Skip to content


Secrets with OpenFaaS Cloud

There are two ways to bind to OpenFaaS secrets with OpenFaaS Cloud which apply when self-hosted.

Encrypt a secret for use in your git repository

You can encrypt or seal secrets so that they can be committed to your git repository. Each secret can be sealed using the public key of the cluster which you can get from your administrator.

OpenFaaS Cloud uses SealedSecrets by Bitnami for encrypting or sealing your confidential information.


  • If you installed OpenFaaS Cloud using ofc-bootstrap then SealedSecrets will already be installed and available

  • If you installed OpenFaaS Cloud manually, you can add it with the development guide

  • Follow the instructions to install the dependency kubeseal

  • Export the public key of your cluster

  • If you are using the Community Cluster, then use this link: pub-cert.pem.


  • Create a new git repository under your account username
  • Create a new function i.e. faas new --lang go has-secret --prefix=username
  • Copy pub-cert.pem into the root of the repository
  • Run faas-cli cloud seal, this will create secrets.yml.

For information on the flags available see the faas-cli docs

When sealing secrets we specify a unique --name for the set of secrets, this should always be prefixed with your username or organisation name, using only lower case characters. Then enter a number of --literal and/or --from-file flags which correspond to each secret in the set.

So if we wanted to seal a single secret called api-key with a value of test1234 we could run:

faas-cli cloud seal --name username-my-secrets \
  --literal api-key=test1234

Your function will access the secret via:

  • /var/openfaas/secrets/api-key

If you have more than one secret you can enter additional --literal flags:

faas-cli cloud seal --name username-my-secrets \
  --literal api-key=test1234 \

Your function will access the secret via:

  • /var/openfaas/secrets/api-key
  • /var/openfaas/secrets/hostname

You can also read in an entire file:

faas-cli cloud seal --name username-my-secrets \

Your function will access the secret via:

  • /var/openfaas/secrets/private-key.pem

  • Edit stack.yml

Add the secret to the secrets: section of your YAML, use the value from --name, but remove the username prefix.

  name: openfaas

    lang: go
    handler: ./has-secret
    image: alexellis/has-secret
      - my-secrets

  • Now run git push

Check the git commit status in the repo, or view your overview page at:

faas-cli cloud seal reference

Flag Description
--name The name of the secret object prefixed with your GitHub username
--cert pub-cert.pem from the Community Cluster, or your local cluster
--literal Secret key and value pair. You can specify this parameter more than once to add more secrets
--from-file Read secret from file. Note secret key name will be the filename
Example from reference repository:

We'll encrypt an incoming webhook URL for Slack, which should be considered as confidential information.

Let's write the example function:

def handle(req):
    webhook_url = None
    with open("/var/openfaas/secrets/incoming-webhook-url") as webhook_url_text:
        webhook_url =

    respond_to_user(req, webhook_url)

We see that the secret is read as per any other OpenFaaS secret, from the mounted location on disk at: /var/openfaas/secrets/.

Now let's look at how we seal the secret:

# Seal secrets for owner alexellis named `fn-secrets`

faas-cli cloud seal --name alexellis-fn-secrets \
  --literal incoming-webhook-url=https://...

Here's the file generated by the command above:

kind: SealedSecret
  creationTimestamp: null
  name: alexellis-fn-secrets
  namespace: openfaas-fn
    incoming-webhook-url: (redacted)

And finally, we now need to reference the name of our secret in stack.yml. Notice that the key and the secret name do not have to match, this is because we can have multiple secret key/values within a single secret.

  name: openfaas

    lang: python
    handler: ./slack-me
    image: alexellis/slack-me
      - fn-secrets


The steps above must be followed precisely and if you have mis-read any of the details this may result in the secret not being accessible.


  • When using faas-cli cloud seal your secret set name needs to be prefixed with your username i.e. alexellis-my-secret
  • In stack.yml your secrets should have no prefix, this is added later automatically
  • The key from --literal or --from-file will be mounted under /var/openfaas/secrets/ and can be read from there
  • You must commit secrets.yaml into the root of your repository and do a git push

If in doubt check your results against this reference repository.

You can create secrets manually via faas-cli secret create or by using kubectl. These secrets will be available to users if the prefix of the secret matches the owner of the code being deployed, i.e.

If you are using an organization or repo named myorg and want a secret named api-key you could run:

$ faas-cli secret create myorg-api-key

In your stack.yml file in the secrets section, you could then reference the api-key secret.

This method relies on you having administrative access or making a request to your administrator.