Mastering Secure Performance Testing: A Step-by-Step Guide to Using Secrets Management in Grafana Cloud k6
Introduction
Performance tests that mimic real user behavior often require API keys, tokens, or credentials to interact with live systems. As your testing suite expands, these sensitive details can quickly become scattered across scripts, configuration files, and environments—increasing the risk of exposure and making tests harder to manage. To solve this, Grafana Cloud k6 now offers built-in secrets management. This feature lets you store confidential data securely in the cloud and inject it into your tests at runtime. No more hardcoding secrets or manually passing them around. Your scripts stay clean, version control remains safe, and you can reuse tests across different environments without compromise.
This guide walks you through everything you need to know: from setting up secrets in the Grafana Cloud UI to using them in your k6 test scripts. Follow along to fortify your performance testing workflow.
What You Need
- A Grafana Cloud account with access to the Testing & synthetics section (specifically the Performance module).
- One or more k6 test scripts (JavaScript files) that rely on sensitive values like API tokens or credentials.
- Basic familiarity with k6 scripting (importing modules, writing HTTP requests).
- An understanding of which data in your tests is confidential and should be treated as a secret.
Step-by-Step Guide
Step 1: Access the Secrets Management Interface
Log in to your Grafana Cloud account. In the left-hand menu, navigate to Testing & synthetics > Performance. Then click on Settings (often a gear icon) and select the Secrets tab from the submenu. You’ll see a clean interface for managing all your secrets.
Step 2: Create a New Secret
Click the Create Secret button. You will need to fill in:
- Name – This is the identifier you’ll use in your test code (e.g.,
api-token). Choose something clear and unique. - Value – The actual sensitive data (e.g.,
sk-xxxx…). This field is only visible when you type it; after saving, the value becomes write-only. - Description (optional) – A short note explaining the secret’s purpose (e.g., “API token for production environment”).
- Labels (optional) – Key-value pairs to organize secrets (e.g.,
env=prod,service=payment).
Once saved, the secret is immediately available for use in your tests. You cannot view the value again through the UI—this prevents accidental leaks via screenshots or screen sharing.
Step 3: Edit an Existing Secret
If you need to rotate credentials or update a secret’s description/labels, locate the secret in the list and click the Edit button (usually a pencil icon). The current value is never displayed. Instead, you provide a new value, which overwrites the old one. You can also change the description and labels. Click Save to apply the changes.
Step 4: Delete a Secret
When a secret is no longer needed (e.g., a decommissioned API key), click the Delete button (trash icon) next to it. Confirm the deletion. The secret is permanently removed, and any tests that reference it will fail at runtime until updated.
Step 5: Use Secrets in Your k6 Test Script
Grafana Cloud k6 provides a dedicated module, k6/secrets, to retrieve secret values at runtime. The method is asynchronous, so you must use async/await or promise handling. Here’s a basic example:
import { check } from 'k6';
import http from 'k6/http';
import secrets from 'k6/secrets';
export default async function main() {
const apiToken = await secrets.get('api-token');
const headers = {
Authorization: `Bearer ${apiToken}`,
};
console.log('Headers: ' + JSON.stringify(headers));
let res = http.get('https://api.example.com/endpoint', { headers });
check(res, { 'status is 200': (r) => r.status === 200 });
}Replace 'api-token' with the name you gave your secret in the UI. The secrets.get() function returns the value as a string. You can then use it in your HTTP headers, request bodies, or any other part of the script.
Important: Because the call is asynchronous, make sure your default function is marked async and you await the result. If you need the secret in an init context (outside the default function), you may need to restructure your code; currently, secrets.get() is only supported inside the VU code (default function or lifecycle hooks that allow async).
Step 6: Run Your Test with Secrets
Execute your k6 test as usual from the Grafana Cloud interface (via the Performance dashboard) or by triggering a test run through the API. The secrets module automatically resolves the values at runtime from your Grafana Cloud account. There’s no need to pass environment variables or store files. Your test will use the exact values you defined.
Tips for Effective Secrets Management
- Rotate credentials regularly. Use the edit feature to update secrets without changing your test scripts. Schedule rotations alongside your security policies.
- Use descriptive labels. Group secrets by environment, service, or team. This makes maintenance easier when you have many secrets.
- Never share secret values via screenshots or logs. The write-only UI helps, but be mindful when debugging—avoid printing secret values to console in production tests.
- Leverage environment-specific secrets. Create different secrets for development, staging, and production (e.g.,
api-token-dev,api-token-prod). Reference the correct one in each test script or use conditional logic. - Test secret resolution locally. If you run k6 locally with the OSS version, the
k6/secretsmodule is not available. Use environment variables during local development, then switch to the cloud module for production test runs. - Monitor test failures. If a secret is deleted or renamed, tests will fail with an error from
secrets.get(). Set up alerts in Grafana Cloud to catch such issues quickly.
Conclusion
Secrets management in Grafana Cloud k6 is a straightforward way to secure sensitive data in your performance tests. By centralizing secrets, keeping them write-only, and injecting them at runtime, you eliminate the risks of hardcoded credentials and reduce maintenance overhead. Follow the steps above to implement a robust, secure testing pipeline. For more details, check the official Grafana Cloud k6 documentation.