Config & Secrets Management

tawa config manages environment variables and encrypted secrets for your services. Changes are stored in the builder and take effect on the next deploy.

CLI Commands

# Set plain config vars (visible in logs)
tawa config set LOG_LEVEL=debug API_TIMEOUT=30000

# Set an encrypted secret (value never returned by API)
tawa config set STRIPE_SECRET_KEY=sk_live_... --secret

# List all config vars and secret key names (values masked for secrets)
tawa config list

# Remove a config var or secret
tawa config unset STRIPE_SECRET_KEY

# Pull all config + decrypted secrets to .env.local
tawa config pull

# Push .env.local values to the builder as plain config, not as secrets
# (values pulled from secrets become plain vars unless set again with --secret)
tawa config push

After setting or changing config, you must redeploy with tawa deploy for changes to take effect in your running pod.

How Secrets Work

  1. You run tawa config set MY_KEY=value --secret
  2. The builder encrypts the value with AES-256-GCM and stores the ciphertext in MongoDB
  3. On deploy, the builder decrypts all secrets and creates a Kubernetes Secret named {service}-managed-secrets
  4. The secret is mounted into your pod via envFrom.secretRef
  5. Your app reads the value with process.env.MY_KEY — no decryption needed in code

Secret values are never returned by the API. The only way to retrieve a secret value is tawa config pull, which writes the decrypted value to .env.local on your local machine.

Auto-Provisioned Variables

The builder automatically injects these based on your catalog-info.yaml — do NOT set these with tawa config:

Source         | Variable           | Provisioned from
---------------|--------------------|-----------------------------------------------
Databases      | MONGODB_URI        | spec.databases with type: mongodb
Databases      | REDIS_URL          | spec.databases with type: redis
OAuth          | BIO_CLIENT_ID      | Auto-created OAuth client
OAuth          | BIO_CLIENT_SECRET  | Auto-created OAuth client
Internal deps  | {SERVICE}_URL      | spec.internalDependencies resolved to K8s DNS

Precedence

From lowest to highest (highest wins):

  1. catalog-info.yaml defaults (e.g., NODE_ENV)
  2. Managed config — plain vars set via tawa config set
  3. Kubernetes Secret — encrypted secrets, mounted via envFrom.secretRef

Local Development

tawa config pull
# Writes .env.local with all config + decrypted secrets
# File permissions: 0600 (owner read/write only)

Most Node.js frameworks load .env.local automatically. Your app reads process.env.STRIPE_SECRET_KEY the same way whether running locally or in a pod.

WARNING: Add .env.local to your .gitignore. Never commit it to version control.

Common Mistakes

// WRONG: hardcoded secret
const apiKey = "sk_live_abc123..."

// CORRECT: read from environment
const apiKey = process.env.STRIPE_SECRET_KEY
if (!apiKey) throw new Error('STRIPE_SECRET_KEY not configured')

  • Committing .env.local: always add it to .gitignore
  • Forgetting to redeploy: tawa config set only takes effect after tawa deploy
  • Setting auto-provisioned vars manually: MONGODB_URI and BIO_CLIENT_ID are generated by the builder; setting them manually creates a conflict
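The CORRECT snippet above generalised to a whole service: an added example (not part of tawa or its docs) of a startup loader that fails fast on any missing required variable and returns a log-safe view with secret values masked, since plain config vars are visible in logs but secrets must never be. CONFIG_SCHEMA, loadConfig, maskSecret and the sample environment are assumptions made for this example.

```javascript
// Added example, not tawa's own code. Declares every variable the service expects;
// `secret: true` marks values stored with `tawa config set ... --secret`.
const CONFIG_SCHEMA = [
  { name: 'LOG_LEVEL',         required: false, secret: false, fallback: 'info' },
  { name: 'API_TIMEOUT',       required: false, secret: false, fallback: '30000', parse: Number },
  { name: 'STRIPE_SECRET_KEY', required: true,  secret: true },
  // Auto-provisioned by the builder; the URI may carry credentials, so mask it in logs.
  { name: 'MONGODB_URI',       required: true,  secret: true },
];

// Keep a short prefix so operators can tell which key is loaded without exposing it.
function maskSecret(value) {
  if (typeof value !== 'string' || value.length < 8) return '***';
  return value.slice(0, 4) + '***';
}

// Validates `env` against `schema`. Returns { values, redacted }: `values` for the app,
// `redacted` for logging. Throws at startup if a required variable is absent.
function loadConfig(env, schema = CONFIG_SCHEMA) {
  const missing = [];
  const values = {};
  const redacted = {};
  for (const entry of schema) {
    const raw = env[entry.name];
    if (raw === undefined || raw === '') {
      if (entry.required) { missing.push(entry.name); continue; }
      if (entry.fallback === undefined) continue;
      values[entry.name] = entry.parse ? entry.parse(entry.fallback) : entry.fallback;
    } else {
      values[entry.name] = entry.parse ? entry.parse(raw) : raw;
    }
    redacted[entry.name] = entry.secret ? maskSecret(String(values[entry.name])) : values[entry.name];
  }
  if (missing.length > 0) {
    // Fail before serving traffic rather than at the first request that needs the value.
    throw new Error(`Missing required config: ${missing.join(', ')} (tawa config set, then tawa deploy)`);
  }
  return { values, redacted };
}

// Constructed sample environment standing in for process.env inside a pod (values are fake).
const SAMPLE_ENV = {
  LOG_LEVEL: 'debug',
  STRIPE_SECRET_KEY: 'sk_live_EXAMPLE_NOT_REAL',
  MONGODB_URI: 'mongodb://app:fakepass@mongo.default.svc:27017/app',
};

console.log(loadConfig(SAMPLE_ENV).redacted); // safe to log: secrets appear as "sk_l***", "mong***"
```

In a real service pass `process.env` to loadConfig and log only the `redacted` object.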

Last updated: February 28, 2026