When self-hosting the Superblocks data plane, you can store credentials as environment variables, enabling you to manage secrets securely within your own infrastructure. Environment variables prefixed with SUPERBLOCKS_AGENT_APP_ENV_ can be referenced using the global Env object.

Benefits

  • Enhanced security: Credentials remain within your infrastructure and are never stored in or transmitted through Superblocks Cloud
  • Full control: Manage credentials using your existing secrets management tools and processes (e.g., AWS Secrets Manager, HashiCorp Vault, Kubernetes Secrets)
  • Simplified rotation: Update credentials in your deployment without modifying Superblocks configurations
  • Compliance: Meet security and compliance requirements by keeping sensitive data in your controlled environment

Environment variable prefix (SUPERBLOCKS_AGENT_APP_ENV_)

All environment variables that are prefixed with SUPERBLOCKS_AGENT_APP_ENV_ are accessible through the Env global variable. Reference them in Superblocks by the environment variable name without the prefix (e.g. Env.postgres_password). To use:
  1. Specify environment variables prefixed with SUPERBLOCKS_AGENT_APP_ENV_ (e.g. SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_PASSWORD) in the environment where the data plane is deployed
  2. Reference the environment variable inside Superblocks as a property on the global Env object, using the suffix of the environment variable name (e.g. {{Env.postgres_password}} for the example above)

Example: Configuring a Postgres integration with environment variable secrets

  1. Expose the environment variables SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_USERNAME and SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_PASSWORD in your data plane deployment
  2. Navigate to the Integrations tab in the menu bar on the left side of the Home page and select a Postgres integration
  3. Enable “Fetch credentials dynamically” via the toggle at the top of the Postgres integration form
  4. Enter the username and password as {{Env.postgres_username}} and {{Env.postgres_password}}.

Figure: Enabling “Fetch credentials dynamically” for Postgres

Integrating with secret managers

You can combine data plane environment variables with your existing secrets management infrastructure. Here are common patterns:

AWS Secrets Manager / Parameter Store

When deploying on AWS (ECS, EKS, etc.), inject secrets from AWS Secrets Manager or Parameter Store into your data plane container as environment variables at runtime.

HashiCorp Vault

Use Vault Agent or the Vault Secrets Operator (for Kubernetes) to inject secrets as environment variables into your data plane deployment.

Kubernetes Secrets

Reference Kubernetes Secrets in your deployment manifest to inject credentials as environment variables.
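
The following Deployment fragment is an added example, not taken from the Superblocks documentation or charts. It shows the Postgres variables from the example above sourced from a Kubernetes Secret with secretKeyRef instead of a literal value. The Secret name and keys, the namespace, the Deployment and container names, and the image value are all placeholders, and the Secret is assumed to exist already.

```yaml
# Added example. All names below are placeholders, not Superblocks defaults.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: superblocks-data-plane            # placeholder Deployment name
  namespace: superblocks                  # placeholder namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: superblocks-data-plane
  template:
    metadata:
      labels:
        app: superblocks-data-plane
    spec:
      containers:
        - name: data-plane                # placeholder container name
          image: "REPLACE_WITH_YOUR_DATA_PLANE_IMAGE"
          env:
            # Avoid: a literal credential in the manifest ends up in version
            # control and in the output of `kubectl get deployment -o yaml`.
            # - name: SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_PASSWORD
            #   value: "plaintext-password-here"

            # Preferred: the manifest carries only a reference. The value
            # lives in the Secret, which is assumed to exist in this namespace
            # with the keys "username" and "password".
            - name: SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_USERNAME   # {{Env.postgres_username}}
              valueFrom:
                secretKeyRef:
                  name: superblocks-postgres-credentials   # placeholder Secret name
                  key: username
            - name: SUPERBLOCKS_AGENT_APP_ENV_POSTGRES_PASSWORD   # {{Env.postgres_password}}
              valueFrom:
                secretKeyRef:
                  name: superblocks-postgres-credentials
                  key: password
```

Kubernetes resolves secretKeyRef values once, when the container starts, so a rotated Secret only takes effect after the pods are restarted (for example with kubectl rollout restart). Restrict read access to the Secret with RBAC, since anyone who can read it can read the credential.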

Azure Key Vault / Google Secret Manager

Use your cloud provider’s native secrets integration to inject secrets into your container environment.