GitLab secrets manager
- Tier: Ultimate
- Status: Experiment
This feature is an experiment and subject to change without notice. This feature is not ready for public testing or production use.
Secrets represent sensitive information your CI/CD jobs need to function. Secrets could be access tokens, database credentials, private keys, or similar.
Unlike CI/CD variables, which are always available to jobs by default, secrets must be explicitly requested by a job.
Use the GitLab secrets manager to securely store and manage your project’s secrets and credentials.
Enable the secrets manager
Prerequisites:
- You must have the Owner role for the project.
To enable the secrets manager:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > General.
- Expand Visibility, project features, permissions.
- Turn on the Secrets Manager toggle and wait for the secrets manager to be provisioned.
Define a secret
You can add secrets to the secrets manager so that they can be used in secure CI/CD pipelines and workflows.
- On the left sidebar, select Search or go to and find your project.
- Select Secure > Secrets manager.
- Select Add secret and fill in the details:
  - Name: Must be unique in the project.
  - Value: No limitations.
  - Description: Maximum of 200 characters.
  - Environments: Can be:
    - All (default) (*)
    - A specific environment
    - A wildcard environment
  - Branch: Any branch from the project.
  - Expiration date: Secrets become unavailable after the expiration date.
After you create a secret, you can use it in the pipeline configuration or in job scripts.
Use secrets in job scripts
To access secrets defined with the secrets manager, use the secrets and gitlab_secrets_manager keywords:
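    job:
      secrets:
        # Variable the job script uses to access the secret
        TEST_SECRET:
          gitlab_secrets_manager:
            # Name of the secret as defined in the secrets manager
            name: foo
      script:
        - cat $TEST_SECRET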
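Because secrets must be explicitly requested by a job, a pipeline review can list which jobs request which secrets and catch jobs that reference a secret's variable without requesting it. The following Ruby script is an added example, not part of the GitLab documentation or GitLab's own code; the sample pipeline, its job names and scripts are constructed, and the check is a heuristic that only reads inline script lines.

```ruby
require 'yaml'

# Constructed sample pipeline (not from the GitLab docs): "deploy" requests the
# secret, "notify" uses the same variable without requesting it.
SAMPLE_CI = <<~YAML
  deploy:
    secrets:
      TEST_SECRET:
        gitlab_secrets_manager:
          name: foo
    script:
      - ./deploy.sh --token-file "$TEST_SECRET"
  notify:
    script:
      - ./notify.sh --token-file "${TEST_SECRET}"
YAML

# Returns { requested:   { job => { variable => secret name } },
#           unrequested: [[job, variable], ...] }
def audit_secrets(ci_yaml)
  config = YAML.safe_load(ci_yaml) || {}
  # Heuristic: any top-level mapping with a `script` key is treated as a job.
  jobs = config.select { |_, body| body.is_a?(Hash) && body.key?('script') }

  requested = jobs.to_h do |job, body|
    secrets = body['secrets'].is_a?(Hash) ? body['secrets'] : {}
    managed = secrets.select { |_, src| src.is_a?(Hash) && src['gitlab_secrets_manager'].is_a?(Hash) }
    [job, managed.transform_values { |src| src['gitlab_secrets_manager']['name'] }]
  end

  # Variables that some job in the pipeline maps to a managed secret.
  secret_vars = requested.values.flat_map(&:keys).uniq
  unrequested = jobs.flat_map do |job, body|
    script = Array(body['script']).flatten.join("\n")
    used = script.scan(/\$\{?([A-Za-z_][A-Za-z0-9_]*)/).flatten.uniq
    ((used & secret_vars) - requested[job].keys).map { |var| [job, var] }
  end

  { requested: requested, unrequested: unrequested }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_secrets(SAMPLE_CI)
  report[:requested].each { |job, vars| puts "#{job} requests #{vars}" }
  report[:unrequested].each { |job, var| puts "#{job} uses $#{var} without requesting it" }
end
```

The `requested` map doubles as an inventory of which jobs can read which secret.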