How To
ForgeRock Identity Cloud

How do I reference an environment-specific secret or non-secret value from a script in the Identity Cloud?

Last updated Sep 22, 2021

The purpose of this article is to provide assistance if you want to reference secrets or non-secret values (such as a third-party URL) from a script, where the values vary depending on the environment being used. For example, you want to use the Scripted Decision node to consume an API key in a script that is used to call a third-party API, and you use different keys in your Development, Staging and Production environments.

3 readers recommend this article


You can add a variable to a script that references a secret or non-secret value in your Development environment. This variable then allows different values to be used in your other environments.

Script requirements

You must observe the following requirements when you create your script:

  • The variable declaration must be on a separate line, but this can be anywhere in your script.
  • The entire variable declaration, including the secret or value, must be a single-line string. If the secret or value is currently a multi-lined string, you must resolve it to a single line before including it in your script.
  • Inline comments must not be included in the variable declaration. Add any comments on the line above or below the variable declaration.
  • The variable name must be unique and cannot be reused elsewhere in the script. The same variable name can be used in other scripts, but you will need to tell us about each script it is used in.

Referencing an environment-specific secret or value from a script

You can reference an environment-specific secret or value in your scripts as follows:

  1. Update your script in the Development environment to declare the variable and required value. For example, include a declaration as follows:var mySecret = "abcd1234";
  2. Raise a Configuration Promotion ticket with the following details:
    • The name of the variable.
    • The name of the script the variable is being used in.
    • The name of the realm where the script is located.
    • The value for this variable in each environment. You can provide encrypted values if required; the ForgeRock support engineer can provide instructions for doing this in the ticket if requested.

For example:

var name: mySecret Script name: myScript Realm: alpha Value in Development: abcd1234 Value in Staging: 4321dcba Value in Production: efghij567890!

ForgeRock will then securely register these secrets or values in each environment, and the script will be auto-updated with the environment-specific values when we promote your configuration changes.


Please note the following:

  • You will still see the actual secret or decrypted value in the script if you look in the Admin UI, but this will not be exposed within the node. Operationally, this is replaced with a pointer to the secret value that is parsed when the script needs to be run or edited in the UI, etc.
  • You must tell us if the value changes in any of your environments, so we can update the stored values accordingly. 

See Also

Promote Configuration

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.