Secret management with the CLI


In some cases, you might not want to provide a plain text string for configuration options. For example, is a good practice to not include API tokens or other kind of sensitive information on code-versioning repositories when using Monitors as Code.

Using the Monte Carlo CLI you create and manage account specific secrets. These secrets can then be referenced in specific parts of the product instead of using plain text strings.



Create a secret using the secrets create command:

montecarlo secrets create --name my_new_secret --scope <a secret scope> 
  • name: provides a name to identify the secret. Can only include a-z, A-Z, 0-9, _, or - characters, and be up to 64 characters in length.
  • scope: provides a context of use for the secret. Secrets scoped to notifications will only be usable in the context of notification settings, while those in global will be available in all contexts. When a configuration option accepts a secret reference, it will declare the supported scopes (in addition to global).
  • description: (Optional) a description for your secret.
  • expires-at: (Optional) a date when the secret should no longer be returned and becomes unavailable for use.

You will be prompted for the secret value. The secret value will never be displayed except when using the secrets get command described below while having the appropriate permissions.

There can be other supported options when creating a secret, please use the --help option on the secrets create command for additional options.


Get a secret details using the secret get command:

montecarlo secrets get --name my_new_secret [--reveal]
  • name: the secret name
  • reveal: if provided, only the secret value will be returned.

The secret value can only be read by Account Owners, or by the user that crated the secret.

Other commands

Use montecarlo secrets --help to list other commands to manage secrets.

Referencing secrets

At the moment, only a specific set of configuration options allow to reference secrets. The documentation for those options will indicate if a secret reference is accepted.

To reference a secret, use {secret:<secret name} for the configuration option value.

The list below provides a non-comprehensive list of some of the currently supported options:

OptionScopes (in addition to global)Where can it be used
PagerDuty routing_keynotificationsNotifications as Code
Opsgenie api_keynotificationsNotifications as Code
Webhook secretnotificationsNotifications as Code