Secrets at Runtime¶
Automation compiles Jinja expressions and resolves vault secrets at different times. At runtime, the system first performs Jinja template preprocessing. It then resolves and populates secrets only where they are permitted, and only at the moments during order run execution where they are required.
What gets compiled¶
The system performs two types of compilation when executing an order:
- Jinja compilation: where Jinja template expressions, such as `{{variable_name}}` or `{% if variable_name == 'xyz' %} "stop-on-error", {% else %} "warning", {% endif %}`, are converted to executable values.
- Secret resolution: where vault paths like `#{vault://secret_name}` are converted to their secret values.
A user only sees the results of Jinja compilation when compiling a file in the File Editor or when compiling all files through the command line interface. The compiled SQL resource file, inline query in JSON files, or container script all display the code that will run.
The exceptions are runtime variables and vault paths. In a user-compiled file, the runtime variables displayed differ (usually shown as null or default values) from the values the system will process during an order run because, by definition, those values are only set during execution. Vault secrets resolve during an order run only at the moment the secrets are needed to connect to a database or other tool. Users can see only vault secret names, never the secret values.
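The two-phase behaviour described above, as an added illustration that is not the product's own code: a minimal Jinja-style `{{ variable }}` substitution stands in for the real Jinja engine (it does not handle `{% %}` blocks), a dictionary stands in for the vault backend, and the template, variable names and secret value are all constructed. The point it shows is that `#{vault://...}` paths survive the compile step unchanged, unset runtime variables render as `null` in the editor view, and secret values appear only in the string produced at connection time.

```python
import re

# Constructed sample: a connection-string resource as a user might write it.
# {{ run_id }} is a runtime variable, unknown when the file is compiled in the
# editor; the vault path must pass through Jinja compilation untouched.
SAMPLE_TEMPLATE = (
    "host={{ db_host }};user={{ db_user }};"
    "password=#{vault://db_password};application_name=run_{{ run_id }}"
)

# Variables known when a user compiles the file in the editor (no run_id yet).
EDITOR_VARIABLES = {"db_host": "db.example.internal", "db_user": "etl"}

# Hypothetical stand-in for the vault backend; a real system would call the vault.
FAKE_VAULT = {"db_password": "constructed-secret-value"}

JINJA_VAR_RE = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")
VAULT_RE = re.compile(r"#\{vault://([\w\-./]+)\}")


def jinja_compile(template: str, variables: dict) -> str:
    """Phase 1: substitute {{ variable }} expressions only.

    Variables that are not set yet (runtime variables) render as 'null', which
    is what a user sees in the editor. Vault paths are deliberately not matched.
    """
    return JINJA_VAR_RE.sub(lambda m: str(variables.get(m.group(1), "null")), template)


def vault_names(text: str) -> list:
    """Secret names referenced by a compiled file: all a user is allowed to see."""
    return VAULT_RE.findall(text)


def resolve_secrets(compiled: str, vault: dict) -> str:
    """Phase 2: replace #{vault://name} with the secret value.

    Only called at the moment a connection is made, never when rendering a
    compiled file for a user. A missing secret is an error, not an empty string.
    """
    def lookup(m):
        name = m.group(1)
        if name not in vault:
            raise KeyError(f"vault secret not found: {name}")
        return vault[name]
    return VAULT_RE.sub(lookup, compiled)


def order_run(template: str, runtime_variables: dict, vault: dict) -> str:
    """Simulated order run: compile with the now-known runtime variables, then
    resolve secrets immediately before the (simulated) connect."""
    compiled = jinja_compile(template, runtime_variables)
    return resolve_secrets(compiled, vault)  # secret values exist only here


def leaks_secret_value(text: str, vault: dict) -> bool:
    """Defensive check: a user-visible compiled view must contain no secret value."""
    return any(value in text for value in vault.values())


if __name__ == "__main__":
    shown_to_user = jinja_compile(SAMPLE_TEMPLATE, EDITOR_VARIABLES)
    print("editor view:", shown_to_user)
    print("vault names:", vault_names(shown_to_user))
    print("leaks?     :", leaks_secret_value(shown_to_user, FAKE_VAULT))
    print("order run  :", order_run(SAMPLE_TEMPLATE, {**EDITOR_VARIABLES, "run_id": 42}, FAKE_VAULT))
```

The `leaks_secret_value` check is the kind of assertion worth keeping in a test suite for any compile-and-preview feature: whatever the editor shows must never contain a value that came from the vault, only the `#{vault://name}` reference.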