src/collectors/SECRETS.md
Keep collector credentials out of plain-text configuration files.
Netdata lets you reference secret values in collector configs instead of storing them directly in YAML. Depending on where the secret lives, you can resolve it from environment variables, local files, local commands, or remote secretstore backends.
Resolver Quick Reference • Choosing a Resolver • Environment Variables • Files • Commands • Secretstores • Supported Secretstore Backends • How It Works • Troubleshooting
| Resolver | Syntax | Best for | Notes |
|---|---|---|---|
| Environment variable | ${env:VAR_NAME} | Secrets already injected into the Netdata service environment | Value is trimmed. The variable must exist. |
| File | ${file:/absolute/path} | Secrets stored in local files on disk | The path must be absolute. File contents are trimmed. |
| Command | ${cmd:/absolute/path/to/command args} | Secrets returned by a trusted local command | The command path must be absolute. Netdata uses a 10-second timeout. |
| Secretstore | ${store:<kind>:<name>:<operand>} | Secrets stored in remote backends such as Vault, AWS, Azure, or GCP | Configure the secretstore first, then reference it from collector configs. |
${env:...} or ${file:...} for simple setups where secrets are already available locally on the Netdata host.${cmd:...} when you need dynamic secret retrieval via a trusted local command, such as 1Password CLI or a custom script.${store:...} when your organization manages secrets centrally in a cloud provider or Vault and you want Netdata to pull from that source directly.Use ${env:VARIABLE_NAME} to read a secret from the Netdata process environment.
jobs:
- name: mysql_prod
password: "${env:MYSQL_PASSWORD}"
Use ${file:/absolute/path} to read a secret from a local file on disk.
jobs:
- name: mysql_prod
password: "${file:/run/secrets/mysql_password}"
netdata user./run/secrets/ inside the container. Use ${file:/run/secrets/<secret-name>} to read them.${file:/path/to/mounted/secret}.Use ${cmd:/absolute/path/to/command args} to execute a trusted local command and use its stdout as the secret value.
jobs:
- name: mysql_prod
password: "${cmd:/usr/bin/op read op://vault/netdata/mysql/password}"
/bin/sh -c.Use secretstores when you want Netdata collectors to fetch secrets from remote backends at runtime instead of storing them locally in collector configs.
Configure a secretstore first, then reference it from collector configs with:
${store:<kind>:<name>:<operand>}
| Part | Description |
|---|---|
kind | Secretstore backend kind, such as vault or aws-sm. |
name | The store name you configured in Netdata, such as vault_prod. |
operand | Backend-specific identifier for the secret you want to read. |
Example:
jobs:
- name: mysql_prod
password: "${store:vault:vault_prod:secret/data/netdata/mysql#password}"
Collectors -> go.d -> SecretStores.${store:<kind>:<name>:<operand>} reference in collector configs.Each secretstore backend has its own file under /etc/netdata/go.d/ss/:
| File | Backend |
|---|---|
/etc/netdata/go.d/ss/aws-sm.conf | AWS Secrets Manager |
/etc/netdata/go.d/ss/azure-kv.conf | Azure Key Vault |
/etc/netdata/go.d/ss/gcp-sm.conf | Google Secret Manager |
/etc/netdata/go.d/ss/vault.conf | Vault |
Each file contains a jobs array. The backend kind is determined by the filename.
:::note
File-based secretstores are loaded at agent startup. If you edit these files, restart the Netdata Agent to apply the changes.
:::
If the /etc/netdata/go.d/ss/ directory does not exist, create it:
sudo mkdir -p /etc/netdata/go.d/ss
sudo chown netdata:netdata /etc/netdata/go.d/ss
sudo chmod 0750 /etc/netdata/go.d/ss
Secretstore configuration files may contain sensitive values such as tokens or client secrets. Restrict directory and file permissions to the netdata user.
Each secretstore config file can contain multiple jobs entries, each with a unique store name. You can use different secretstore backends simultaneously. For example, you might configure a Vault store for database credentials and an AWS Secrets Manager store for API keys, then reference each one using its ${store:<kind>:<name>:<operand>} syntax in the relevant collector configs.
You can mix different resolver types in the same configuration value or the same config file. For example, you might read the username from an environment variable and the password from a secretstore:
jobs:
- name: mysql_prod
dsn: "${env:MYSQL_USER}:${store:vault:vault_prod:secret/data/netdata/mysql#password}@tcp(127.0.0.1:3306)/"
Different jobs within the same collector config file can also use different resolver types.
Use the backend README for provider-specific authentication, operand rules, configuration examples, and troubleshooting.
| Backend | Kind | Operand Format | Example Operand |
|---|---|---|---|
| AWS Secrets Manager | aws-sm | secret-name[#key] | netdata/mysql#password |
| Azure Key Vault | azure-kv | vault-name/secret-name | my-keyvault/mysql-password |
| Google Secret Manager | gcp-sm | project/secret[/version] | my-project/mysql-password |
| Vault | vault | path#key | secret/data/netdata/mysql#password |
${env:...}, ${file:...}, and ${cmd:...} resolvers. Use them to avoid storing backend credentials in plain text. Note that ${store:...} references are not supported inside secretstore configurations.netdata user, including token files, service account files, and any files used with ${file:...}.${cmd:...} only with trusted local commands and absolute paths.${env:...}, make sure the variable exists in the Netdata process environment.${file:...}, make sure the path is absolute and the file is readable by netdata.${cmd:...}, make sure the command path is absolute and the command completes within 10 seconds.${store:...}, check the backend README for provider-specific operand rules, authentication requirements, and troubleshooting.Representative error patterns:
${env:VAR_NAME}: environment variable is not set${file:relative/path}: file path must be absolute${cmd:echo hello}: command path must be absolute${cmd:/path/to/slow-command}: command timed out after 10s