Network Access Policies, Cross-app referencing, and more

The Phase platform has seen significant feature updates and improvements this April, including support for cross-app secret referencing, network access policies, enhanced log filtering and more. Here's a recap of all the recent changes.
Reference Secrets across Apps
One of our most requested features is here: you can now reference secrets across Apps in Phase, making it easier to reuse shared keys like API tokens, database credentials, and service configs.
You can already reference secrets across environments and folders within a single App. With this update, you can now extend that to secrets stored in other apps. To construct a cross-app secret reference, simply prefix a reference with the app name, followed by ::.
For example, ${API::production./jwt/SECRET_KEY} references the SECRET_KEY secret from the production environment of the API app at path /jwt/.
Syntax Recap:
| Syntax | App | Environment | Path | Key | 
|---|---|---|---|---|
| ${API::production./jwt/SECRET_KEY} | API | production | /jwt/ | SECRET_KEY | 
The feature was highly requested by the community, and adds another layer of abstraction to allow you to build complex workflows to manage secrets in your team.
Note that the standard rules of access and permissions still apply to secrets referenced across apps. In the example above, an account without access to the API app will not be able to resolve this secret reference.
If you're interested in a deep dive into how references work, check out the docs.
Cross-app secret referencing is available now on Phase Cloud and available in v2.40.0 for self-hosted users. This feature is also supported on the Phase CLI v1.19.1 and the currently available SDKs:
Restrict access to allowed IPs
You can now manage access to secrets in your team with Network Access Policies. A Policy is defined by a set of IP addresses or CIDR ranges, and functions as an allowlist. You can enforce Network Access Policies on specific accounts, or across your entire Organisation. To create a Network Access Policy, click Access in the sidebar and navigate to the Network tab. Click Create policy, enter one or more IP addresses or ranges, and hit Enter, Space, or , after each entry. Both IPv4 and IPv6 are supported, and you can even select your own IP address from the dropdown if required.
Enforce a policy for a specific account
You can selectively enforce a Network Access Policy on a specific user or service account from the account page. Simply scroll down to the Network Access Policy section and select one or more policies to enforce.
This will enforce the selected policy immediately and restrict access to the Console, CLI, SDKs and REST API from any IP address outside the allowlist.
Enforce a policy globally
Network Access Policies can also be applied globally across your organisation. To set a global policy, simply navigate to Access from the sidebar, open the Network tab and scroll down to Global Policies. Click the "Manage global policies" button and select one or more policies to apply globally. Careful not to lock yourself out!
For complete documentation on managing and enforcing Network Access Policies, check out the Docs.
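A local pre-flight check for the lockout warning above, as an added example that is not Phase's code: it parses policy entries separated by commas or whitespace and reports which of your known admin IPs each policy would leave outside the allowlist. The function names, policy names and sample addresses (documentation ranges) are constructed; how Phase validates entries or combines multiple selected policies is not stated here, so each policy is checked on its own.

```python
import ipaddress
import re


def parse_policy(raw):
    """Split a policy string on commas/whitespace into (networks, invalid)."""
    networks, invalid = [], []
    for entry in filter(None, re.split(r"[,\s]+", raw.strip())):
        try:
            # Default strict parsing: a CIDR with host bits set (10.0.0.5/8)
            # is reported as invalid here. Phase's own validation may differ.
            networks.append(ipaddress.ip_network(entry))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any network of the allowlist."""
    addr = ipaddress.ip_address(client_ip)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)


def lockout_report(policies, admin_ips):
    """Per policy: invalid entries and the admin IPs it would not cover."""
    report = {}
    for name, raw in policies.items():
        networks, invalid = parse_policy(raw)
        outside = [ip for ip in admin_ips if not is_allowed(ip, networks)]
        report[name] = {"invalid": invalid, "outside": outside}
    return report


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
POLICIES = {
    "office": "203.0.113.0/24, 2001:db8::/32",
    "vpn": "198.51.100.7 10.0.0.300",
}
ADMIN_IPS = ["203.0.113.10", "2001:db8::1", "198.51.100.7"]

if __name__ == "__main__":
    for name, result in lockout_report(POLICIES, ADMIN_IPS).items():
        print(name, result)
```

Any address listed under "outside" for a policy you plan to enforce globally is one you would no longer be able to connect from once that policy is the only one in effect.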
Filter logs
We've added a detailed filtering feature to audit logs to give you better visibility on secret access and modifications. You can now filter logs by event type (Create, Read, Update, Delete), get logs for a specific user or service account, filter by environment, and by date range. The logs UI has also got a makeover with better typography, layout and general UI polish, along with a completely rebuilt client-side data fetching implementation which will significantly improve browser performance.
Other updates and improvements
- Performance optimizations for Service Account list and detail pages
- REST API error responses caused by access restrictions are more accurate, and verbose debug logging is enabled on the backend to help diagnose access issues
- A dedicated Account page is added for human users to help admins more easily manage settings for individual accounts
- The "Unlock Keyring" dialog has been updated with a visual refresh and better UX
All these features are live now on Phase Cloud and available in the latest release v2.42.1 for self-hosted users.
As always, we'd love your feedback — come say hi on Slack or GitHub.