Umbraco Cloud
CMSHeartcoreDXPMarketplace
  • What is Umbraco Cloud?
  • Frequently asked questions
  • Security
    • Web Application Firewall
  • Sustainability Best Practices
  • Getting Started
    • Explore Umbraco Cloud
    • The Cloud Portal
      • Organizations
      • Sustainability Dashboard
    • Project Overview
    • Environments
    • Flexible Environments (beta)
    • Baselines
      • Baseline Merge Conflicts
      • Break Reference between Baseline and Child Project
      • Handling configuration files
      • Pushing Upgrades to a Child Project
    • Plans
    • Migrate to Umbraco Cloud
    • Repositories in a Cloud Project
    • Best Practice for Working in Teams
    • Migrate between regions
  • Set up
    • Ready to Set Up Your Project?
    • Working with a Local Clone
      • Legacy Umbraco Visual Studio Setup
    • Manage Environments
    • Project Settings
      • Managing Transport Security
      • CDN Caching and Optimizations
      • Dedicated Resources
      • Upgrade your Plan
      • Public Access
      • Managing Hostnames
        • New Certificate Authority for custom hostnames
        • Rewrite rules
        • Custom Certificates
      • Management API Security
      • Umbraco CI/CD Flow
        • Cloud API For CI/CD Flow
        • Configuring a CI/CD pipeline
          • Azure DevOps
          • GitHub Actions
        • Troubleshooting
        • Known Limitations and Considerations
      • External Services
      • Usage
        • Bandwidth
      • Availability and Performance
      • Team Members
        • Technical Contact
      • Secrets Management
      • Project History
    • Private NuGet Feed on Umbraco Cloud
    • Going Live
    • Media
    • External Login Providers
    • Azure Blob Storage
      • Connect to Azure Storage Explorer to upload files manually
      • Connect and Upload Files Programmatically to Azure Blob Storage
    • Users
    • Multi-Factor Authentication
    • Application Insights
    • Config Transforms
    • SMTP Settings
    • Payments
      • Subscription migration information and FAQ
    • Power Tools (Kudu)
      • View the Files on your Cloud Environments
      • Generate UDA files
      • Manually run Extractions on your Cloud Environments
  • Deployments
    • Deployment
    • Deploying between environments
    • Transferring Content, Media, Members, and Forms
    • Deploying Deletions
    • Deployment Webhook
    • Deploying Changes
    • Umbraco Forms on Cloud
    • Deploy Dashboard
    • Hotfixes
      • Apply hotfix by manually moving files
      • Apply hotfix by using Git
    • Restoring Content
      • Partial Restores
  • Databases
    • Keep Your Data Secure and Accessible
    • Working with databases
    • Database backups
    • Database
      • Connecting to the Database on Mac
    • Working with a Cloud database locally
  • Product Upgrades
    • Stay Up to Date with Umbraco Cloud
    • Product Upgrades
    • Major Upgrades
    • Minor Upgrades
    • Version Specific Upgrades
      • Migrate from Umbraco 8 to the latest version
      • Migrate from Umbraco 7 to Umbraco 8 on Umbraco Cloud
    • Upgrade your projects manually
      • Manual upgrade of Umbraco CMS
      • Manual upgrade of Umbraco Deploy
    • Dependencies on Umbraco Cloud
  • Troubleshooting
    • Resolve Issues Quickly and Efficiently
    • Troubleshooting FAQ
    • Log files
    • The Umbraco Backoffice
    • The Frontend
    • The Umbraco Cloud Portal
    • Site Performance checklist
    • Troubleshooting deployments
      • Extraction error: Config transforms failing
      • Extraction error: Data Type collisions
      • Dependency Exception
      • Merge Conflicts on Flexible Environments
      • Troubleshooting deployments failing with no error message
      • Troubleshooting duplicate dictionary items
      • Troubleshooting language mismatches
      • Path too long Exception
      • Schema Mismatches
      • How to resolve collision errors
      • Extraction error: "Type not found! "
    • Cloud Errors
  • Release Notes
    • Overview 2025
      • April 2025
      • March 2025
      • February 2025
      • January 2025
    • Overview 2024
      • December 2024
      • November 2024
      • October 2024
      • September 2024
      • August 2024
      • July 2024
      • May 2024
      • April 2024
      • March 2024
      • February 2024
      • January 2024
    • Overview 2023
      • December 2023
      • October 2023
      • September 2023
      • August 2023
      • June 2023
      • May 2023
      • April 2023
      • March 2023
      • February 2023
      • January 2023
    • Overview 2022
      • December 2022
      • November 2022
      • September 2022
      • August 2022
      • June 2022
      • May 2022
      • April 2022
      • March 2022
      • February 2022
      • January 2022
Powered by GitBook
On this page
  • How to add secrets
  • Working locally with secrets
  • Access secrets in a Umbraco Solution
  • Naming standards for secrets
  • Accepted Prefixes

Was this helpful?

Edit on GitHub
Export as PDF
  1. Set up
  2. Project Settings

Secrets Management

If your Umbraco Cloud project uses sensitive information such as API keys, encryption keys, and connection strings, it is recommended to store these as secrets.

