Ehedrick
2026-05-09

Grafana Cloud k6 Launches Centralized Secrets Management to Eliminate Hardcoded Credentials in Performance Testing

Grafana Cloud k6 launches centralized secrets management, enabling secure storage and runtime injection of sensitive data like API tokens into performance tests, eliminating credential hardcoding.

Breaking: Grafana Cloud k6 Introduces Centralized Secrets for Secure Performance Testing at Scale

In a move to address the growing security risks of credential sprawl in performance testing, Grafana Labs today announced the launch of native secrets management for its fully managed Grafana Cloud k6 platform. The new feature allows teams to store API tokens, database credentials, and other sensitive data centrally in Grafana Cloud, injecting them into test scripts at runtime—eliminating the need to hardcode secrets or pass them manually between environments.


“Performance tests often simulate real user behavior by interacting with live systems, which means they require API keys and tokens. But as testing suites grow, those credentials end up scattered across scripts, config files, and version control—creating a major security headache,” said Marcus Anders, Product Manager at Grafana Labs. “Secrets management for k6 removes that risk by keeping sensitive values out of scripts entirely. Engineers can now focus on test logic without worrying about accidental exposure.”

Centralized Storage, Runtime Injection

Secrets are stored in Grafana Cloud and never written into test code. At runtime, the k6/secrets module retrieves them securely. Once saved, secret values are write-only in the UI—they cannot be viewed again, preventing leaks via screenshots or screen sharing.

“This is a critical design principle,” added Anders. “If a secret is ever rotated, you simply update the value in a single location. All tests automatically use the new value on their next run. No script modifications, no pull requests, no delays.”

Getting Started: Manage Secrets from the Grafana Cloud UI

Users can create, edit, and delete secrets directly from the Grafana Cloud web interface under Testing & Synthetics > Performance > Settings > Secrets. Each secret is defined by a name (used to reference it in tests), a description, and labels for organization.

Editing a secret requires supplying a new value—the current value is never displayed. Deleting a secret removes it from all active tests. This lifecycle management aligns with enterprise security best practices and supports rapid credential rotation.

Using Secrets in k6 Tests

To use a secret, import the k6/secrets module and call secrets.get('secret-name'). Functions remain clean and readable:

import { check } from 'k6';
import http from 'k6/http';
import secrets from 'k6/secrets';

export default async function () {
  // Fetch the secret by name at runtime; the value never appears in the script.
  const apiToken = await secrets.get('api-token');
  const headers = { Authorization: `Bearer ${apiToken}` };
  const res = http.get('https://example.com/api', { headers });
  check(res, { 'status 200': (r) => r.status === 200 });
}

No credentials appear in the script. The same test can run across staging, QA, and production simply by pointing to a different secret set.

Background: The Credential Sprawl Problem

Performance testing tools like k6 (open source) are widely adopted for simulating high user loads. But as organizations scale their test suites, sensitive values—API tokens, service account passwords, database URIs—begin to spread across multiple scripts, environment variables, and even version control repositories.

“Hardcoding secrets into test scripts is the number one cause of accidental credential exposure in CI/CD pipelines,” said Dr. Lena Chen, cybersecurity researcher at SecureDevOps Labs. “Once a test script is committed to a repo, that secret lives forever in the history. Secrets management like this is not just a convenience; it’s a security necessity.”

Grafana Cloud k6 already supports environment variables and configuration files, but those methods still require manual management of the sensitive values. The new secrets management feature centralizes the storage and controls access at the platform level.
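Finding which scripts still carry credentials is the first step of a migration. The following is an added example, not Grafana's code or part of the original article: it scans k6 script text and classifies each script as hardcoded, environment-managed, or using k6/secrets. The rule patterns, status labels and sample scripts are constructed for illustration.

```javascript
// Added example: audit k6 scripts for credentials not yet moved to k6/secrets.
// Rule ids, patterns, status labels and sample scripts are constructed.
const RULES = [
  // Authorization header built from a literal instead of an interpolated value.
  { id: 'literal-auth-header',
    re: /Authorization['"]?\s*:\s*(['"`])(?:Bearer|Basic|Token)\s+(?!\$\{)[^'"`]{8,}\1/i },
  // Long literal assigned to a credential-looking name.
  { id: 'literal-credential',
    re: /\b\w*(?:api[_-]?key|token|secret|password|passwd)\w*\s*[:=]\s*(['"`])(?!\$\{)[^'"`\s]{8,}\1/i },
  // Connection URI carrying an inline user:password pair.
  { id: 'uri-with-password',
    re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@'"`]+:(?!\$\{)[^\s@\/'"`]{3,}@/i },
];

// Findings carry only line number and rule id; the matched value is never
// copied, so the audit report cannot leak the credential it found.
function scanScript(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { id, re } of RULES) if (re.test(text)) findings.push({ line: i + 1, rule: id });
  });
  return findings;
}

// Migration status of one script, worst case first.
function classify(source) {
  if (scanScript(source).length > 0) return 'hardcoded';
  if (/__ENV\.\w*(?:KEY|TOKEN|SECRET|PASSWORD)\w*/i.test(source)) return 'env-managed';
  if (/from\s+['"]k6\/secrets['"]/.test(source)) return 'central-secrets';
  return 'no-credentials';
}

const LEGACY = [
  "import http from 'k6/http';",
  "const dbUri = 'postgres://loadtest:Constructed-Pw-123@db.example.com:5432/app';",
  "export default function () {",
  "  const headers = { Authorization: 'Bearer constructed-token-0001' };",
  "  http.get('https://example.com/api', { headers });",
  "}",
].join('\n');
const ENV_BASED = "const headers = { Authorization: `Bearer ${__ENV.API_TOKEN}` };";
const MIGRATED = [
  "import secrets from 'k6/secrets';",
  "export default async function () {",
  "  const apiToken = await secrets.get('api-token');",
  "  const headers = { Authorization: `Bearer ${apiToken}` };",
  "}",
].join('\n');
for (const [n, s] of Object.entries({ LEGACY, ENV_BASED, MIGRATED })) console.log(n, classify(s), scanScript(s));
```

A literal found this way is also present in the repository history, so rotate it when moving it into the secrets store.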

What This Means

For engineering teams, the immediate benefit is reduced security risk. Credentials are no longer exposed in code reviews, logs, or screenshots. For platform teams, the centralized model simplifies compliance with data protection regulations (e.g., GDPR, SOC 2) by providing a single audit point for secret usage.

Operationally, the change accelerates test development. Engineers no longer need to maintain separate environment configurations or secret distribution workflows. A test written for a staging environment can be promoted to production simply by changing the secret values via the UI or API.

“This is a classic developer experience improvement that also strengthens security,” noted Anders. “It removes friction without adding complexity. We expect adoption to be rapid among teams already using k6 for load testing.”

The feature is available immediately to all Grafana Cloud k6 customers at no additional cost. Existing tests can be migrated incrementally—secrets can be adopted per function without rewriting entire scripts.

For more details, refer to the official documentation.