Secrets
SecretService (dodil.ignite.v1.SecretService) manages named, typed, Vault-backed credential slots — a git PAT or a registry login. Other workflows reference a secret by name instead of embedding credentials inline.
Slots are per-organization and isolated: only your org can read or use them. They’re referenced from image-mode Compute deploys (to pull from private registries) and build-from-git (to clone private repos).
In this section
- How Secrets Work — slot identity, rotation, the two reference fields, and how they resolve
- API Reference — every SecretService RPC, with HTTP + gRPC contracts
Two secret types
| Type | Fields | Used for |
|---|---|---|
| git | username, token (PAT) | Cloning private git repos (build-from-git) |
| registry | username, password, optional server_address | Pulling private base/app images (Compute BYOI) |
A registry secret with an empty server_address defaults to Docker Hub.
CLI cheat-sheet
The dodil ignite secret command group is the quickest way to manage slots:
# Create (or rotate) a registry slot — re-running with the same name overwrites it
dodil ignite secret create ghcr-pull --type registry \
--username <user> --password <token> --server-address ghcr.io
# Create a git slot
dodil ignite secret create gh-clone --type git --username <user> --token <pat>
dodil ignite secret list # name, type, updated — never the value
dodil ignite secret get ghcr-pull # returns the stored value (see the note below)
dodil ignite secret delete ghcr-pullReading values back.
getreturns the stored token/password in full — slots are readable, not write-only. Any org member with theGetSecretscope can retrieve stored credentials, so manage scope access and rotate anything you suspect is exposed. See How Secrets Work.
Referencing a slot
Once a slot exists, point a deploy or build at it by name:
- Compute BYOI —
registry_secret_refon an image-mode version (dodil ignite draft save --image-ref … --registry-secret-ref ghcr-pull). See Bring Your Own Image. - Build-from-git —
secret_refon a git source (dodil ignite draft save --git-url … --git-secret-ref gh-clone). See Build from Git.
Distinct from Build’s
SaveBuildSecrets, which is a separate per-org credential store. SecretService slots are named and referenced explicitly — see How Secrets Work.
See also
- How Secrets Work · API Reference
- Compute — image-mode deploys pull private images via secrets
- Builds — references git/registry secrets by name
- Conventions — transport, auth
- CLI Basics