Security
Secret Files
Some credentials cannot be passed as environment variables; they need to be files. Secret files let you mount a JSON key, PEM certificate, SSH key, or any other credential directly into your container at a specific path, without putting it in your source code or Docker image.
Contents are stored encrypted (AES-256) and are never shown in the UI after creation. The file appears inside your container as a read-only file at the configured mount path, as if it had always been there.
Common use cases
| File | Mount path | Use case |
|---|---|---|
| service-account.json | /secrets/gcp-sa.json | Google Cloud service account key for GCS, BigQuery, or Pub/Sub access. |
| server.crt / server.key | /certs/server.crt | Custom TLS certificate and private key for mTLS or internal services. |
| .netrc | /root/.netrc | Credentials for pulling private npm/pip packages from authenticated registries. |
| id_rsa | /root/.ssh/id_rsa | SSH private key for deploying to other servers or cloning private repos during build. |
| firebase-adminsdk.json | /secrets/firebase.json | Firebase admin SDK credentials for server-side Firebase operations. |
| kubeconfig | /root/.kube/config | Kubernetes cluster credentials for services that manage other clusters or jobs. |
Adding a secret file
```json
{
  "type": "service_account",
  "project_id": "..."
  ...
}
```
Contents are encrypted and will not be shown again after saving.
Accessing the secret file in code
```javascript
const { Storage } = require('@google-cloud/storage');

// GOOGLE_APPLICATION_CREDENTIALS points to the mounted secret file
const storage = new Storage({
  keyFilename: process.env.GOOGLE_APPLICATION_CREDENTIALS,
});

// Or set GOOGLE_APPLICATION_CREDENTIALS=/secrets/gcp-sa.json
// and the SDK finds it automatically
const storage2 = new Storage(); // uses GOOGLE_APPLICATION_CREDENTIALS env var
```
Under the hood
- Kubernetes Secret with volume mount: the file contents are stored as a Kubernetes Secret. The pod spec includes a `volume` referencing the Secret and a `volumeMount` at the configured path. The Secret is projected as a file with `defaultMode: 0400` (read-only by owner).
- Encryption at rest: the Kubernetes Secret is stored in etcd with envelope encryption. The data encryption key (DEK) is encrypted with a key encryption key (KEK) stored in the cluster's KMS provider. StackBlaze never stores unencrypted secret values outside etcd.
- tmpfs mount: the secret file volume is backed by an in-memory tmpfs mount inside the pod, not written to the node's disk. This means the secret file is never written to persistent storage on the host node.
Step by step
Navigate to Secret Files
Go to Service → Environment → Secret Files → Add File. You'll see a form with fields for the file name, contents, and mount path. Secret file contents are transmitted over TLS and encrypted immediately; they are never stored in plain text.
Enter the file contents
Paste the file contents into the text area. For binary files (e.g. PKCS12 keystores), upload via the file picker and StackBlaze will base64-encode it automatically. Once saved, the contents are not shown again; only the file name and mount path remain visible.
Set the mount path
Enter the absolute path where the file should appear inside the container (e.g. /secrets/gcp-sa.json). The directory is created automatically if it does not exist. The file is mounted read-only to prevent accidental modification by the application.
Access the file in your application
Reference the file by its mount path in your application code or configuration. For Google Cloud: set GOOGLE_APPLICATION_CREDENTIALS=/secrets/gcp-sa.json. For SSH: the key is available at /root/.ssh/id_rsa with correct permissions (0600).