Manage secrets
Note
Grafana Workflows is currently in private preview. Grafana Labs offers support on a best-effort basis, and breaking changes might occur prior to the feature being made generally available.
Secrets let you reference sensitive values like API tokens without including them in workflow definitions. Grafana Workflows uses Grafana Secrets Management to store and resolve secrets securely.
Before you begin
To use secrets in workflows, you need:
- Access to Grafana Secrets Management in your Grafana Cloud stack
- The Workflows decrypter enabled so the workflow engine can resolve secrets at execution time
Create a secret
Before you can reference a secret in a workflow, create it in Grafana Secrets Management. You can create secrets through the Grafana Cloud UI or the Grafana Secrets Management API.
When creating a secret, select the Workflows decrypter so the workflow engine can resolve the secret at execution time.
The secret name becomes part of the URI you use in the workflow definition. For example, if you create a secret named workflows/http/auth-token, the corresponding URI in your workflow is secret://workflows/http/auth-token.
Reference secrets in a workflow
Define secret references in the resources.secrets section of your workflow definition. Each entry maps a reference name to a secret URI:

    spec:
      resources:
        secrets:
          api-token: "secret://workflows/http/auth-token"
      steps:
        - id: call-api
          type: http.call
          inputs:
            method: "GET"
            url: "https://api.example.com/data"
            authMethod: "bearer"
            authSecret: "${resources.secret.api-token}"

Secret URIs must start with secret:// followed by a valid identifier.
Use secret references in step inputs
Step inputs reference secrets using ${resources.secret.<key>} syntax, where <key> is the reference name defined in resources.secrets.
For keys with special characters, use bracket notation:

    ${resources.secret["my-api-token"]}

Understand secret scoping and resolution
Secrets are scoped to your Grafana Cloud stack. Each workflow run resolves secrets using the stack identity of the triggering event. The engine resolves secrets at execution time and redacts them from step logs.
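An added example, not from the Grafana documentation: a review-time check over a parsed workflow definition that flags secret URIs missing the secret:// scheme, references to keys that are not declared in resources.secrets, and literal values placed in authSecret. The helper names, the identifier pattern, and the sample definition are assumptions made for illustration.

```python
import re

# Reference syntax from this page: ${resources.secret.<key>} or ${resources.secret["<key>"]}.
REF_RE = re.compile(r'\$\{resources\.secret(?:\.([A-Za-z0-9_-]+)|\["([^"\]]+)"\])\}')
# Assumption: the page only requires "a valid identifier"; this path pattern is a stand-in.
URI_RE = re.compile(r'^secret://[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$')


def walk_strings(node, path=""):
    """Yield (path, value) for every string nested in dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def lint_workflow(definition):
    """Return sorted findings for a parsed workflow definition (hypothetical helper)."""
    spec = definition.get("spec", {})
    declared = spec.get("resources", {}).get("secrets", {})
    findings = []
    for name, uri in declared.items():
        if not isinstance(uri, str) or not URI_RE.match(uri):
            findings.append(f"resources.secrets.{name}: not a secret:// URI")
    for step in spec.get("steps", []):
        for path, value in walk_strings(step.get("inputs", {})):
            where = f"{step.get('id')}.{path}"
            for dotted, bracketed in REF_RE.findall(value):
                if (dotted or bracketed) not in declared:
                    findings.append(f"{where}: undefined secret '{dotted or bracketed}'")
            # A credential input that is not exactly one reference embeds the secret inline.
            if path.endswith("authSecret") and not REF_RE.fullmatch(value):
                findings.append(f"{where}: literal value, use a secret reference")
    return sorted(findings)


# Constructed sample: the page's example step plus three deliberate mistakes.
SAMPLE = {"spec": {
    "resources": {"secrets": {"api-token": "secret://workflows/http/auth-token",
                              "legacy": "workflows/http/old-token"}},  # no secret:// scheme
    "steps": [
        {"id": "call-api", "inputs": {"authSecret": "${resources.secret.api-token}"}},
        {"id": "call-b", "inputs": {"authSecret": "CONSTRUCTED-LITERAL-TOKEN"}},
        {"id": "call-c", "inputs": {"authSecret": '${resources.secret["my-api-token"]}'}},
    ]}}
if __name__ == "__main__":
    print("\n".join(lint_workflow(SAMPLE)))
```

The input is the definition after YAML parsing, so the check can run in CI on workflow files before they are applied.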