Transformation Credentials

Securely store configuration data like user secrets and API keys and reuse them in transformations.
Available Plans
  • starter
  • growth
  • enterprise

The credential store is a central repository in the RudderStack dashboard for securely storing and efficiently managing your configuration data.

success
By storing secrets and variables in RudderStack’s credential store, you can avoid hardcoding sensitive information in your transformations and avoid any security risks.

Credentials overview

RudderStack supports two types of credentials - Secrets and Variables.

Credential
Description
Examples
SecretLets you store sensitive information as encrypted text values and use them as environment variables in your transformations.

Note that you cannot see the secrets in the dashboard after setting them.
Passwords, app secrets, API tokens.
VariableLets you store non-sensitive configuration data as non-encrypted strings.Application configuration, paths.

Access credential store

Go to Settings > Workspace > Credentials to access the credential store and create your secrets and variables.

info

Note that:

RudderStack credential store

Create secrets

  1. Go to the Secrets tab of the credential store.
  2. Click New secret.
  3. Enter the secret name and value.
warning
Secret names can contain only alphanumeric characters and underscores and they cannot start with a number.
  1. Click Add to save the secret.
Create secret in credential store

To edit a secret, click the edit icon, enter the new secret value, and click Save. Note that the previous secret value will not be visible.

Edit secret in credential store

Create variables

  1. Go to the Variables tab of the credential store.
  2. Click New variable.
  3. Enter the variable name and value.
warning
Variable names must contain only alphanumeric characters and underscores and they cannot start with a number.
  1. Click Add to save the variable.
Create secret in credential store

To edit a variable, click the edit icon, enter the new value, and click Save.

Use credentials in transformations

Once you create the credentials in the credential store, you can easily reuse them by referencing them within the getCredential() function in your transformations.

Note the following while using credentials in transformations:

  • Any workspace member can use the credentials in their transformations.
  • You cannot use credentials in transformation libraries.
  • getCredential is a restricted keyword in transformations. You must not use it for naming functions or variables.
  • RudderStack drops the event in case of any error while using the getCredential function in a transformation that is connected to a destination.
warning

Do not log or embed secrets in the event payload from the transformation.

All workspace users (including read-only users) have access to the transformation logs and live events and can get access to these secrets if you do not handle them properly in the transformation.

Examples

The following example shows a custom transformation that:

  • Fetches a variable named dev_url from the credential store,
  • Assigns its value to the event’s url field, and
  • Returns the event.

The following example highlights the usage of credentials within a fetchV2 function:

export async function transformEvent(event, metadata) {
  const url = getCredential('URL'); // Variable named URL
  const id = getCredential('ID'); // Credential named ID
  const authToken = getCredential('authToken'); // Secret named authToken
  const response = await fetchV2(`${url}/${id}`, {
    headers: {
      Authorization: "Bearer " + authToken
    }
  });
  event.value = response.body
  return event;
}

Considerations for using getCredential function

Note the following scenarios and the expected behavior when using the getCredential function:

ScenarioBehavior (JavaScript)Behavior (Python)
getCredential function called without a keyYou will get the following error:

TypeError: Key should be valid and defined
You will get the following error:

TypeError('Key should be valid and defined')
getCredential function called with multiple argumentsCredential function takes the first argument as the key.Credential function takes the first argument as the key.
getCredential function called with a non-string key (for example, integers, Boolean)No credential value is passed and the event remains unchanged.Credential value is passed as null.
getCredential function called with a non-existent keyCredential value is undefined and is not passed.Credential value is passed as null.

Questions? Contact us by email or on Slack