Cloud Functions often need credentials or settings — API keys for external services, hostnames or passwords should never be hard-coded.

Configuration of secrets is provided through YAML, with two parallel mechanisms: one for local development, one for the deployed function.

Which configuration is my Cloud Function reading and where?

🚧

Same schema, both places

As best practice, use the same configuration shape locally and in the cloud, or your function may work in development but break in production (or vice versa).

Local development configuration

The configuration can be created locally by setting it in the context_values.yaml file in the root of your backend-component-workspace folder. There are no requirements on the format, other than that the root should be an object (i.e. not a string, array or int).

The configuration is exposed on the FunctionContext via the config field:

apiApplication: pubidxxxxxxx

externalService:
  hostname: api.reallyusefulservice.com
  username: user
  password: pass

from ixoncdkingress.function.context import FunctionContext

@FunctionContext.expose
def hello_world(context: FunctionContext, **kwargs):
    print(context.config['apiApplication'])
    # prints "pubidxxxxxxx"

    # Nested objects are accessible as nested dicts:
    print(context.config['externalService']['username'])
    # prints "user"

📘

Numbers parse as strings

Integers and floats in YAML are read as strings by context.config. If you need them as numbers, cast explicitly with int(...) or float(...).

Default configuration in IXON Cloud

Under Studio > Cloud Functions > Function of choice > General > Default config, a default configuration template can be set and provided as an example so that admins can properly set up the encrypted configuration.

The default config supports any valid YAML — comments included, which is the recommended way to document each option.

❗️

Default config is not encrypted

The default config is shared with everyone who installs your function and simply provides an example. Never put secrets there.

Encrypted configuration in IXON Cloud

To allow users to safely store their secrets, an encrypted configuration is provided in Admin > Apps > Function of choice > More options. This configuration should be selected to protect any API Token or passwords used by the Cloud Function.

Secrets stored here should follow the same structure of the context_values.yaml file used during local development as mentioned in the note on top of this article.

Additionally, pressing the Reset button resets the configuration to the one set as Default Configuration mentioned in the previous section:

❗️

Why do I not see a "Reset" button?

The "Reset" button will not be available unless a Default configuration has been set up.

Confidentiality

When publishing a Cloud Function, you can set the confidentiality of its configuration under Studio > Cloud Functions > Function of choice > Confidentiality > Edit.

Choose the Secret option for any configuration that should only ever be readable by the Cloud Function itself — for example, third-party API tokens. This protects sensitive values from being inspected by users with access to the configuration UI.

Are secrets stored across companies?

Different companies store their own secrets. When your Cloud Function is shared with multiple companies, each company configures its own settings independently. If Company A stores credentials for an external service, Company B does not see them — Company B will need to enter their own. Configuration does not travel with the function.