Provide secrets using environment variables

Is there a way to provide secrets using environment variables instead of entries in a secrets.toml file? (Something similar to Working with configuration options - Streamlit Docs)


Great question—thanks for bringing this up! :tada: In Streamlit, secrets are typically managed via a .streamlit/secrets.toml file for local development or through the “Secrets” section in Streamlit Community Cloud. However, Streamlit also makes all root-level secrets from secrets.toml available as environment variables at runtime, so you can access them with os.environ as well as st.secrets in your code.

But Streamlit does not natively support populating st.secrets directly from environment variables alone (i.e., without a secrets.toml file present). For configuration options, you can use environment variables (with the STREAMLIT_ prefix), but for secrets, you must use the secrets management system as described above. If you’re deploying to platforms like Heroku or Render, you can use environment variables and access them via os.environ, but these won’t be available in st.secrets unless you generate a secrets.toml file at runtime. For more, see Working with configuration options - Streamlit Docs and Secrets management - Streamlit Docs.



I ran into this same choice while building a Portfolio Analytics app. While .toml files are great for local development, they can be a headache for CI/CD since you (rightfully) .gitignore them.

My workaround for the cloud version was to skip the file entirely and use the Cloud Secrets Panel to inject the password as an environment variable.

In my code, I just use: PASSWORD = os.environ.get("DB_PASSWORD")

This keeps the ‘Secrets’ purely in the environment and out of the repo, which is much more secure for public-facing apps. It also makes the app more ‘portable’—if I move from Streamlit Cloud to a VPS, I just set the environment variable there and the code doesn’t have to change at all.

Just to add one detail: st.secrets can fetch from Kubernetes-style secrets, too. You just need to update your config.toml to point to a directory for it. So, if your particular deployment platform supports it, that’s another option:
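For readers who have not used a Kubernetes-style secret mount before, here is an added example (not from the thread, and not Streamlit's own loader) of how such a directory is read: each file name is a key and the file's content is the value. It assumes the layout Kubernetes produces when a Secret is mounted as a volume, where the kubelet also drops bookkeeping entries such as a `..data` directory that must be skipped. It layers an environment-variable override on top, and fails loudly on a missing key rather than returning None, so an unset credential cannot silently turn into an empty password.

```python
import tempfile
from pathlib import Path


def read_secret_dir(secret_dir: Path) -> dict:
    """Read a one-file-per-key secret directory (Kubernetes volume layout).

    Entries starting with "." are kubelet bookkeeping (..data, ..<timestamp>,
    hidden files) and are skipped. is_file() follows symlinks, which is what we
    want: Kubernetes exposes each key as a symlink into ..data/.
    """
    secrets = {}
    for entry in sorted(secret_dir.iterdir()):
        if entry.name.startswith(".") or not entry.is_file():
            continue
        # Values are taken verbatim: Kubernetes writes them without a trailing
        # newline, and stripping could corrupt a value that legitimately ends
        # in whitespace.
        secrets[entry.name] = entry.read_text(encoding="utf-8")
    return secrets


def get_secret(name: str, env: dict, secret_dir: Path) -> str:
    """Resolve a secret: explicit environment wins, then the mounted directory.

    Raises KeyError when neither source has it, so misconfiguration is visible
    at startup instead of surfacing as a failed login later.
    """
    if name in env:
        return env[name]
    mounted = read_secret_dir(secret_dir)
    if name in mounted:
        return mounted[name]
    raise KeyError(f"secret {name!r} not found in environment or {secret_dir}")


def missing_secret_raises(env: dict, secret_dir: Path) -> bool:
    try:
        get_secret("DOES_NOT_EXIST", env, secret_dir)
    except KeyError:
        return True
    return False


def demo() -> dict:
    """Build a constructed secret mount in a temp dir and resolve from it."""
    root = Path(tempfile.mkdtemp())
    (root / "DB_PASSWORD").write_text("from-mount", encoding="utf-8")
    (root / "API_KEY").write_text("key-from-mount", encoding="utf-8")
    (root / "..data").mkdir()                       # kubelet bookkeeping, skipped
    (root / ".hidden").write_text("x", encoding="utf-8")  # also skipped
    env = {"DB_PASSWORD": "from-env"}               # constructed override
    return {
        "DB_PASSWORD": get_secret("DB_PASSWORD", env, root),
        "API_KEY": get_secret("API_KEY", env, root),
        "mounted_keys": sorted(read_secret_dir(root)),
        "missing_raises": missing_secret_raises(env, root),
    }


if __name__ == "__main__":
    print(demo())
```

One practical check when debugging "wrong password" errors from a mounted secret: print `repr(value)` rather than `value`, since a stray trailing newline from `kubectl create secret --from-file` on an editor-saved file is invisible otherwise.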