Environment variables
Store all your sensitive inputs (API keys, passwords etc) as secrets.
SQD Cloud supports adding environment variables to squid deployments. The variables can be defined as key-value pairs at any of the env:
sections of the manifest.
For example, here is how to add a variable that will be visible only to the squid processor:
deploy:
processor:
env:
MY_PROCESSOR_VAR: string_value
You can also add variables visible only to the GraphQL server or to the migration script.
There is also an option to add variables for all services:
deploy:
env:
MY_SQUIDWIDE_VAR: string_value
Variables can be assigned either to strings, or to member variables of contexts provided by the service. For example, to make a processor-scoped API_KEY
variable and populate it with the value of secrets.API_KEY
, do this:
deploy:
processor:
env:
RPC_ENDPOINT: ${{ secrets.API_KEY }}
Variable shadowing
There is one special case in which the variables defined in the manifest will get overwritten by the Cloud: database connection settings are shadowed by the system-defined values whenever the postgres
addon is enabled (see the Variable shadowing section of the addon page). For example, in the snippet below all the DB_*
variable definitions will be ignored:
deploy:
addons:
postgres:
env:
DB_HOST: mypostgreshost.xyz
DB_PORT: 5432
DB_NAME: squid-tests
DB_USER: me
DB_PASS: ${{ secrets.DATABASE_PASSWORD }}
DB_SSL: true
Contexts
The Cloud exposes some useful variables via a mechanism identical to GitHub Actions contexts. Namely, any string
${{ <context> }}
added to the manifest at any environment variable definition gets replaced by the value supplied by the Cloud.
Secrets
Secrets are designed to store sensitive data, such as API keys or private URLs for chain RPC endpoints. They are defined at the organization level and are exposed to all organization squids that request them in their environment variable definitions.
To add a secret:
- Create it in the Cloud. You can do it at the secrets page or with
sqd secrets
:If you do not specify the value,sqd secrets set MOONRIVER_GRPC_ENDPOINT wss://moonriver.my-endpoint.com/ws/my-secret-key
sqd
will attempt to read it from standard input. This is useful when setting a value to the contents of some file:sqd secrets set MY_JSON_CREDENTIALS < creds.json
- At your squid's manifest, add an environment variable and assign it to the secret:
Note: a deployment requesting a secret unknown to the Cloud will fail.
deploy:
env:
RPC_ENDPOINT: ${{ secrets.MOONRIVER_GRPC_ENDPOINT }} - Access the value in the squid with
process.env
, e.g.const processor = new EvmBatchProcessor()
.setRpcEndpoint({
url: process.env.RPC_ENDPOINT,
rateLimit: 1000rps
})
Inspect, remove and update the secrets using the sqd secrets
command.
Any changes to secrets will take effect only when the squid is restarted, e.g. with
sqd deploy .