Important
Secrets cannot be moved from one region to another after creation.
Secret Manager - Quickstart
Reviewed on 17 June 2025 • Published on 21 February 2023
Upon secret creation, you are prompted to choose a Scaleway-managed encryption key or specify an existing Key Manager key which will encrypt your data. This allows for secure and flexible encryption of your data, compliant with industry standards.
In this quickstart, we show you how to create a secret within a path, how to add an existing or a new Key Manager key. Then we show you how to add versions to your newly-created secret.
Console overviewLink to this anchor
Discover the Secret Manager interface on the Scaleway console.
Before you startLink to this anchor
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
How to create a secretLink to this anchor
-
Click Secret Manager in the Security & Identity section of the Scaleway console side menu.
-
In the Region drop-down, select the region in which you want to store your secret.
-
Click + Create secret.
-
Add your secret:
- Choose whether to add your secret manually or import it.
Note
The maximum file size for your secret is 64 KiB.
- Choose a secret type and enter or upload your secret value.
- Choose whether to add your secret manually or import it.
-
Choose a Key Manager encryption key:
- Scaleway-managed encryption key: requires no configuration on your side.
- Manually-managed encryption key: an existing Key Manager key you have previously created.
-
Choose a path for your secret.
-
Enter a name for your secret, and, optionally, add a description and tags.
-
Optionally, click «Toogle Icon» to enable secret protection.
-
Optionally, click «Toogle Icon» next to Enable single access or Enable Time to Live to apply an ephemeral policy to your secret and its versions.
Important- Single access: allows you to set your secret versions to expire after one single access.
- Time to Live: allows you to set a time frame of up to one year, during which your secret versions are valid and accessible.
- The ephemeral policy can only be applied to a secret at creation, and cannot be removed once applied.
- Once applied to a secret, the ephemeral policy’s settings will be applied to all the secret’s versions (even those created subsequently).
-
Check the estimated cost and click Create secret to confirm. The Overview tab of your secret displays with information such as the region of your secret, its encryption key, the secret’s ID, etc.
Note- You have created a secret on the go. The value of your secret is stored in its first version, which is enabled by default. At creation, your secret only has one version. Keep reading our quickstart to find out how to add more versions to your secret.
How to add a secret versionLink to this anchor
-
Click your secret’s Versions tab.
-
Click + Create version. A pop-up displays.
-
Add your version:
- manually
- import it from a file
- or click Copy from latest version to restore your latest enabled version
-
Optionally, if you have selected Copy from latest version and applied the Single access ephemeral policy to your secret, click Copy from latest version to acknowledge the information displayed in the yellow banner, and confirm.
Important- Restoring a former version of a secret where you have applied the Single access ephemeral policy counts as an access, meaning it will then be disabled and/or deleted depending on the policies applied.
- By default, all your secret versions have the same type as the secret they belong to. You cannot change the type after you have created the secret.
-
Click the «Toogle Icon» icon if you want to enable the version.
-
Click Create version. Your secret versions display.
Was this page helpful?