Environment variables and app distribution

I have an app that makes authenticated REST API calls to another product. As such, it requires a bit of configuration, most of which is supplied through an AdminPage and stored via the StorageAPI. However, in following Atlassian’s recommendations for security, the app relies on being able to access the client secret value as an encrypted environment variable.

This has worked flawlessly through the development and testing stages, but on the first attempt to install the app in a customer instance (shared via Installation Link from the Developer Console) we found that they aren’t able to set environment variables for their instance / environments using the Forge CLI.

Did we miss something? Surely there is some way for them to set their own environment variables, right? Or is there some way I can set them programmatically from the app itself - that way I could collect that value via the AdminPage as well but have it stored as an env var rather than in StorageAPI?

For reference, even attempting to list environment variables, they would get errors like this:

Error: Server error: [{“message”:“Permission denied”,“locations”:[{“line”:2,“column”:3}],“path”:[“installationsByAppEnvironment”],“extensions”:{“errorSource”:“UNDERLYING_SERVICE”,“statusCode”:400,“errorType”:“UNAUTHORIZED_TO_MANAGE_APP_ENVIRONMENTS”,“errorDetails”:{“code”:“UNAUTHORIZED_TO_MANAGE_APP_ENVIRONMENTS”,“message”:“Permission denied”},“classification”:“DataFetchingException”}}], requestId=6a0e9c09f613342e


Perhaps a different line of questioning will trigger a response. :wink:

So along those lines, is anyone else doing something similar - storing/using a piece of sensitive information that would need to differ for each deployment of your app. If so, how are you going about it?