Overview

Date: 2026-05-11

Time: 15:49

Overview

This example demonstrates FTL2's secret bindings feature, which automatically injects secrets (from environment variables) into module calls without the script ever handling the actual secret values. This is a security best practice that replaces the older pattern of manually passing secrets via ftl.secrets["..."]. The file serves as both a working example and a teaching tool, contrasting the old and new approaches.

Usage Patterns

Secret bindings are passed as a dictionary to automation() at initialization:

bindings = {
    "community.general.slack": {"token": "SLACK_TOKEN"},       # exact module match
    "amazon.aws.*": {"aws_access_key_id": "AWS_ACCESS_KEY_ID"}, # glob pattern
}

async with automation(secret_bindings=bindings, verbose=True) as ftl:
    # Secrets are injected — no need to pass token= explicitly
    await ftl.community.general.slack(channel="#deployments", msg="Deploying...")

The binding dictionary maps module names (or glob patterns) to a dict of {parametername: envvar_name}. When a matching module is called, the parameter is filled from the environment variable automatically.

API and Configuration

| Parameter | Type | Description |

|-----------|------|-------------|

| secret_bindings | dict[str, dict[str, str]] | Passed to automation(). Keys are module names or glob patterns; values map parameter names to environment variable names. |

| verbose | bool | Enables verbose output when passed to automation(). |

Environment variables must be set before the script runs — the bindings reference env vars by name (e.g., SLACKTOKEN, AWSACCESSKEYID).

Key Behaviors

• Script never sees secret values. The binding mechanism resolves env vars at call time and injects them into module parameters, so the script source contains no secrets.
• Glob patterns (amazon.aws.*, community.postgresql.*) apply bindings to all matching modules — useful for credential families like AWS or database logins.
• Manual secrets still work. For modules not covered by bindings, ftl.secrets["KEY"] is still available as a fallback.
• Old approach comparison. The comparison_example() function explicitly contrasts the deprecated pattern (secrets passed as parameters in script code) with the binding approach.

Relationships

• Imports automation from ftl2.automation — the main entry point for all FTL2 scripts.
• Interacts with the Vault/secrets subsystem within automation() for resolving environment variable references at module call time.
• Module calls use FQCN notation (community.general.slack, amazon.aws.ec2_instance, community.postgresql.*), connecting to FTL2's module resolution system.
• Related patterns: pairs with the policy engine (which can enforce that certain modules *must* use bindings) and the audit/replay system (which benefits from secrets being absent from recorded parameters).