How to Use a Context for Production Deploy Secrets in CircleCI
A context is an org-level secret bundle; attaching it to a workflow job injects those env vars only into that job, keeping prod keys off the project.
Create a context in organization settings, add the deploy credentials, then attach the context to the deploy job in the workflow.
Steps
- Create a context (Organization Settings to Contexts).
- Add the deploy env vars to that context.
- Attach it with
context:on the workflow job. - Restrict the context to a security group for prod.
Config
.circleci/config.yml
version: 2.1
jobs:
deploy:
docker:
- image: cimg/base:2024.03
steps:
- checkout
- run: ./deploy.sh # reads $PROD_API_TOKEN from the context
workflows:
ship:
jobs:
- deploy:
context:
- prod-deploy
filters:
branches:
only: mainGotchas
- Context env vars override project env vars of the same name within that job.
- Restrict the context to a security group so only approved users can run jobs that read it.
Related guides
How to Gate a Production Deploy With Approval and a Restricted Context in CircleCIProtect a CircleCI production deploy with both a manual approval job and a context restricted to a security g…
How to Deploy to AWS With OIDC in CircleCIDeploy to AWS from CircleCI without long-lived keys by exchanging the job OIDC token for short-lived credenti…