
Managing Secrets

This guide walks you through creating secrets, using them during VM deployment via cloud-init, and enabling runtime API retrieval.

Prerequisites

  • An active NetActuate account
  • At least one VM or the ability to deploy a new one

Step 1: Navigate to Secrets Manager

  1. Log in to the NetActuate Customer Portal.
  2. In the top navigation, click Platform.
  3. In the left sidebar, click Secrets.

Step 2: Create a Secret List

  1. Click Add to create a new Secret List.
  2. Give the list a name (e.g., "Production Keys").

Secret Lists are containers that hold one or more secrets. You first create a list, then add key-value pairs inside it. You can organize secrets into multiple lists by environment, project, or team.

Step 3: Add Secrets to the List

  1. Click into your newly created list. The secrets sidebar expands, showing the list identifier, list name, and any existing secrets.
  2. Click Add Secret.
  3. Enter a key name and value, or click import to load the value from a file (useful for SSL certificates and configuration files).

Examples:

  • Key: APIKEY, Value: abcdefghijklmnop1234567890
  • Key: DB_PASSWORD, Value: s3cureP@ssw0rd
  • Key: SSL_CERT, File: import your certificate file

Note: Secret keys must be unique across your entire account, not just within a single list.

Step 3a: View, Edit, or Delete Secrets

  • View — click the eye icon next to any secret to reveal its value
  • Edit — click edit to update a secret's value
  • Delete — remove an individual secret from the list
  • Delete a list — from the main secrets page, delete an entire secret list and all its contents

Step 4: Reference Secrets in a Cloud-Init Script

When deploying a new VM through Infrastructure → Virtual Machines → + Add, paste a cloud-init script in the OS configuration step. Reference your secrets using the template variable syntax ${{secret.KEY_NAME}}.

Example cloud-init script that writes an API key to /etc/environment:

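#cloud-config
write_files:
  # Append the API key to /etc/environment; ${{secret.APIKEY}} is the template variable for the secret
  - path: /etc/environment
    content: |
      API_KEY="${{secret.APIKEY}}"
    permissions: '0644'
    append: true

# Printed to the cloud-init output log once cloud-init finishes
final_message: |
  Cloud-init completed
  API_KEY ${{secret.APIKEY}} has been added to /etc/environment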

Click Show Secrets in the portal to see all available template variables for your account.

Note: You can also store an entire cloud-init script as a secret value and reference it during deployment.

Step 5: Verify Secret Injection

After the VM boots, confirm the secret was injected correctly by checking the cloud-init output log:

$ tail -n 4 /var/log/cloud-init-output.log
Cloud-init v. 24.1.3-0ubuntu3 running 'modules:final' at Thu, 27 Feb 2025 16:19:02 +0000. Up 8.15 seconds.
Cloud-init completed
API_KEY abcdefghijklmnop1234567890 has been added to /etc/environment

$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
API_KEY="abcdefghijklmnop1234567890"
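
The same verification can be done without printing the secret value. The following is an added example, not NetActuate tooling, and the function name check_secret_injection is hypothetical. It reports unrendered ${{secret.KEY_NAME}} placeholders, a world-readable target file, and the value appearing in the cloud-init output log; the sample script above triggers the last two because it uses mode 0644 and echoes the key in final_message.

```shell
# Added example (not NetActuate tooling): verify secret injection without
# ever printing the secret value. check_secret_injection is a hypothetical name.
# Usage: check_secret_injection API_KEY /etc/environment /var/log/cloud-init-output.log
check_secret_injection() {
    key=$1; env_file=$2; log_file=$3; rc=0

    # An unrendered placeholder means the template variable was not substituted.
    if grep -qF '${{secret.' "$env_file"; then
        echo "FAIL: unrendered \${{secret.*}} placeholder in $env_file"; rc=1
    fi

    # Read KEY="value"; the last occurrence wins because the file is appended to.
    value=$(sed -n "s/^${key}=\"\(.*\)\"\$/\1/p" "$env_file" | tail -n 1)
    if [ -z "$value" ]; then
        echo "FAIL: $key missing or empty in $env_file"; return 1
    fi
    echo "OK: $key present (${#value} characters)"

    # A world-readable file exposes the value to every local user.
    if [ -n "$(find "$env_file" -perm -004)" ]; then
        echo "WARN: $env_file is world-readable"; rc=1
    fi

    # Anything echoed by final_message lands in the cloud-init output log.
    if grep -qF -- "$value" "$log_file"; then
        echo "WARN: value of $key appears in $log_file"; rc=1
    fi
    return $rc
}
```

The function returns 0 only when none of the findings apply, so it can gate a post-deploy check.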

Step 6: Enable Runtime API Retrieval (Optional)

For VMs that need to retrieve secrets after boot — without storing an API key on the VM:

  1. Navigate to Account → API.
  2. Enable Allow VMs to authenticate.

This is an account-wide toggle. Once enabled, any VM in your account can call the NetActuate API to retrieve secrets by identifying itself automatically. No API key needs to be stored on the VM.

This is particularly useful for stateless OS images (e.g., Talos, NixOS) where secrets cannot be baked into the image at build time.

Need Help?

Contact support@netactuate.com or open a support ticket from the portal.