Fbhchile

2026-05-04 22:02:28

Grafana Cloud k6 Launches Centralized Secrets Management to Eliminate Credential Sprawl in Performance Testing

Grafana Cloud k6 launches centralized secrets management to securely store and inject API keys, tokens, and credentials into load tests, reducing credential sprawl and security risks.

Breaking: Grafana Cloud k6 Introduces Centralized Secrets Management

Grafana Cloud k6, the fully managed performance testing platform powered by k6 OSS, today announced a new secrets management feature that allows developers to securely store and inject sensitive values—such as API keys, tokens, and credentials—directly into load tests at runtime.


This move eliminates the need to hardcode secrets into test scripts or pass them around manually, addressing a growing security risk as testing suites scale and sensitive data sprawls across scripts, configurations, and environments.

“Secrets management is a critical missing piece for teams running performance tests against real systems,” said Alex Chen, Product Manager for Grafana Cloud k6. “With this release, we’re giving developers a secure, central place to manage credentials, reducing exposure risks and simplifying test maintenance.”

How It Works

Secrets are stored centrally in Grafana Cloud and injected into k6 tests at runtime using a dedicated module, k6/secrets. This keeps scripts clean, prevents accidental leaks in version control, and makes it easier to reuse the same test across different environments.

To use a secret in a test, developers import the module and call secrets.get('secret-name'). The secret value is then available for API calls, authentication headers, or any other part of the test logic.

Background: The Problem of Secrets Sprawl

Performance tests often require API keys, tokens, or credentials to simulate real user behavior against live systems. As testing suites grow, these sensitive values get scattered across scripts, configuration files, and environment variables, increasing the risk of exposure through version control, screenshots, or shared dashboards.

Traditional workarounds—like hardcoding secrets or using external vaults—add complexity and maintenance overhead. Grafana Cloud k6’s secrets management offers a built-in solution that integrates directly with the platform, eliminating the need for additional tooling.

What This Means for Developers

This feature streamlines test development and enhances security. Developers no longer need to worry about accidentally committing credentials to Git or sharing screenshots that reveal sensitive data. Instead, secrets are write-only after creation—never displayed in the UI—preventing casual exposure.

Teams can also rotate credentials easily by overwriting existing secrets via the UI, without modifying test scripts. This makes it simpler to maintain tests across staging, production, and other environments, while enforcing least-privilege access.

How to Get Started with Secrets Management

Secrets can be created and managed directly from the Grafana Cloud web interface. Navigate to Testing & synthetics > Performance > Settings and open the Secrets tab from the menu.

From this interface, you can perform all lifecycle operations:

  • Create secrets by providing a name, description, and value. The name is how the secret will be referenced in tests, and the value is the sensitive data itself. Labels help with organization.
  • Edit secrets to modify their descriptions, labels, or values. Editing does not reveal the current value; you simply provide a new value that replaces the previous one.
  • Delete secrets that are no longer needed.

Secret values are write-only in the UI. After initial creation, they cannot be read back or displayed, aligning with common security best practices.

Using Secrets in Your Tests

Once secrets are defined, using them in tests is straightforward. Grafana Cloud k6 provides the k6/secrets module, which allows retrieving secret values at runtime.

Example usage in a test script:

import { check } from 'k6'; // check is a named export of the k6 module
import http from 'k6/http';
import secrets from 'k6/secrets';

export default async function main() {
  // Resolved at runtime from the central store; the value never appears in the script.
  const apiToken = await secrets.get('api-token');
  const headers = {
    Authorization: `Bearer ${apiToken}`,
  };
  const res = http.get('https://api.example.com/endpoint', { headers });
  check(res, { 'status is 200': (r) => r.status === 200 });
}
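To find scripts that still carry the hardcoded credentials this feature is meant to replace, a repository check can flag literal tokens and confirm whether a script imports k6/secrets. The following is an added example, not code from Grafana or from the original article; the rule ids, patterns, function name and both sample scripts are constructed assumptions.

```javascript
// Added example: static check for credentials hardcoded in k6 test scripts.
// Rule ids and patterns are illustrative assumptions, not a Grafana tool.
const RULES = [
  // Authorization value written as a literal rather than interpolated (${...})
  { id: 'literal-bearer', re: /Bearer\s+(?!\$\{)[A-Za-z0-9._~+\/-]{8,}/ },
  // key/token/secret/password name assigned a quoted literal of 8+ characters
  { id: 'literal-assignment',
    re: /\b\w*(?:api[_-]?key|token|secret|password)\w*['"]?\s*[:=]\s*(['"`])(?!\$\{)[^'"`]{8,}\1/i },
  // userinfo embedded in a URL: scheme://user:password@host
  { id: 'url-userinfo', re: /https?:\/\/[^\/\s:@'"`]+:[^\/\s@'"`]+@/ },
];

function scanK6Script(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { id, re } of RULES) {
      if (!re.test(text)) continue;
      // Redact the match so the report itself does not leak the value.
      findings.push({ line: i + 1, rule: id, excerpt: text.replace(re, '[REDACTED]').trim() });
    }
  });
  return { usesSecretsModule: /from\s+['"]k6\/secrets['"]/.test(source), findings };
}

// Constructed sample: a script with three hardcoded credentials.
const HARDCODED_SAMPLE = [
  "import http from 'k6/http';",
  "const API_KEY = 'CONSTRUCTED-KEY-0000';",
  "export default function () {",
  "  const headers = { Authorization: 'Bearer CONSTRUCTED.TOKEN.0000' };",
  "  http.get('https://loaduser:CONSTRUCTED-PW@api.example.com/endpoint', { headers });",
  "}",
].join('\n');

// Constructed sample: the same request using k6/secrets as the article describes.
const SECRETS_SAMPLE = [
  "import http from 'k6/http';",
  "import secrets from 'k6/secrets';",
  "export default async function () {",
  "  const apiToken = await secrets.get('api-token');",
  "  http.get('https://api.example.com/endpoint', { headers: { Authorization: `Bearer ${apiToken}` } });",
  "}",
].join('\n');

console.log(JSON.stringify(scanK6Script(HARDCODED_SAMPLE), null, 2));
console.log(JSON.stringify(scanK6Script(SECRETS_SAMPLE), null, 2));
```

Pattern checks like these miss credentials under unusual names or split across lines, so a clean result is a signal to review, not proof that a script is free of secrets.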

For full documentation, visit the Grafana Cloud k6 secrets management guide.