Skip to main content
An environment group is a set of environment variables and secrets that can be shared across multiple applications. Environment groups are project-wide — they can be used across all clusters and cloud accounts within your project. For example, if all of your web services need a shared set of API keys and database credentials, you can create an environment group containing those values and sync it to each service.
Environment variables configured directly on an application always take precedence over values from an environment group. This override applies on a per-variable basis — if an app sets API_KEY=xyz and a synced environment group has API_KEY=abc, the app-level value (xyz) is used.

How Secrets Are Stored

Environment group secrets are automatically synced to the secret manager of every cloud account linked to your project that has a running cluster:
  • AWS — AWS Secrets Manager
  • GCP — GCP Secret Manager
  • Azure — Azure Key Vault
No secret data is stored on Porter’s infrastructure. Secrets only exist in memory on Porter’s servers momentarily during creation and updates. If you already manage your secrets in a third-party secret manager, you can sync them into Porter as a read-only environment group instead. See the Doppler and Infisical integrations.

Creating an Environment Group

You can create a new environment group from the Env Groups tab on the Porter dashboard. Click New Env Group, enter a name, and add your variables and secrets. Environment group names must be up to 63 characters and may only contain lowercase letters, numbers, and hyphens (-). You can also create environment groups from the CLI: 
porter env create

Variables and Secrets

Environment groups support two types of values:
TypeDescriptionVisibility
VariablesNon-sensitive configuration values (max 25 KB per value)Visible in the dashboard and CLI after creation
SecretsSensitive values such as API keys, passwords, and tokens (max 25 KB per value)Hidden after creation; stored in your cloud provider’s secret manager
When creating or updating an environment group, use the lock icon in the dashboard (or the -s flag in the CLI) to mark a value as a secret.

Files

Environment groups can also contain files for sensitive data such as certificates or configuration files. Files are managed through the Porter dashboard and are injected into your application’s container at the path: 
/etc/secrets/<env-group-name>

Syncing Environment Groups to Applications

Environment groups can be synced to applications so that when the group is updated, all synced applications are automatically redeployed with the new values.

From the Dashboard

You can sync an environment group to an application during app creation or by navigating to the application’s Env Groups tab and adding the group. Click Update app to apply.

From porter.yaml

Add the envGroups field to your porter.yaml: 
version: v2
name: my-app

envGroups:
  - production-secrets
  - shared-config

services:
  - name: web
    type: web
    run: npm start
    port: 3000
    cpuCores: 0.5
    ramMegabytes: 512
Environment groups listed in envGroups must already exist in the project before deploying.

Updating an Environment Group

When you update an environment group, all applications synced to it are automatically redeployed with the new values.

From the Dashboard

Navigate to the Env Groups tab, click the environment group you want to update, make your changes, and click Update.

From the CLI

Use porter env set to add or update variables, and porter env unset to remove them: 
porter env set --group production-secrets -v LOG_LEVEL=debug -v FEATURE_FLAG=true

Version History

Every update to an environment group creates a new version. You can view the full history of an environment group — including who made each change and when — from the Versions tab on the environment group’s page.

Reverting to a Previous Version

If a change introduces a bad value or you need to roll back to a known-good configuration, you can revert an environment group to any previous version from the Versions tab.
  1. Open the environment group from the Env Groups tab.
  2. Switch to the Versions tab.
  3. Find the version you want to restore and click Revert to v<n>.
  4. Review the diff between the current version and the target version, then confirm.
Reverting does not rewrite history — it creates a new version containing the values from the version you selected. The previous versions remain in the history, so you can roll forward again if needed.
All applications synced to the environment group are automatically redeployed with the reverted values, just like a normal update.

Pulling Environment Variables Locally

You can pull the contents of an environment group to your local machine for development: 
porter env pull --group production-secrets
The --variables (-v) and --secrets (-s) flags are mutually exclusive. If neither is specified, both variables and secrets are included in the output.

Listing Environment Groups

To see all environment groups in your project: 
porter env list
This displays a table with each group’s name, current version, and last updated time.

Deleting an Environment Group

Environment groups can be deleted from the Settings tab on the environment group’s page in the dashboard.
You cannot delete an environment group that is synced to an application. Unsync the environment group from all applications before deleting it.

CLI Reference

For the full list of flags and options, see the porter env CLI reference.