Skip to main content

Use Barbara secrets from inside your app

This article refers to Platform v3.1.0. The current Platform version is v3.2.0.

Overview

A Barbara Global Secret is a sensitive key-value pair (a token, a password, a certificate fingerprint) stored encrypted on the edge node and made available to your apps as environment variables. You manage them from the Secrets card on the Node Details page; inside the container you read them with the regular environment APIs.

This step adapts the MQTT client app from the previous step so that its broker URL, port, topic, username, and password come from secrets — not hardcoded.

Video walkthrough

Watch this step on YouTube: Using Node Secrets in an Application.

How secrets work on a Barbara node

  1. Encrypted storage. Secrets are stored encrypted on the node — see Secrets for the management UI.
  2. Runtime access. Apps read secrets through the environment of their container, just like any other env var.
  3. Not in the image. Secrets are injected at runtime; nothing sensitive ends up baked into the Docker image you publish.

Compose syntax

No special tag is required in docker-compose.yaml. Every secret defined on the node is automatically available to every container as an env var with the same name. Your app code just calls os.getenv("MY_SECRET") (or the equivalent in your language).

Practice — drive the MQTT client with secrets

Picking up from the previous step, we will move the connection parameters into the Secrets card.

1. Define the secrets

On the Node Details page, open the Secrets card and add:

BROKER=mqttbbr
PORT=8883
TOPIC=test/topic
USERNAME=bbruser
PASSWORD=bbrpassword

2. Read the secrets in code

Update test.py to pull the values from the environment (with sensible defaults):

import os

# MQTT broker configuration (env-driven; defaults match the Marketplace MQTT Broker)
BROKER   = os.getenv("BROKER", "mqttbbr")
PORT     = int(os.getenv("PORT", 8883))
TOPIC    = os.getenv("TOPIC", "test/topic")
USERNAME = os.getenv("USERNAME", "bbruser")
PASSWORD = os.getenv("PASSWORD", "bbrpassword")

3. Push a new version

Zip the source, upload it to the App Library as a new version of the mqtt_client app, and deploy it via the workload card's Update Version action.

4. Verify

Enable logs on the workload card. You should still see:

✅ Connected to MQTT broker!

…even though the credentials no longer live in the source code.

Summary

Barbara's Global Secrets give you a clean separation between app code (your repo) and node-specific configuration (Panel). The compose file does not change; your app reads the values from environment variables that Barbara injects at runtime. For sensitive material scoped to a single Marketplace workload, see App Environment Secrets instead.