How can I set forge secrets from the forge CLI (or else)?

Carles · March 20, 2025, 3:33pm

We have an app in Forge for which we want to use secrets (e.g. API tokens to an external API). Each secret is associated to a domain/installation.

I was thinking of using kvm and set secrets in there, so that the app can read them. But ideally we would like to create these secrets from the forge CLI (or a custom CLI) but there doesn’t seem to be a way to setSecret from outside a running forge app, and I don’t want to deploy an app with the secret.

This is what I want to do basically:

kvs.setSecret(
  'outcome-io.atlassian.net',
  '...some value...'
);

I don’t want to use an environment variable because I will have a different secret per installation (or some global lookup where each “token” is associated with the installation’s domain).

Looking for suggestions / ideas on how to do this. I have a hunch that I may need to set up some convoluted workflow that has a remote listening for app installs that then uses the provided app token to create a secret via the API… (I have something similar to that for a different forge app, so I am familiar with the details but don’t think I need that level of automation ATM).

Ideally a “forge storage set-secret” would be perfect for me.

Thanks

Carles · March 20, 2025, 3:36pm

TBH I’m not clear as to whether the Key Value store is shared across installations or not. Leaning towards “it isn’t”

Benny · March 20, 2025, 11:13pm

Hi Carles,

You are correct, KVS store data per installation. If the keys are unique per installation, then often apps have an Admin screen for the Customer Admin to update the required Secret and that is stored in KVS securely.

If this key is for your all app installations (not per customer/install) then you could store it via Environment Variables (https://developer.atlassian.com/platform/forge/cli-reference/variables-set/). Just make sure to use the encrypt flag.

Cheers
Ben

Carles · March 21, 2025, 6:43am

In this case it is a key we generate (in an external system), not the customer, so the customer admin is not an option.

Carles · March 21, 2025, 8:10am

Related question then… when are environment variable changes picked up by the application? There are some cloud environments where one needs to (manually) redeploy or restart the app after an env var changes, else the app never loads the new value. How does Forge handle that?

Benny · March 23, 2025, 9:22pm

Environment Variables are paired with the deployment process for the App (not per installation).

Carles · March 24, 2025, 7:58am

Thanks Benny, but his doesn’t really answer my question, so let me rephrase.

In Atlassian Forge, when I add or update an environment variable, will all new invocations of my application automatically use the new value/variable? Or do I need to redeploy the application to ensure that is the case?

AaronCollier · March 24, 2025, 9:46am

I know from experience (relearned several times ) that you have to manually redeploy. (That’s what Benny meant by “paired with the deployment process”.)

Benny · March 25, 2025, 12:55am

As Aaron mentioned, that is correct.

Order of operations:

Set Forge environment variable via CLI for “production” environment
Run Forge Deploy to “production” environment
Then the environment variable is now available for that deployed Forge App

Hope that helps.

Cheers
Ben