Skip to main content

Secrets Manager

Secrets Manager stores encrypted values that CDB EdgeCompute applications can read at runtime. Each secret has a name, an optional description, and one or more slots — each slot holds an independently encrypted value. Use slot 0 for a regular single-value secret. Multiple slots are used for rotation scenarios where different values become active at different times.

Create a secret

  1. In the CDB Technical Web Portal, navigate to CDB EdgeCompute > Secrets Manager.

  2. Click Add secret.

Secrets Manager page with the Add secret button

  1. Enter a Name and an optional Description.

  2. In the Slots section, enter a Slot index and the secret value in the Value field. Use 0 for a single-value secret.

  3. Click Encrypt. The field shows "Encrypted Value" to confirm the value was encrypted.

Create secret form with name, description, and slot value encrypted

  1. Click Save changes.

Once saved, the original value cannot be viewed — only replaced. Encrypted values are stored separately from application data to protect against unauthorized access.

Edit a secret

  1. Navigate to CDB EdgeCompute > Secrets Manager.

  2. Click the secret name to open the edit form.

Secrets Manager list showing a secret entry

  1. To replace an encrypted value, click the pencil icon next to the Value field, enter the new value, and click Encrypt.

Edit secret form with the pencil icon next to the encrypted value field

  1. Click Save changes.

Delete a secret

  1. Navigate to CDB EdgeCompute > Secrets Manager.

  2. Click the three-dot icon (...) next to the secret and select Delete.

Secrets Manager list with the three-dot menu showing Edit and Delete options

  1. Click Yes, delete to confirm.

A secret assigned to an application cannot be deleted — remove it from the application first. Deleted secrets cannot be restored.

Secrets in applications

Creating a secret only stores the encrypted value. To make it available to an application, link it from the application's Secrets tab in manage apps. The application reads the value at runtime using the secret name and slot index via the JavaScript SDK or Rust SDK.

Secrets Manager stores encrypted values that CDB EdgeCompute applications read at runtime. The API covers the full secret lifecycle: create, read, update, and delete. Each secret contains one or more slots — a slot holds an encrypted value and a numeric identifier. Use slot 0 for single-value secrets; multiple slots support time-based rotation using Unix timestamps as identifiers.

All requests authenticate with an API token. Set it as an environment variable before running the examples:

export GCORE_API_KEY="{YOUR_API_KEY}"

Create a secret

curl -X POST https://api.cdb-staging.cdn.orange.com/edgecompute/v1/secrets \
  -H "Authorization: APIKey $GCORE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-app-secret",
    "comment": "API key for external service",
    "secret_slots": [
      {
        "slot": 0,
        "value": "your-secret-value"
      }
    ]
  }'

The response returns the created secret with its assigned ID:

{
  "id": 638,
  "name": "my-app-secret",
  "comment": "API key for external service",
  "secret_slots": [
    {
      "slot": 0,
      "checksum": "03a0986e7619f1d45d12369a1a58d2bbfc3e9f8aea9c5fe84b86087ff8941abb"
    }
  ]
}

The checksum field identifies the stored encrypted value. The original value is never returned.

List secrets

curl https://api.cdb-staging.cdn.orange.com/edgecompute/v1/secrets \
  -H "Authorization: APIKey $GCORE_API_KEY"

Optional query parameters:

ParameterTypeDescription
app_idintegerFilter secrets assigned to the specified application
secret_namestringFilter by exact secret name

Response:

{
  "count": 2,
  "secrets": [
    {
      "id": 636,
      "name": "docs-audit-secret",
      "comment": "",
      "app_count": 0
    },
    {
      "id": 638,
      "name": "my-app-secret",
      "comment": "API key for external service",
      "app_count": 1
    }
  ]
}

Get a secret

curl https://api.cdb-staging.cdn.orange.com/edgecompute/v1/secrets/SECRET_ID \
  -H "Authorization: APIKey $GCORE_API_KEY"

Response includes the slot list with checksums:

{
  "name": "my-app-secret",
  "comment": "API key for external service",
  "app_count": 1,
  "secret_slots": [
    {
      "slot": 0,
      "checksum": "03a0986e7619f1d45d12369a1a58d2bbfc3e9f8aea9c5fe84b86087ff8941abb"
    }
  ]
}

Update a secret

Use PATCH to update the name, description, or slot values. Only the fields included in the request body are changed.

curl -X PATCH https://api.cdb-staging.cdn.orange.com/edgecompute/v1/secrets/SECRET_ID \
  -H "Authorization: APIKey $GCORE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "comment": "Updated description",
    "secret_slots": [
      {
        "slot": 0,
        "value": "new-secret-value"
      }
    ]
  }'

The response returns the full updated secret object, including the new checksum for the updated slot.

Delete a secret

curl -X DELETE "https://api.cdb-staging.cdn.orange.com/edgecompute/v1/secrets/SECRET_ID?force=true" \
  -H "Authorization: APIKey $GCORE_API_KEY"

A successful response returns HTTP 204 with no body.

The force=true parameter is required when the secret has encrypted slots. Without it, the request returns 400. If the secret is assigned to an application, force=true also removes it from all assigned applications before deletion.