Skip to main content


Defang allows you to configure your application using environment variables. You can set environment variables in your compose.yaml file, or in your Pulumi program. Using Pulumi gives you the advantage of being able to manage your environment variables across different environments using Pulumi stacks.


You can find a sample of how to set environment variables with Pulumi here.

Sensitive Config aka Secrets

The Defang CLI allows you to securely store sensitive information such as API keys, passwords, and other credentials.

You can use sensitive config by specifying them in the environment section of a service in a compose.yaml file without any value, or by specifying an environment key with a null value in your Pulumi code.

image: image1:latest

Use the defang config command of the Defang CLI to manage the values.

Connecting Services

If you have created a service before a secret you can connect it by running the defang compose start command if using the defang compose workflow. If you are using the Pulumi-based workflow you will need to redeploy using Pulumi.


You can find a sample of how to set sensitive config values here.


Here are the different ways sensitive config values are stored depending on the provider you are using: