NerdGraph tutorial: Secrets management service

When you're working with New Relic, you might need to store sensitive information like API keys and application credentials. In New Relic, these are called secrets. The Secrets management service provides a secure way to store and retrieve these secrets in a centralized location through our NerdGraph API.

Important

You can store secrets only in string format.

The key features of the Secrets management service are:

  • Unique keys for secrets: You can prevent accidental exposure of secrets by assigning a unique key to each secret when you store it. Use the key to retrieve and manage the secret.

  • Secrets stored at account or organization level: To access and use a secret across multiple accounts, you can store it at the organization level. If a secret is specific to a single account, you can store it at the account level.

  • Versions of secrets: You can update a secret without losing the previous version. The Secrets management service tracks all versions of a secret.

  • Controlled deletion and recovery of secrets: The service allows recoverable deletion of secrets. Users without the Purge permission can soft-delete secrets. Permanent deletion is restricted to users with the Purge permission.

  • Access control: Admins can define who can access the secrets by setting custom roles and permissions, and specifying the scope of permissions. The scope can range from View to Purge permissions.

Secrets management service billing

The Secrets management service is an Advanced Compute Product feature offered as an add-on or as a part of the Compute pricing model. Advanced CCUs are consumed when NerdGraph queries are executed to store, retrieve, or manage secrets.

Access control

Users with standard roles can access the Secrets management service specific to the accounts they have access to, with the following permissions.

  • Read Only: Users can only retrieve secrets. They can't create, update, or delete secrets.

  • Standard User: Users can create, update, retrieve, and soft-delete secrets.

  • All Product Admin: Users have full access to the Secrets management service. They can create, update, retrieve, soft-delete, permanently delete, and fetch the list of secrets.

  • Billing User: Users can only fetch the list of secrets.

To manage secrets at the account level with a non-standard role, ask your admin to create a custom role with the necessary permissions and assign it to your user group.

To manage secrets at the organization level, ask your admin to create an org-scoped custom role via the NerdGraph API, add the required permissions, and assign it to the user group. Organization Managers have default permissions at the organization level, but to allow them to manage secrets, ask your admin to assign them a custom role specific to the Secrets management service.

Important

Set up and configure the users, roles, permissions, and access to the Secrets management service at the account and organization level, in accordance with your organization's policies and requirements.

Prerequisites

To use the Secrets management service, you need:

User type and assigned roles can affect your NerdGraph permissions. For more details, refer to Factors affecting access.

Use the Secrets management service

From the NerdGraph Explorer, use mutations and queries to interact with the Secrets management service.

Here are the common attributes you will use in the mutations and queries:

| Attribute name | Data type | Description |
| --- | --- | --- |
| description | String | A brief description of the secret. |
| key | String | A unique identifier for the secret within a namespace. The same key can exist across different namespaces. |
| namespace | String | Serves as a logical grouping of secrets, organizing and categorizing them to enhance management and prevent conflicts. It pairs with the key to create a unique address for the secret. This attribute is beneficial in environments with multiple teams or projects using New Relic. |
| scope | type: Enum; id: String | The level at which the secret is stored, which determines its accessibility. The defining attributes are type and id. type: To use the secret across multiple accounts, select Organization. If the secret is specific to a single account, select Account. To store a secret at the organization level, you must have the org-scoped custom role with the required permissions. Refer to the Access control section for more details. id: Corresponding account or organization ID. |
| tags | Array | Function as key-value pairs that add metadata to your entities, including applications, services, and hosts. Using tags, you can enhance the ability to organize, filter, and manage secrets. |
| value | String | The actual secret. |
| purge | Boolean | Deletes all versions of the secret. true: Deletes the secret permanently. false: You can recover the deleted secret with all its versions. Only All Product Admins or a user having a custom role with purge permission can delete secrets permanently. For more details, refer to the Access control section. |
| version | String | Because you can store multiple versions of a secret, this attribute represents the version number of the secret. |
| cursor (Optional) | String | When retrieving a list of secrets, if the response contains the nextCursor attribute, it indicates that there are more secrets available beyond the current page of results. To access the next page of results, use the nextCursor value in the cursor attribute and run the query again. |

Important

Copy your actual secret only into the value attribute. Ensure it is not declared in any other attributes, such as description, key, or namespace.
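
A pre-submission check for the rule above, as an added example (not New Relic code): it scans every attribute other than value for the secret, either as typed or as a pasted base64 copy, before any mutation is sent. The flat dictionary layout, the shape of tags, the function names, and all sample values are assumptions made for this illustration; no NerdGraph call is made.

```python
import base64

MIN_SUBSTRING_LEN = 8  # shorter secrets are matched only on exact equality


def _strings(node, path):
    """Yield (path, text) for every string value nested inside node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for name, child in node.items():
            yield from _strings(child, f"{path}.{name}")
    elif isinstance(node, (list, tuple)):
        for index, child in enumerate(node):
            yield from _strings(child, f"{path}[{index}]")


def find_secret_leaks(attrs):
    """Return sorted paths of attributes other than value that hold the secret."""
    secret = attrs.get("value")
    if not isinstance(secret, str) or not secret:
        raise ValueError("value must be a non-empty string")
    # Look for the secret as typed and as a directly pasted base64 copy.
    needles = {secret.casefold(),
               base64.b64encode(secret.encode()).decode().casefold()}
    allow_substring = len(secret) >= MIN_SUBSTRING_LEN
    hits = set()
    for name, node in attrs.items():
        if name == "value":
            continue
        for path, text in _strings(node, name):
            hay = text.casefold()
            if any(hay == n or (allow_substring and n in hay) for n in needles):
                hits.add(path)
    return sorted(hits)


# Constructed sample input: every value below is made up for this example.
SECRET = "nr-demo-0123456789abcdef"
SAMPLE = {
    "key": "checkout-api-token",
    "namespace": "payments",
    "description": "Temp token NR-DEMO-0123456789ABCDEF for checkout",
    "scope": {"type": "Account", "id": "0000000"},
    "tags": [{"key": "team", "value": "payments"},
             {"key": "backup", "value": base64.b64encode(SECRET.encode()).decode()}],
    "value": SECRET,
}

if __name__ == "__main__":
    print(find_secret_leaks(SAMPLE))
```

Run it in the script or CI job that builds the mutation input, and refuse to send the request when the returned list is not empty.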

Operations

The operations you can perform with the Secrets management service are as follows:

Copyright © 2025 New Relic Inc.
