where the env vars of deployments deployed through Deploy REST API are stored?

Hey there folks, have a question. Using Deploy REST API, we can create brand new project (& deployments) and pass it environment variables, then on every request the isolate has access to them. Now, the question is, since they are persisted, where these variables are visible and where they are stored? Cuz i don't see them anywhere in my account/project/deployment info, which is good for my use case. How are they protected? Who can see them? Can we prove that no one has access to them, except the isolated sandbox?
const dr = await fetch(`${API}/projects/${project.id}/deployments`, {
method: 'POST',
headers,
body: JSON.stringify({
entryPointUrl: 'main.ts',
assets: {
'main.ts': {
kind: 'file',
content: `console.log('env var SOME_SHARE:', Deno.env.get('SOME_SHARE'));`
}
},
envVars: {
SOME_SHARE: 'some value',
},
permissions: {
net: [], // all network requests are denied (except npm/jsr), almost complete isolation
},
}),
});
const dr = await fetch(`${API}/projects/${project.id}/deployments`, {
method: 'POST',
headers,
body: JSON.stringify({
entryPointUrl: 'main.ts',
assets: {
'main.ts': {
kind: 'file',
content: `console.log('env var SOME_SHARE:', Deno.env.get('SOME_SHARE'));`
}
},
envVars: {
SOME_SHARE: 'some value',
},
permissions: {
net: [], // all network requests are denied (except npm/jsr), almost complete isolation
},
}),
});
Who can see and access the 'some value', except the deployment sandbox? Where and how it is stored? I assume it would be in some logs on Deploy infra, right? Probably not only, but on Deploy infra database somewhere too? Is there policy about that which i can read?
1 Reply
WGW ☂ calldata.space
By the same logic, how are the secrets that you put on through the project settings UI protected and how are they not exploited?

Did you find this page helpful?