Do Umbraco Cloud Identity Secrets need to be committed into git?

I have raised this on the Umbraco Cloud Issues tracker but am cross-posting it here just to see if anyone else in the community has come up with their own approach to managing these secrets for their Cloud projects. Tl;dr: I want to know if it's possible to avoid committing the umbraco-cloud.json file for a repo using Umbraco Cloud CI/CD.

If there's no approach I can update my Umbraco Cloud action (mattou07/Our.UmbracoCloudAction on GitHub: a GitHub Action to deploy to Umbraco Cloud using the v2 API) to inject the secrets file while pushing the artifact to Cloud, using GitHub secrets to store the contents of the umbraco-cloud.json.

Not ideal though!


Not sure if that specific file will go through this transform, but what we do for our Cloud sites which need to call a private NuGet feed is to use the Cloud Secrets: Secrets Management | Cloud | Umbraco Documentation

Then in the nuget.config we have

  `<add key="ClearTextPassword" value="%NUGET_PASSWORD%" />`

So I wonder if this approach would work, but that's assuming there is no other reason not to use the built-in secrets on Cloud, which someone else may know about.

This secret is needed for local development. The secrets in umbraco-cloud.json enable you to log in with Umbraco ID locally to get to the back office. We cannot use Secrets Management in the Umbraco Cloud portal for this.

Ahh sorry, yes, I understand what you're saying. For me you're correct in that even if we have to manually copy it, or there is a step on initial creation which we can use to set it in a local non-git file, then the one which is committed has the variable.

I would be interested in the reason for including it. I know those secrets expire, so maybe it's a logistics thing.

For an upcoming open source Cloud site, we stored it as a GitHub secret that gets injected during the CI/CD step into the final zip file that gets pushed to Cloud.

As this is not a site we can allow people access to the Cloud site for, we use local backoffice accounts and do not have the ability to push/pull with Umbraco Deploy, so we're working around that by exporting things from staging/live to import back into Local (or vice versa).

I do think it's quite nice though: this shields the whole Cloud environment from people working locally, given that you have the proper approvals set up on GitHub / Azure so that not just any commit goes straight to the Cloud environment. It also allows for offline work. People can still log into the Cloud environment and export content/media etc. to import locally if they really need to.
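The "GitHub secret injected into the artifact" approach from the last reply, as an added example that is not code from any poster or from the Our.UmbracoCloudAction project. It assumes the workflow exposes the secret as the environment variable UMBRACO_CLOUD_JSON (via `env: UMBRACO_CLOUD_JSON: ${{ secrets.UMBRACO_CLOUD_JSON }}`), that the build output lives in an artifact directory, and that `zip` is available on the runner; the variable, directory and zip names are assumptions for the example, and the JSON used in the comments is constructed, not the real file layout.

```shell
#!/usr/bin/env sh
# Added illustration, not the project's own code: write umbraco-cloud.json into
# the build artifact from a GitHub secret at CI time, so the file is never
# committed. Assumed names: UMBRACO_CLOUD_JSON (env var), ARTIFACT_DIR, and the
# output zip path.
set -eu

# Fail the build if the secret file is tracked by git; it should only ever exist
# in the artifact. No-op outside a git work tree.
# Usage: refuse_if_tracked <path>
refuse_if_tracked() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  if git ls-files --error-unmatch -- "$1" >/dev/null 2>&1; then
    echo "refuse_if_tracked: $1 is tracked by git; remove it from the repo" >&2
    return 1
  fi
}

# Write the secret into <artifact_dir>/umbraco-cloud.json with owner-only
# permissions. Refuses an empty secret (a misconfigured workflow would otherwise
# ship an artifact that cannot authenticate) and anything that is not a JSON
# object (a missing or wrong secret name is a common cause).
# Usage: inject_cloud_secret <artifact_dir> <secret_json>
inject_cloud_secret() {
  artifact_dir=$1
  secret_json=$2
  if [ -z "$secret_json" ]; then
    echo "inject_cloud_secret: secret is empty; refusing to build the artifact" >&2
    return 1
  fi
  case "$secret_json" in
    \{*) ;;  # crude sanity check: a JSON object is expected
    *) echo "inject_cloud_secret: secret does not look like a JSON object" >&2; return 1 ;;
  esac
  mkdir -p "$artifact_dir"
  ( umask 077 && printf '%s\n' "$secret_json" > "$artifact_dir/umbraco-cloud.json" )
  chmod 600 "$artifact_dir/umbraco-cloud.json"
}

# Zip the artifact directory into <zip_path> (the zip that gets pushed to Cloud).
# Usage: package_artifact <artifact_dir> <zip_path>
package_artifact() {
  out="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  ( cd "$1" && zip -qr "$out" . )
}

# CI entry point: run as `sh inject.sh --run` from the workflow step. Without
# --run the file only defines the functions above.
if [ "${1:-}" = "--run" ]; then
  refuse_if_tracked umbraco-cloud.json
  inject_cloud_secret "${ARTIFACT_DIR:-artifact}" "${UMBRACO_CLOUD_JSON:-}"
  package_artifact "${ARTIFACT_DIR:-artifact}" "${ARTIFACT_ZIP:-artifact.zip}"
fi
```

Keep umbraco-cloud.json in .gitignore as well; the `refuse_if_tracked` step is there so a stray `git add` fails the build instead of quietly pushing the secret into history. The `%NUGET_PASSWORD%` placeholder style from the earlier reply is a separate mechanism (Cloud substitutes it server-side), whereas this script produces the real file locally to the runner before the artifact is uploaded.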