GitLab Secrets Manager
- Tier: Ultimate
- Offering: GitLab.com
- Status: Experiment
This feature is an experiment and subject to change without notice. This feature is not ready for public testing or production use.
Secrets represent sensitive information your CI/CD jobs need to function. Secrets could be access tokens, database credentials, private keys, or similar.
Unlike CI/CD variables, which are always available to jobs by default, secrets must be explicitly requested by a job.
Use the GitLab Secrets Manager to securely store and manage your project’s secrets and credentials.
Enable GitLab Secrets Manager
Prerequisites:
- You must have the Owner role for the project.
To enable GitLab Secrets Manager:
- On the left sidebar, select Search or go to and find your project. If you’ve turned on the new navigation, this field is on the top bar.
- Select Settings > General.
- Expand Visibility, project features, permissions.
- Turn on the Secrets manager toggle and wait for the secrets manager to be provisioned.
Define a secret
You can add secrets to the secrets manager so that they can be used in secure CI/CD pipelines and workflows.
- On the left sidebar, select Search or go to and find your project. If you’ve turned on the new navigation, this field is on the top bar.
- Select Secure > Secrets manager.
- Select Add secret and fill in the details:
  - Name: Must be unique in the project.
  - Value: No limitations.
  - Description: Maximum of 200 characters.
  - Environments: Can be:
    - All (default) (*)
    - A specific environment
    - A wildcard environment.
  - Branch: Can be:
    - A specific branch
    - A wildcard branch (must have the * character)
  - Expiration date: Secrets become unavailable after the expiration date.
  - Rotation reminder: Optional. Send an email reminder to rotate the secret after the set number of days. Minimum 7 days.
After you create a secret, you can use it in the pipeline configuration or in job scripts.
Use secrets in job scripts
To access secrets defined with the secrets manager, use the secrets and gitlab_secrets_manager keywords:
job:
  secrets:
    TEST_SECRET:
      gitlab_secrets_manager:
        name: foo
  script:
    - cat $TEST_SECRET
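
The job above prints the secret to the job log, which is enough to show that the secret was delivered. As an added example (not from GitLab's documentation), these shell helpers show one way a job script can check the secret and hand it to a tool without printing it. They assume TEST_SECRET holds the path of a file containing the secret, as the cat usage implies; check_secret_file, use_secret and demo are hypothetical names, and the sample value is constructed.

```shell
#!/bin/sh
# Added example, not GitLab's code. Assumption: the job variable holds the
# PATH of a file containing the secret, as `cat $TEST_SECRET` implies.

# check_secret_file PATH
# Returns 0 = usable, 1 = variable empty or unset, 2 = not a regular file,
# 3 = empty file. Never echoes its argument, in case the variable holds the
# secret value itself rather than a path.
check_secret_file() {
    if [ -z "${1-}" ]; then
        echo "secret not available: was it requested under 'secrets:' in this job?" >&2
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "secret variable does not point at a regular file" >&2
        return 2
    fi
    if [ ! -s "$1" ]; then
        echo "secret file is empty" >&2
        return 3
    fi
    return 0
}

# use_secret PATH COMMAND [ARGS...]
# Runs COMMAND with the secret on stdin, so the value does not appear in the
# command's arguments or in `set -x` traces (only the path is traced).
use_secret() {
    secret_path=${1-}
    check_secret_file "$secret_path" || return $?
    shift
    "$@" < "$secret_path"
}

# Constructed demo: a temp file stands in for the runner-provided secret file.
demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed-sample-value' > "$tmp"
    # wc -c consumes the secret from stdin and reports only its length.
    use_secret "$tmp" wc -c
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

In a job script this would be called as use_secret "$TEST_SECRET" followed by a command that reads the credential from standard input.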