Transformation Credentials

Securely store configuration data like user secrets and API keys and reuse them in transformations.

3 minute read

The credential store is a central repository in the RudderStack dashboard for securely storing and efficiently managing your configuration data.

RudderStack supports two types of credentials - Secrets and Variables.

Credential	Description	Examples
Secret	Lets you store sensitive information as encrypted text values and use them as environment variables in your transformations. Note that: You cannot see the secrets in the dashboard after setting them. RudderStack recommends storing sensitive data as secrets to prevent data leaks.	Passwords, app secrets, API tokens.
Variable	Lets you store non-sensitive configuration data as non-encrypted strings.	Application configuration, paths.

By storing secrets and variables in RudderStack’s credential store, you can avoid hardcoding sensitive information in your transformations and avoid any security risks.

Access credential store

Go to Settings > Workspace > Credentials to access the credential store and create your secrets and variables.

You must have Admin privileges to create, edit, and delete secrets and variables.

Create secrets

Go to the Secrets tab of the credential store.
Click New secret.
Enter the secret name and value.

Secret names can contain only alphanumeric characters and underscores and they cannot start with a number.

Click Add to save the secret.

To edit a secret, click the edit icon, enter the new secret value, and click Save. Note that the previous secret value will not be visible.

Create variables

Go to the Variables tab of the credential store.
Click New variable.
Enter the variable name and value.

Variable names must contain only alphanumeric characters and underscores and they cannot start with a number.

Click Add to save the variable.

To edit a variable, click the edit icon, enter the new value, and click Save.

Use credentials in transformations

Once you create the credentials in the credential store, you can easily reuse them by referencing them within the getCredential() function in your transformations.

Note the following while using credentials in transformations:
Any workspace member can use the credentials in their transformations.
You cannot use credentials in transformation libraries.
getCredential is a restricted keyword in transformations and you must not use it for naming functions or variables.
RudderStack drops the event in case of any error while using the getCredential function in a transformation that is connected to a destination.

The following example shows a custom transformation that:

Fetches a variable named dev_url from the credential store,
Assigns its value to the event’s url field, and
Returns the event.

export function transformEvent(event, metadata) {
  try {
    event.context.url = getCredential('dev_url');
  } catch (error) {
    log(error)
  }
  return event;
}

def transformEvent(event, metadata):
    try:
	    event['context']['url'] = getCredential('dev_url');
    except Exception as e:
        log(e)
    return event

The following example highlights the usage of credentials within a fetchV2 function:

export async function transformEvent(event, metadata) {
  const url = getCredential('URL'); // Variable named URL
  const id = getCredential('ID'); // Credential named ID
  const authToken = getCredential('authToken'); // Secret named authToken
  const response = await fetchV2(`${url}/${id}`, {
    headers: {
      Authorization: "Bearer " + authToken
    }
  });
  event.value = response.body
  return event;
}

Considerations for using `getCredential` function

Note the following scenarios and the expected behavior when using the getCredential function:

Scenario	Behavior (JavaScript)	Behavior (Python)
`getCredential` function called without a key	You will get the following error: `TypeError: Key should be valid and defined`	You will get the following error: `TypeError('Key should be valid and defined')`
`getCredential` function called with multiple arguments	Credential function takes the first argument as the key.	Credential function takes the first argument as the key.
`getCredential` function called with a non-string key (for example, integers, Boolean)	No credential value is passed and the event remains unchanged.	Credential value is passed as `null`.
`getCredential` function called with a non-existent key	Credential value is undefined and is not passed.	Credential value is passed as `null`.

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Questions? Contact us by email or on Slack