Secret Manager - Quickstart

Reviewed on June 17, 2025

Upon secret creation, you are prompted to choose a Scaleway-managed encryption key or specify an existing Key Manager key which will encrypt your data. This allows for secure and flexible encryption of your data, compliant with industry standards.

In this quickstart, we show you how to create a secret within a path, how to add an existing or a new Key Manager key. Then we show you how to add versions to your newly-created secret.

Console overview

Discover the Secret Manager interface on the Scaleway console.

Before you start

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization

How to create a secret

1. Click Secret Manager in the Security & Identity section of the Scaleway console side menu.

2. In the Region drop-down, select the region in which you want to store your secret.

   Important

   Secrets cannot be moved from one region to another after creation.

3. Click + Create secret.

4. Add your secret:

   • Choose whether to add your secret manually or import it.
     Note

     The maximum file size for your secret is 64 KiB.

   • Choose a secret type and enter or upload your secret value.

5. Choose a Key Manager encryption key:

   • Scaleway-managed encryption key: requires no configuration on your side.
   • Manually-managed encryption key: an existing Key Manager key you have previously created.

6. Choose a path for your secret.

   Important

   A path is the directory structure to access your secrets and their versions. Each path must be prefixed with a slash.

7. Enter a name for your secret, and, optionally, add a description and tags.

8. Optionally, click toggle icon to enable secret protection.

9. Optionally, click toggle icon next to Enable single access or Enable Time to Live to apply an ephemeral policy to your secret and its versions.

   Important

   • Single access: allows you to set your secret versions to expire after one single access.
   • Time to Live: allows you to set a time frame of up to one year, during which your secret versions are valid and accessible.
   • The ephemeral policy can only be applied to a secret at creation, and cannot be removed once applied.
   • Once applied to a secret, the ephemeral policy's settings will be applied to all the secret's versions (even those created subsequently).

10. Check the estimated cost and click Create secret to confirm. The Overview tab of your secret displays with information such as the region of your secret, its encryption key, the secret's ID, etc.

    Note

    • You have created a secret on the go. The value of your secret is stored in its first version, which is enabled by default. At creation, your secret only has one version. Keep reading our quickstart to find out how to add more versions to your secret.

How to add a secret version

1. Click your secret's Versions tab.

2. Click + Create version. A pop-up displays.

3. Add your version:

   • manually
   • import it from a file
   • or click Copy from latest version to restore your latest enabled version

4. Optionally, if you have selected Copy from latest version and applied the Single access ephemeral policy to your secret, click Copy from latest version to acknowledge the information displayed in the yellow banner, and confirm.

   Important

   • Restoring a former version of a secret where you have applied the Single access ephemeral policy counts as an access, meaning it will then be disabled and/or deleted depending on the policies applied.
   • By default, all your secret versions have the same type as the secret they belong to. You cannot change the type after you have created the secret.

5. Click the toggle icon icon if you want to enable the version.

6. Click Create version. Your secret versions display.