Merged
20 changes: 18 additions & 2 deletions docs/Collecting Metrics/Secrets Management/Secrets Management.mdx
Expand Up @@ -19,7 +19,7 @@ Netdata lets you reference secret values in collector configs instead of storing

### Jump To

[Resolver Quick Reference](#resolver-quick-reference) • [Choosing a Resolver](#choosing-a-resolver) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting)
[Resolver Quick Reference](#resolver-quick-reference) • [Choosing a Resolver](#choosing-a-resolver) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Encoding Values for URIs](#encoding-values-for-uris) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting)


## Resolver Quick Reference
Expand All @@ -37,6 +37,7 @@ Netdata lets you reference secret values in collector configs instead of storing
- Use `${cmd:...}` when you need dynamic secret retrieval via a trusted local command, such as 1Password CLI or a custom script.
- Use `${store:...}` when your organization manages secrets centrally in a cloud provider or Vault and you want Netdata to pull from that source directly.
- You can use different resolver types across different collectors, different jobs within the same collector, or even within the same configuration value. See [Mixing resolver types](#mixing-resolver-types).
- When you embed a secret inside a URI or DSN, append `+urienc` to the reference scheme to percent-encode the resolved value. See [Encoding values for URIs](#encoding-values-for-uris).

## Environment Variables

Expand Down Expand Up @@ -82,6 +83,20 @@ jobs:
- Netdata uses a 10-second timeout for command resolvers.
- Netdata trims leading and trailing whitespace from stdout and ignores stderr.

## Encoding Values for URIs

When a resolved secret is embedded inside a URI or DSN, characters such as `/`, `:`, `@`, or `+` can break parsing. Append `+urienc` to the reference scheme to percent-encode the resolved value so it is safe in any URI component. It works with every resolver: `${env+urienc:...}`, `${file+urienc:...}`, `${cmd+urienc:...}`, and `${store+urienc:...}`.

```yaml
jobs:
- name: postgres_remote
dsn: "postgresql://postgres:${store+urienc:vault:vault_prod:secret/data/netdata/pg#password}@db.example.com:5432/postgres"
```

- Encoding is opt-in. Without `+urienc`, the resolved value is used exactly as stored.
- Every character outside the RFC 3986 unreserved set (`A-Za-z0-9` and `-` `.` `_` `~`) is percent-encoded.
- Use `+urienc` only for a value that is a single URI component, such as a password. Applying it to a plain field, or to a value that is already a complete URL, leaves stray percent-encoded text.

## Secretstores

Use secretstores when you want Netdata collectors to fetch secrets from remote backends at runtime instead of storing them locally in collector configs.
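Review bot: The opening paragraph of the new section says the encoded value is "safe in any URI component", while the third bullet restricts `+urienc` to a single component such as a password and warns that applying it to a complete URL leaves stray percent-encoded text; reconcile the wording so the paragraph does not overpromise. Two details a reader of this section will also need: whether encoding is applied after the command resolver's whitespace trimming described just above (otherwise a trailing newline from a script becomes `%0A` in the DSN), and whether `+urienc` can be combined with any other modifier or must be the only one, since the troubleshooting list below now documents an "unknown modifier" error. The YAML example itself is good: it places the encoded reference in the userinfo part of the DSN, which is exactly the case where `/`, `:` and `@` in a password break parsing.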
Expand Down Expand Up @@ -160,7 +175,7 @@ jobs:
dsn: "${env:MYSQL_USER}:${store:vault:vault_prod:secret/data/netdata/mysql#password}@tcp(127.0.0.1:3306)/"
```

Different jobs within the same collector config file can also use different resolver types.
Different jobs within the same collector config file can also use different resolver types. When a secretstore value is embedded inside a URI or DSN, append `+urienc` to the scheme (`${store+urienc:<kind>:<name>:<operand>}`) to percent-encode it. See [Encoding values for URIs](#encoding-values-for-uris).

## Supported Secretstore Backends

Expand Down Expand Up @@ -204,3 +219,4 @@ Representative error patterns:
- `${file:relative/path}`: file path must be absolute
- `${cmd:echo hello}`: command path must be absolute
- `${cmd:/path/to/slow-command}`: command timed out after 10s
- `${env+foo:VAR_NAME}`: unknown modifier 'foo'
24 changes: 22 additions & 2 deletions docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx
Expand Up @@ -14,7 +14,7 @@ slug: "/netdata-agent/configuration/dynamic-configuration-manager"

:::important

Netdata Cloud paid plan is required.
Netdata Cloud paid plan is required for creating, editing, testing, enabling, disabling, or removing configurations. On Community plans, you can still list configurable items.

:::

Expand Down Expand Up @@ -303,8 +303,28 @@ In Netdata, HTTP 412 is used to indicate that an authorization bearer token was

For more information, see [Secure Your Netdata Agent with Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection).

### Forbidden (HTTP 403) Error When Accessing Configuration Manager

If you see **"forbidden"** (HTTP 403) when opening configuration details or creating, editing, testing, enabling, disabling, or removing configurations in the Configuration Manager, one of the following restrictions is blocking the action.

:::important

Only users with an **Admin** or **Manager** role on a **paid plan** can perform Dynamic Configuration actions beyond listing. Users without Dynamic Configuration permissions and all users on the Community plan will receive **"forbidden"** for those actions.

:::

**Common causes:**

1. **Insufficient role** — Only Admin and Manager roles can perform Dynamic Configuration actions such as **View**, **Add**, **Update**, **Enable/Disable**, **Remove**, and **Test**. Troubleshooters, Observers, and Billing users can still use **List All**, but they will receive **"forbidden"** for actions beyond listing.
2. **Community (free) plan limitation** — A paid plan is required for all Dynamic Configuration Manager actions except **List All**. Users on the Community plan will see **"forbidden"** when attempting any action beyond listing.

**Resolution steps:**

1. **Check your assigned role**: Go to **Space Settings → Users** and verify your role. If you are not an Admin or Manager, ask a Space Admin to upgrade your role. See the [Role-Based Access Model documentation](/docs/netdata-cloud/authentication-&-authorization/role-based-access-model) for the full permissions table.
2. **Verify your subscription plan**: If you are on the Community plan, [upgrade to a paid plan](https://www.netdata.cloud/pricing/) or ask a Space Admin to do so. A paid plan is required for all Dynamic Configuration actions except **List All**.

---

Experience the efficiency and power of the Dynamic Configuration Manager in Netdata today. Whether you're managing a handful of nodes or a vast infrastructure, this feature will make your monitoring and alerting tasks smoother and more intuitive.

Developing with dynamic configuration? [Click here](https://learn.netdata.cloud/docs/developer-and-contributor-corner/dynamic-configuration/).
[Read more](/docs/developer-and-contributor-corner/dynamic-configuration) on developing with dynamic configuration.
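Review bot: Please verify that the link target `/docs/netdata-cloud/authentication-&-authorization/role-based-access-model` in the first resolution step resolves; a literal `&` inside a docs path is easy to get wrong in MDX, and the other links in this hunk use plain hyphenated slugs. The section also states the same restriction three times: in the `:::important` admonition, in cause 1, and in cause 2 ("Only users with an Admin or Manager role on a paid plan can perform Dynamic Configuration actions beyond listing"); keeping the admonition as the one-line summary and letting the numbered causes carry the detail would make the troubleshooting entry shorter and easier to scan. The switch from the absolute `https://learn.netdata.cloud/...` URL to the relative `/docs/developer-and-contributor-corner/dynamic-configuration` path is consistent with the bearer-token link earlier in the file and reads well.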