Documentation Grafana Cloud Testing and synthetics Synthetic Monitoring Create checks Create and manage secrets

Create and manage secrets

Secrets management provides a centralized location to securely store and manage values such as API keys, passwords, tokens, and credentials. Synthetic Monitoring tests reference secrets in a way that prevents them from being exposed in the UI, scripts, and logs generated by Synthetic Monitoring.

With secrets management, you can:

• Create secrets and attach metadata to secrets, such as description and labels.
• Reference secrets by name in k6 scripted and k6 browser synthetics.
• Reset and revoke secret values.

Secrets are encrypted at rest using envelope encryption. Grafana Cloud stores the secrets’ metadata in one location while simultaneously encrypting and storing secret values in a different location. Secret values can only be decrypted by Synthetic Monitoring by using references to the metadata, not the encrypted value itself. This ensures that secrets are never stored permanently and are only available in memory during active use.

Before you begin

• Users with the Grafana Admin role can create, edit, and delete secrets by default.
• Users with the Grafana Editor and Viewer roles can be granted access to create, edit, and delete secrets using a fixed role. Refer to the Role-based access control section for more details.
• Only users with the Admin or Editor role, or the Checks writer permission, can use secrets when editing tests. Refer to Manage users and teams for Synthetic Monitoring for more details.
• Secrets are only supported in k6 scripted and k6 browser synthetics.
• Only text-based secrets, such as passwords and certificates, are supported. Secrets have a limit of 24kB.
• Secret names must be 253 characters or less.
• Secret descriptions must be 253 characters or less.
• Secrets can have a maximum of 10 labels.
• Label keys must be 63 characters or less.

Create a secret

To create a new secret:

1. Navigate to Home > Testing & synthetics > Synthetics > Config
2. Click the Secrets tab.
3. Click Create secret.
4. In the Create secret dialog box, fill in the following fields:
   1. Name: A unique name for your secret. Use a descriptive name, such as api-key-production. Can contain letters, numbers, hyphens, and underscores.
   2. Description: An optional description explaining the secret’s purpose.
   3. Value: The secure value to be encrypted. This field is masked for security.
5. Click Save to create the secret.

Edit a secret

To edit a secret:

1. Navigate to Home > Testing & synthetics > Synthetics > Config.
2. Click the Secrets tab.
3. Find the name of the secret you want to edit and click the Edit button next to it.
4. Update the fields you want to change. To update the Value field, click Reset first, and then update the secret’s value.
5. Click Save.

Delete a secret

To delete a secret:

1. Navigate to Home > Testing & synthetics > Synthetics > Config
2. Click the Secrets tab.
3. Find the name of the secret you want to delete and click the trash icon next to it.
4. In the confirmation dialog box, type “Delete”.
5. Click Delete.

Use secrets in a test

To use secrets in a test:

1. Navigate to Home > Testing & synthetics > Synthetics > Checks.
2. Click “Add new check”.
3. Select the “Scripted” or “Browser” check type.
4. In your script:
   1. Import the k6/secrets module: import secrets from 'k6/secrets';
   2. Retrieve the secret value by using its name: const secret_value = await secrets.get('test-secret-name');
5. Use the secret value variable in your script.

Here is an example of a minimal k6 scripted test that fetches a secret value and tries to log it:

js Copy

import secrets from 'k6/secrets';

export default async function main() {
  const secret_value = await secrets.get('test-secret-name');

  // Try logging the secret -- the value is redacted
  console.log(`try to log the secret value: ${secret_value}`);
}

Refer to the k6/secrets documentation for more details on the secrets module.

Secret redaction

Secret values are masked in the Synthetic Monitoring output with the ***SECRET_REDACTED*** placeholder.

For example, the following script snippet:

js Copy

const result = http.post('https://my-endpoint.test.app', '', { headers: { Authorization: `Bearer ${secret_value}` } });

Produces a header in the form of:

http Copy

Authorization: Bearer xm_MCp5aalOF2BGlafChR8Gu5hv

But that same line appears in the logs as:

http Copy

Authorization: Bearer ***SECRET_REDACTED***

Role-based access control

The ability to create, edit, and delete secrets is defined by the Grafana role assigned to a user:

• Admins can create, edit, and delete secrets by default.
• Only users with the Admin or Editor role, or the Checks writer permission, can use secrets when editing tests.

You can use Role-based access control to give users, whether they’re Admins, Editors, or Viewers, granular access to secrets. The following roles are available:

To assign a role to a user:

• Navigate to Home > Administration > Users and access > Users.
• Assign a fixed role from Fixed roles > Secret manager.

When assigning secret manager roles to users, ensure these users have been granted appropriate access to Synthetic Monitoring. For example, a user with the Grafana Viewer role and the Secure Values Creator role has the ability to create secrets, but they also need the Checks writer role to gain access to the Synthetic checks interface containing the secrets configuration.

Refer to Synthetic Monitoring RBAC roles for more details about the available roles.