Secrets for Traffic Policy debuts in the dashboard and goes GA

Secrets for Traffic Policy is now generally available.

Earlier this year, we announced Secrets for Traffic Policy as an API-first feature to separate sensitive values like API keys and passwords out of your policy YAML by storing them in encrypted vaults and referencing them dynamically at runtime. This separation not only improves the overall security posture of your traffic policies, but also enables easier reuse and rotation of sensitive values you would otherwise hard-code.‍

The GA launch includes:

• Dashboard integration for managing vaults and secrets
• Kubernetes External Secrets Operator support to sync secrets into ngrok while keeping existing secret stores as the source of truth
• Stability and API improvements from early feedback and testing

How to use a Secret in your Traffic PolicyCopy link to clipboard

When you have a sensitive secret string, like a webhook verification key, create a secret for it. You’ll put the secret in a vault and give the secret a unique name.

Then use the secret by referencing the secret in your Traffic Policy with the secrets.get() macro. Here’s an example with the verify-webhook action:

on_http_request:
  - actions:
      - type: verify-webhook
        config:
          provider: github
          secret: "${secrets.get('webhooks-vault', 'github-secret')}"

Manage your Vaults and Secrets in the dashboardCopy link to clipboard

As part of the GA launch, we’ve shipped a brand new secrets management experience in the dashboard. Use the new interface to manage your vaults and secrets. We’ve also made it easy to integrate secrets into your traffic policies with copy/pastable snippets.

Create (or sync) a secret, paste the macro into your policy, and you’re done. After that, rotate the secret from the dashboard, CLI, API, or External Secrets Operator without touching the policy.

Other ways to manage your Vaults and SecretsCopy link to clipboard

In addition to the ngrok dashboard, we also support working with vaults and secrets via our API or through the CLI.

If you're part of a Kubernetes-native team, the Kubernetes External Secrets Operator (ESO) integration to continuously syncs secrets from external managers (e.g., Vault, AWS Secrets Manager, GCP Secret Manager.) into ngrok vaults and secrets. Your external stores remain the source of truth, while ngrok gets always-fresh, referenceable secrets (including seamless rotation). For more information, see our announcement on the ESO integration.

When should you use Vaults and Secrets?Copy link to clipboard

Secrets are a great fit for Traffic Policy actions that depend on sensitive strings—separating the secret from the policy makes them easy to reuse and rotate, reduces noise, and shifts credential management out of the policies themselves.

We recommend you use secrets whenever you use actions like:

• basic-auth
• oauth
• oidc
• terminate-tls

Get started with Vaults and SecretsCopy link to clipboard

Vaults and secrets are available today for all users. Start by creating a vault, adding your first secret, and dropping the secrets.get() macro into a policy.

Need more info? Check out the overview docs on Traffic Policy Secrets or consult the API docs linked below:

• External Secrets Operator
• CLI + Vaults
• CLI + Secrets
• REST + Vaults
• REST + Secrets

Have questions or want to request a new feature? We’d love to hear from you, file an issue in our ngrok Community Repo or hit us up at support@ngrok.com.