Security
Environment Variables
Environment variables configure your application without hardcoding values in source code. StackBlaze supports two types: plain text variables for non-sensitive configuration, and secrets for sensitive values that are encrypted at rest and redacted in logs.
Variables are applied via a rolling deploy: changing an environment variable triggers an automatic redeploy, so the new values take effect immediately without manual intervention.
Variable types
Plain text
Stored as a Kubernetes ConfigMap. Visible in the dashboard UI. Use for non-sensitive configuration like feature flags, API URLs, log levels, and region names.
NODE_ENV=production
LOG_LEVEL=info
API_BASE_URL=https://api.example.com
Secret
Stored as a Kubernetes Secret (AES-256 encrypted at rest). Redacted in build logs and dashboard UI, shown as ••••••••. Use for API keys, database passwords, JWT secrets, and OAuth credentials.
DATABASE_URL=postgresql://...
STRIPE_SECRET_KEY=sk_live_...
JWT_SECRET=...
CLI usage
# List all env vars for a service
$ stackblaze env list --service my-api
NODE_ENV=production
LOG_LEVEL=info
DATABASE_URL=•••••••• (secret)
STRIPE_KEY=•••••••• (secret)
# Set a plain variable
$ stackblaze env set LOG_LEVEL=debug --service my-api
Variable set. Deploying my-api...
# Set a secret
$ stackblaze env set STRIPE_KEY=sk_live_xxx --secret --service my-api
Secret set. Deploying my-api...
# Remove a variable
$ stackblaze env unset LEGACY_FLAG --service my-api
Variable removed. Deploying my-api...
Environment Groups
Environment Groups let you define a set of variables once and attach them to multiple services. Changes to a group propagate to all attached services automatically, so there is no need to update the same variable across ten services one by one.
shared-stripe
Attached to 3 services
Under the hood
- ConfigMap for plain variables: non-secret variables are stored in a Kubernetes ConfigMap in the service's namespace. The ConfigMap is referenced in the pod spec via envFrom.configMapRef. All keys in the ConfigMap become environment variables in the container.
- Kubernetes Secret for sensitive values: secret variables are stored as Kubernetes Secrets with base64-encoded values. The cluster's etcd is encrypted at rest using AES-256-CBC. Secrets are referenced via envFrom.secretRef and never appear in build logs.
- Rolling deploy on change: updating a ConfigMap or Secret triggers a rolling update by patching the Deployment's spec.template.metadata.annotations with a checksum of the new values. Kubernetes detects the annotation change and starts a rolling update.
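The mechanism in the list above, as an added example (not StackBlaze's own code): it builds the ConfigMap and Secret, the envFrom references, and the checksum annotation patch that forces a rolling update. The resource names, the annotation key example.com/env-checksum and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import json

# Hypothetical annotation key; the page does not name the one StackBlaze uses.
ANNOTATION = "example.com/env-checksum"


def build_manifests(service, plain, secrets):
    """Return (ConfigMap, Secret) manifests; resource names are assumptions."""
    config_map = {"apiVersion": "v1", "kind": "ConfigMap",
                  "metadata": {"name": f"{service}-env"}, "data": dict(plain)}
    # base64 is an encoding, not encryption: at-rest protection comes from etcd.
    encoded = {k: base64.b64encode(v.encode()).decode() for k, v in secrets.items()}
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
              "metadata": {"name": f"{service}-secrets"}, "data": encoded}
    return config_map, secret


def env_from(config_map, secret):
    """Container envFrom entries: every key of both objects becomes an env var."""
    return [{"configMapRef": {"name": config_map["metadata"]["name"]}},
            {"secretRef": {"name": secret["metadata"]["name"]}}]


def env_checksum(config_map, secret):
    """SHA-256 over canonical JSON, so key order alone never forces a redeploy."""
    canonical = json.dumps({"configMap": config_map["data"], "secret": secret["data"]},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def rollout_patch(checksum):
    """Deployment patch: a new annotation value changes the pod template,
    which is what makes Kubernetes start a rolling update."""
    return {"spec": {"template": {"metadata": {"annotations": {ANNOTATION: checksum}}}}}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    plain = {"NODE_ENV": "production", "LOG_LEVEL": "info"}
    secrets = {"STRIPE_KEY": "sk_test_constructed"}
    cm, sec = build_manifests("my-api", plain, secrets)
    before = env_checksum(cm, sec)
    cm["data"]["LOG_LEVEL"] = "debug"  # same edit as `env set LOG_LEVEL=debug`
    after = env_checksum(cm, sec)
    print(json.dumps(env_from(cm, sec)))
    print("redeploy needed:", before != after)
    print(json.dumps(rollout_patch(after), indent=2))
```

The digest covers secret values and sits in an annotation readable by anyone who can read the Deployment, so in this sketch it is only appropriate for high-entropy secrets; a keyed HMAC is an alternative.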
Step by step
Add variables from the dashboard
Navigate to Service → Environment → Add Variable. Enter the key name and value. Toggle "Secret" to mark it as sensitive. Click Save; a rolling deploy triggers automatically to apply the new variable.
Bulk import from a .env file
Click "Bulk import" and paste your KEY=VALUE pairs, or upload a .env file directly. StackBlaze parses the file, detects lines starting with # as comments, and lets you review each variable before saving. Existing variables with the same key are overwritten.
Create an Environment Group for shared variables
Go to Project → Environment Groups → New Group. Add variables that are shared across multiple services (e.g. a Stripe key used by your API and your webhook worker). Attach the group to any service; all variables in the group are injected alongside service-specific ones.
Override variables per environment
Variables can have preview-environment-specific overrides. Navigate to Service → Settings → Preview Environments → Override Variables. Overrides only apply in preview namespaces; production values are unaffected. This is useful for using test API keys in previews.