Secrets
Overview
A secret stores a sensitive value — typically a connection string or credential — that a sensor needs to reach a private resource within an environment. Unlike variables, secrets are encrypted at rest and their values are never displayed in the interface after creation.
Secrets are used by sensors that connect to databases, key-value stores, or message brokers through private agents.
Supported types
| Type | Sensor |
|---|---|
| PostgreSQL | SQL Compatible |
| SQL Server | SQL Compatible |
| MySQL | SQL Compatible |
| MariaDB | SQL Compatible |
| Oracle | SQL Compatible |
| Redis | KVDB |
| RabbitMQ | DLQ |
Create a secret
- Navigate to Settings → Environments and select your environment.
- In the Secrets section, click Add secret.
- Fill in the required fields:
  - Code — A unique identifier (lowercase letters, digits, hyphens, and dots). This code is referenced by your sensors and cannot be changed after creation.
  - Type — The resource type (e.g. PostgreSQL, Redis).
  - Value — The connection string or credential.
- Save. The value is immediately encrypted and stored.
⚠️ Secret values are write-only
Once saved, a secret's value can never be read back from the interface. Only the code, type, and version number are displayed. To change a value, update the secret — Onagre will create a new version automatically.
Use a secret in a sensor
When configuring a SQL Compatible, KVDB, or DLQ sensor, select the target environment and the corresponding secret code in the Entrypoint field. The agent receives the decrypted connection string at execution time — you never have to copy credentials manually.
Versioning
Each time you update a secret's value, Onagre creates a new version. Previous versions are retained internally for traceability. Sensors always use the latest version automatically.
💡 Deletion protection
A secret cannot be deleted if it is still referenced by an active sensor. Disable or reassign the sensor first.
Connection string examples
Below are examples of connection strings for each supported type.
PostgreSQL
Server=127.0.0.1;Port=5432;Database=myDataBase;User Id=myUsername;Password=myPassword;
SQL Server
Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;
MySQL
Server=127.0.0.1;Port=3306;Database=myDataBase;User Id=myUsername;Password=myPassword;
MariaDB
Server=127.0.0.1;Port=3306;Database=myDataBase;User Id=myUsername;Password=myPassword;
Oracle
Data Source=myOracleDB;User Id=myUsername;Password=myPassword;
Redis
redis0:6380,password=myPassword,ssl=True,abortConnect=False
RabbitMQ
amqp://user:password@host:port/vhost
See the AMQP URI specification.
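Because a saved value cannot be read back, it is worth checking the code and connection string before clicking Save. The Python sketch below is an added example, not Onagre code: `check_secret`, `parse_pairs` and the rules they apply are assumptions derived from the field description and sample strings on this page, and the messages name keys only, never values.

```python
import re
from urllib.parse import urlsplit

CODE_RE = re.compile(r"[a-z0-9.-]+")  # character set from "Create a secret"
BASE = {"server", "database", "user id", "password"}
# Keys copied from this page's sample strings; treating them as required is an assumption.
REQUIRED = {"PostgreSQL": BASE | {"port"}, "MySQL": BASE | {"port"},
            "MariaDB": BASE | {"port"}, "SQL Server": BASE,
            "Oracle": {"data source", "user id", "password"}}

def parse_pairs(text, sep):
    """Split 'k=v<sep>k=v' into (dict with lowercased keys, count of segments lacking '=')."""
    pairs, bad = {}, 0
    for part in filter(None, (p.strip() for p in text.split(sep))):
        key, eq, val = part.partition("=")
        if eq:
            pairs[key.strip().lower()] = val.strip()
        bad += not eq  # e.g. an unquoted separator inside a password
    return pairs, bad

def check_secret(code, secret_type, value):
    """Return a list of problems found before saving; an empty list means none."""
    problems = []
    if not CODE_RE.fullmatch(code):
        problems.append("code: use lowercase letters, digits, hyphens and dots only")
    if secret_type in REQUIRED:
        pairs, bad = parse_pairs(value, ";")
        if bad:
            problems.append(f"{bad} segment(s) without '='")
        missing = sorted(k for k in REQUIRED[secret_type] if not pairs.get(k))
        problems += [f"missing or empty key: {k}" for k in missing]
    elif secret_type == "Redis":
        host, _, port = value.partition(",")[0].rpartition(":")
        if not host or not port.isdigit():
            problems.append("endpoint must be host:port")
        pairs, _ = parse_pairs(value.partition(",")[2], ",")
        if pairs.get("ssl", "").lower() != "true":
            problems.append("ssl=True not set (the sample on this page enables it)")
    elif secret_type == "RabbitMQ":
        try:  # amqps is the TLS scheme of the AMQP URI spec; sensor support is not stated here
            url = urlsplit(value)
            ok = url.scheme in ("amqp", "amqps") and url.hostname and url.port
        except ValueError:  # non-numeric or out-of-range port
            ok = False
        if not ok:
            problems.append("expected amqp://user:password@host:port/vhost")
    else:
        problems.append(f"unsupported type: {secret_type}")
    return problems
```

Pasting the RabbitMQ template unchanged, with the literal word `port`, is reported as a problem, as is a SQL-style string whose password contains an unquoted `;`.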
Summary
| Aspect | Details |
|---|---|
| Storage | Encrypted at rest (AES-GCM 256-bit) |
| Visibility | Write-only — never displayed after creation |
| Versioning | New version created on each update |
| Deletion | Protected if referenced by an active sensor |
| Scope | Isolated per environment |
| Delivery | Decrypted by the Hub and sent to agents over TLS |
| Security details | See Security |