When are secrets added to the deploy environment?

Hi everyone,

Today I ran into this error:

Compilation error in file lib/my_app/airtable/client.ex ==
** (CompileError) lib/my_app/airtable/client.ex:11: invalid literal nil in <<>>

The faulting line is here:
IO.puts("Key: " <> Application.get_env(:my_app, :airtable_api_key))

In config/runtime.exs I have:
config :my_app, airtable_api_key: System.get_env("AIRTABLE_API_KEY")

The AIRTABLE_API_KEY had been set through fly secrets.

So my question is, are these secrets available at compilation?

I don’t think secrets are available to the build/compilation stage. You can choose to do a local build using fly deploy --local-only, for instance, and then the secrets definitely won’t be fetched into your machine.

There is a section in the fly.toml called

[build.args]
  RAILS_ENV = "production"
  RACK_ENV = "production"

which you could use. I would hesitate to put secrets in it, though.

I’m not too familiar with Elixir, let me page @Mark to ask if it’s possible to move configuration like this out of the build step.

fly secrets are available at runtime in the Fly environment. Since you could be building locally using Docker, they are not available during build. I don’t know if they might be available during build using a fly remote builder.

Secrets are only available at runtime. You can use build arguments as @sudhir.j said, but those are insecure since they get written to the final image. Unless you need to call a third party api from the build, you can set AIRTABLE_API_KEY to a placeholder value so it’s not null during initialization but still the correct value once deployed.