Save Variables and Secrets
When writing scripts, you may want to reuse variables, or safely pass secrets to scripts. You can do that with Variables. Windmill has user-defined variables and reserved variables.
Secrets are encrypted when stored on Windmill. From a usage standpoint, secrets are kept safe in three different ways:
- Secrets can only be accessed by users with the right permissions, as defined
by their path. In addition, secrets can be explicitly shared with users or
groups. A secret in
u/alice/secretwill only be accessible by
alice, unless explicitly shared.
- Secrets cannot be viewed outside of scripts. Note that a user could still
- Accessing secrets generates
variables.decrypt_secretevent that ends up in the Audit Logs. It means that you can audit who accesses secrets. Additionally you can audit results, logs and script code for every script run.
Reserved variables are automatically set by Windmill. See the
on the Variables page for the list of
reserved variables and what they are used for.
Add a variable or secret
You can define variables from the Variables page. Like all objects in Windmill, variable ownership is defined by the path - see ownership path prefix.
Variables also have a name, generated from the path, and names are used to access variables from scripts.
A variable can be made secret. In this case, the value of it will not be visible outside of a script.
Access a variable from a script
At runtime, all the variables you have access to are set as environment variables. Easiest way to use a variable in your script is to add it via the UI. Click the "+Variable" button in the header row of the editor to open the variable picker and select the one you need.