Environment Variables & Secrets
dagctl injects environment variables and file-based secrets into job pods at runtime using Kyverno. Credentials never need to be committed to your repository.
Accessing Environment Variables
Navigate to Settings → Environment Variables.
Variable Types
Two options exist when creating a variable:
Standard variable - Injected as a shell environment variable into job pods. Use this for connection strings, API keys, feature flags, and other string values.
File-mounted secret - The variable value is written to a file inside the job pod. Use this for credentials that tools expect to read from a file path rather than an environment variable. See File-Mounted Secrets below.
Creating a Variable
- Go to Settings → Environment Variables.
- Click Add Variable.
- Enter the variable name and value.
- Check Mark as sensitive if the value should be masked in the UI after saving.
- Toggle Mount as file if the value should be written to a file path instead of injected as an environment variable.
- Click Add Variable.
Warning
Variable names are case-sensitive. DATABASE_URL and database_url are treated as different variables.
File-Mounted Secrets
Some tools require credentials to be present as files rather than environment variables. Common examples:
- GCP service account JSON keys
- Snowflake private keys for key-pair authentication (.p8 files)
- SSH private keys for dbt package installation
- SSL certificates
To configure a file-mounted secret:
- Create a new variable.
- Toggle Mount as file to on.
- Enter the File Mount Path - the full path where the file will appear inside the job pod. Example: /secrets/rsa_key.p8.
- Paste the file contents into the value field (the input expands to a text area for multi-line content).
- Save the variable.
Files are mounted with 0600 permissions (owner read/write only).
Referencing the file in your config:
# SQLMesh connection config example - Snowflake key pair auth
connections:
  snowflake:
    type: snowflake
    account: myaccount
    user: myuser
    private_key_path: /secrets/rsa_key.p8

# dbt profiles.yml example
my_project:
  target: prod
  outputs:
    prod:
      type: snowflake
      account: myaccount
      user: myuser
      private_key_path: /secrets/rsa_key.p8
The /secrets/ directory is the conventional mount point. You can use any path, but /secrets/ keeps credential files separate from other filesystem locations.
Editing Variables
Click the edit icon next to any variable to update its value, sensitivity flag, or file mount settings. The variable name cannot be changed after creation. To rename a variable, delete it and create a new one.
Sensitive variables display their value as masked text. You must provide a new value when editing - the existing value is not shown.
SSH Keys
SSH keys for Git repository access are separate from environment variables. They are configured during project setup and managed at Settings → SSH Keys. Do not add SSH keys as environment variables.
How Injection Works
At runtime, Kyverno mutates job pods to inject configured variables from Kubernetes Secrets and ConfigMaps. This happens transparently when a job pod starts. Variables are available to all processes running inside the pod.
Because injection happens at pod start time, you can rotate credentials by updating the variable value in dagctl without rebuilding or redeploying anything. The next job run picks up the new value.
Deleting Variables
Click the delete icon and confirm. Deleting a variable takes effect immediately. Any job runs that start after deletion will not have the variable available. Running jobs are not affected.
Warning
Deleting a variable that your project configuration references will cause job failures. Update your project config before removing the variable.
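A job can check its injected configuration before dbt or SQLMesh starts, so that a deleted variable, a name with the wrong case, or a secret file with permissions looser than 0600 fails with a clear message. The following is an added example, not part of dagctl; the function name preflight is hypothetical, and the variable name and path are the ones used as examples on this page.

```python
import os
import stat

def preflight(required_env, required_files, environ=None):
    """Return a list of problems (names, paths and modes only, never secret values)."""
    environ = os.environ if environ is None else environ
    problems = []
    by_lower = {}
    for name in environ:
        by_lower.setdefault(name.lower(), []).append(name)

    for name in required_env:
        if environ.get(name):
            continue
        # Names are case-sensitive: database_url does not satisfy DATABASE_URL.
        near = [n for n in by_lower.get(name.lower(), []) if n != name]
        if near:
            problems.append(f"{name}: not set, but {', '.join(sorted(near))} is (case mismatch)")
        elif name in environ:
            problems.append(f"{name}: set but empty")
        else:
            problems.append(f"{name}: not set")

    for path in required_files:
        try:
            st = os.stat(path)  # follows symlinks
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append(f"{path}: not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            problems.append(f"{path}: mode {mode:04o} grants group/other access, expected 0600")
        if st.st_size == 0:
            problems.append(f"{path}: file is empty")
    return problems

if __name__ == "__main__":
    # Constructed requirements, matching the examples on this page.
    issues = preflight(["DATABASE_URL"], ["/secrets/rsa_key.p8"])
    for issue in issues:
        print("preflight:", issue)
    raise SystemExit(1 if issues else 0)
```

Run it as the first step of the job command; a non-zero exit stops the job before any tool tries to connect.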
Key Takeaways
- ✅ Variables are injected into job pods at runtime by Kyverno - no rebuilds needed to rotate credentials
- ✅ Use the "Mount as file" option for any credential a tool expects to read from a file path
- ✅ File-mounted secrets land at the path you specify, conventionally under /secrets/
- ✅ Files are mounted with 0600 permissions
- ✅ Variable names are case-sensitive
- ✅ SSH keys for Git access are managed separately under Settings → SSH Keys