There are two ways to add secrets to your Cloud project, as an Environment Secrets or as a Shared Secrets.

Environment Secrets are intended to be utilized exclusively within a particular environment during the runtime of your Umbraco solution.

Shared Secrets are utilized across all environments and will be seamlessly integrated into any new environment you create. Shared Secrets are particularly well-suited for safeguarding credentials necessary for project development, such as access to private NuGet feeds.

Utilizing environment-specific secrets for private NuGet feeds will result in the unsuccessful creation of new environments due to the unknown status of the secret. In such instances, Shared Secrets should be used.

Typical secrets are Private Keys, 3rd-party API tokens, database passwords, or otherwise sensitive data that needs to be kept secret.

When the secrets have been added they will be exposed exclusively to the assigned environments.

It will be assigned as an environment variable at runtime using the assigned name for the secret.

It will then use a reference that only the managed identity of the environment has access to.

Starter Plans have a limit of 5 secrets per environment, whereas higher-tiered plans have no limit.

How to add secrets

When adding a secret to your environment it will restart.

To add a secret to your environment follow these steps:

  1. Go to your Umbraco Cloud project

  2. Go to the Settings section and go to Secret Management

  3. Choose either shared or environment secrets

  4. Choose the environment to add the secret and click Add secret

  5. Add the Key and the Value in the fields and click Add secret

  6. Save the key to the environment.

Working locally with secrets

When you develop locally, you cannot access secrets that are stored in the key vault associated with a cloud environment.

We recommend that you use common methods for handling secrets locally, such as using app settings in the appsettings.development.json.

The app setting should not be committed to the code repository or it needs to be ignored via a gitignore file.

An example could be that you have a secret in a cloud environment with the key name "ApiKey",

You should specify this with a corresponding name in a configuration file such as appsettings.development.json:

{
   "Serilog": {
     …
   },
   "Umbraco":{
     …
   },
   "ApiKey": "Value",
}

Access secrets in a Umbraco Solution

Secrets for cloud environments are stored in a key vault and loaded by the app service (using a key vault reference) as an environment variable.

This enables you to get the value at runtime as you normally would fetch an environment variable.

You can use the method, getting it from the System namespace in .NET as below:

_secretMessage = Environment.GetEnvironmentVariable("SecretMessage");

Secrets can also be used to override AppSettings defined in appsettings.json files.

In order for this to work, when adding the secret, the Key value should be all the settings' names joined by double underscores.

For example, to change the Serilog's default options under Serilog:MinimumLevel:Default, the Secret key would look like this:

Serilog__MinimumLevel__Default

The value defined in appsettings.json file will be overwritten with the Cloud Secret's value.

Naming standards for secrets

When naming a secret, it is possible to use alphanumeric characters as well as '_' (underscore).

Some words are reserved and cannot be accepted:

  • COMMAND

  • HOME

  • PORT

  • REMOTE

  • DEBUGGING

  • VERSION

  • REGION_NAME

  • CONNECTIONSTRINGS__UMBRACODBDSN

The following prefixes are not accepted.

The list consists of:

  • UMBRACO_

  • WEBSITE_

  • SCM_

  • SDEPLOY_

  • DEPLOYMENT_

  • DOCKER_

  • CONTAINER_

  • DIAGNOSTICS_

  • APPSERVICEAPPLOGS_

  • WEBSITE_

  • DOTNET_

  • IDENTITY_

  • MSI_

  • WEBJOBS_

  • FUNCTIONS_

  • AzureWebJobsWP_

  • PHP_

  • FILE_

  • DATABASE_

  • WORDPRESS_

  • MACHINEKEY_

  • SQLCONNSTR

  • SQLAZURECONNSTR_

  • POSTGRESQLCONNSTR_

  • CUSTOMCONNSTR_

  • MYSQLCONNSTR_

  • AZUREFILESSTORAGE_

  • AZUREBLOBSTORAGE_

  • NOTIFICATIONHUBCONNSTR_

  • SERVICEBUSCONNSTR_

  • EVENTHUBCONNSTR_

  • DOCDBCONNSTR_

  • REDISCACHECONNSTR_

  • FILESHARESTORAGE_

The provided list of restricted prefixes is incomplete but will be continuously updated as new cases arise.

Accepted Prefixes

The following prefixes are allowed for Secrets on Umbraco Cloud:

  • Umbraco__CMS__Global__Smtp__

  • Umbraco__Forms__Security__FormsApiKey__

  • Umbraco__Forms__FieldTypes__Recaptcha__

  • Umbraco__CMS__Integrations__

  • Umbraco__CMS__DeliveryAPI__

  • UMBRACO__LICENSES__

  • UMBRACO__AUTHORIZEDSERVICES__

  • UMBRACO__COMMERCE__

It is also possible to use Secrets to save API keys, Passwords, and ReChaptcha for all our Umbraco products on Umbraco Cloud.

Do you have an existing or new secret that you want to add to a key vault that conflicts with the name restrictions?

Then please contact Umbraco support, then we will consider it as soon as possible.

PreviousTechnical ContactNextProject History

Last updated 1 month ago

Was this helpful?