Configuration Injection
Variables set in the dashboard or CLI get encrypted, stored, and injected into your containers at deploy time. No .env files on disk.
How variables flow
From storage to your running container, four steps. All automatic.
envFrom. No mounted files, no sidecars.
Variable scopes
Variables cascade. More specific scopes override broader ones. Set DATABASE_URL at the workspace level,
then override it per environment for staging vs production.
| Scope | Applies to | CLI flag |
|---|---|---|
| workspace | All projects in the workspace | --scope workspace |
| project | All environments in a project | --scope project |
| env | One environment (staging, production) | --scope env |
| service | One service (default) | --scope service |
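The cascade above, as an added example (not Ancla's own code): it computes the effective variables for one service and records which scope supplied each value, so you can spot a production service still inheriting a workspace-wide default. The precedence order is assumed from the table order (service most specific); the function names and sample values are constructed for illustration.

```python
# Precedence, broadest first. Assumption: this follows the order of the scopes table.
PRECEDENCE = ("workspace", "project", "env", "service")


def resolve(layers):
    """Merge per-scope variables into the effective set for one service.

    layers maps scope name -> {variable: value}.
    Returns (effective, shadowed):
      effective: {variable: (value, winning_scope)}
      shadowed:  [(variable, overridden_scope, overriding_scope)]
    """
    unknown = set(layers) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    effective, shadowed = {}, []
    for scope in PRECEDENCE:  # broad scopes first, so narrower ones overwrite
        for name, value in layers.get(scope, {}).items():
            if name in effective:
                shadowed.append((name, effective[name][1], scope))
            effective[name] = (value, scope)
    return effective, shadowed


def inherited_from(effective, scope):
    """Names whose effective value still comes from the given (broad) scope."""
    return sorted(n for n, (_, src) in effective.items() if src == scope)


# Constructed sample data: hostnames and values are placeholders.
WORKSPACE = {"DATABASE_URL": "postgres://shared.example/app", "LOG_LEVEL": "info"}
STAGING = {
    "workspace": WORKSPACE,
    "env": {"DATABASE_URL": "postgres://staging.example/app"},
    "service": {"LOG_LEVEL": "debug"},
}
PRODUCTION = {"workspace": WORKSPACE, "service": {"LOG_LEVEL": "warn"}}

if __name__ == "__main__":
    for label, layers in (("staging", STAGING), ("production", PRODUCTION)):
        effective, shadowed = resolve(layers)
        print(label, {k: src for k, (_, src) in effective.items()})
        print("  overridden:", shadowed)
        print("  still from workspace:", inherited_from(effective, "workspace"))
```

In the sample data, production has no env-level DATABASE_URL, so the audit reports it as still coming from the workspace scope.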
Variable types
Runtime
Injected into running containers as environment variables. The standard way to configure your app.
Build-time
Available during image builds as ARG (Dockerfile) or --env (Buildpack). Not present at runtime.
Secret
Values stored in Vault. Masked in the UI and API. Resolved only at deploy time by the control plane.
Config-only deploys
Changed a variable? Redeploy without rebuilding the image. The existing image rolls out with the new config.
For bulk changes, import a .env file:
Or use the deploy dropdown in the UI and select Config-only deploy.
Security
Secret variables are encrypted at rest in HashiCorp Vault. They're resolved at deploy time by the Ancla control plane and injected into a versioned Kubernetes Secret.
Secret values are never exposed in build logs, deploy logs, or the API. The dashboard masks them. Even the CLI only shows the last four characters.