Don't sync shared variables?

a month ago

Is there a way to not have the sync feature try to update shared variables? I'm scared I'm going to forget to dismiss them one of these times and pull prod keys into dev or vice-versa.

$10 Bounty

10 Replies

a month ago

The docs say:

Sealed variables are a security-first feature and with that come some constraints:

[...]

  • Sealed variables are not copied over when creating PR environments.
  • Sealed variables are not copied when duplicating an environment.
  • Sealed variables are not copied when duplicating a service.
  • Sealed variables are not shown as part of the diff when syncing environment changes.

But this does not indicate what the actual behaviour is. Do they still get copied when syncing?


a month ago

(FWIW my variables are currently unsealed)


a month ago

(I'm just exploring it as a potential solution to this, but like I say - is a bit unclear)


24 days ago

I'm still looking for clarity on this if anyone can help. ☺️


24 days ago

This would have to be a feedback post on station.railway.com.

It's not behavior we could just change from a one-off request.


24 days ago

I am not requesting a change, I'm asking for clarification on how this actually works. Specifically:

Sealed variables are not shown as part of the diff when syncing environment changes.

Are they simply not shown, or just not synced (as is the case for PR environments)?


Railway
BOT

24 days ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway 24 days ago


24 days ago

If they are, is there any other mechanism I can use for environment-specific variables/secrets to ensure I can never screw up and sync them to where they shouldn't be?


nisarg-202
PRO

23 days ago

Sealed variables are excluded from the sync diff display, but the docs don't explicitly say they're excluded from syncing itself — so they probably still sync silently.

Safest option: don't use shared variables for sensitive keys at all. Set them directly per environment so they're never part of the sync flow.


zvi
PRO

14 days ago

+1 from me too, I'm looking to do this as well. It would be great if the syncing feature would allow us to add to a "deny list" specific changes (with an option to remove from that list too). This way we can say a specific env var shouldn't sync, deploy setting, or a full service.


lleywyn
PRO
Top 5% Contributor

13 days ago

the docs are genuinely fuzzy here. "sealed variables aren't shown in the sync diff" only means they're hidden from the diff view, it does not clearly mean they're excluded from syncing, so don't trust sealing alone to keep prod creds out of dev. the safe pattern: don't put environment-specific secrets as shared/synced vars at all, set them directly per environment so they're never in the sync path in the first place. that fully sidesteps it. there's an open feature request for a proper "deny list" to block specific vars from syncing, but until that's real, per-env vars is the move.

