Changelog

October 2025

Friday, October 31, 2025
consoleclisdkawsgithubvercelkubernetes

October 2025

A packed month for the Phase platform — we shipped External Identities with AWS IAM auth, brought Dynamic Secrets to the CLI, added GitHub Environments and Vercel custom environment sync support, improved macOS packaging, and much more. Here's a recap.

External Identities — AWS IAM Auth

Phase now supports authenticating service accounts using external identity providers, starting with AWS IAM. Instead of managing long-lived Phase service tokens, you can now authenticate directly using your existing AWS IAM credentials. This is ideal for workloads running on AWS infrastructure like EC2, ECS, Lambda, and EKS where IAM roles are already available.

How it works:

  1. Create a service account in Phase Console and configure it with an AWS IAM external identity
  2. From your AWS workload, authenticate using phase auth --identity-provider=aws --aws-region=us-east-1
  3. The CLI automatically detects available AWS credentials (instance role, ECS task role, etc.) and exchanges them for a short-lived Phase token

This eliminates the need to distribute and rotate static service account tokens in AWS environments. Service accounts can be configured with server-side key management (KMS) for seamless, zero-config secret access.

Check out the External Identities docs for setup instructions.

Available in Console v2.53.0 and CLI v1.21.0.

Dynamic Secrets in the CLI

Following last month's launch of Dynamic Secrets in the Console and REST API, the Phase CLI now fully supports dynamic secret operations. When you run phase secrets list --show, phase run, or phase shell in an environment with Dynamic Secrets configured, the CLI automatically leases new credentials on demand and injects them into your shell or command.

Available in CLI v1.20.0.

Sync Secrets to GitHub Environments

You can now sync secrets from Phase directly to GitHub Actions environments — not just repository-level secrets. This gives you finer-grained control over which secrets are available to specific deployment workflows and environments in your CI/CD pipelines.

We also added support for manual GitHub credential setup, letting you configure GitHub integrations using a personal access token instead of the OAuth flow. This is useful for GitHub Enterprise Server (GHES) users or organizations with strict OAuth policies.

Available in Console v2.53.1.

Vercel Custom Environment Support

The Vercel integration now supports syncing secrets to custom Vercel environments, beyond the default Development, Preview, and Production. If you use custom environments in Vercel for staging, QA, or other workflows, Phase can now sync secrets to them.

Check out the Vercel integration docs for setup details.

Available in Console v2.53.2.

Node SDK — Implicit Init

The Phase Node.js SDK now supports implicit initialization. You no longer need to manually call init() before using CRUD methods — the SDK initializes automatically on first use. This simplifies integration and reduces boilerplate.

Available in Node SDK v3.2.0.

CLI — Service Account Login

The phase auth command now supports service account login. You can authenticate using a service account token directly:

phase auth --mode=token

This is useful for CI/CD pipelines and automated workflows where interactive login isn't possible.

Available in CLI v1.21.0.

Improved macOS Packaging

The CLI now ships with proper macOS code signing and notarization for Homebrew builds, as well as native ARM64 (Apple Silicon) binary support. macOS builds have been upgraded to the macos-15 runner. This eliminates Gatekeeper warnings and provides a smoother installation experience on Apple Silicon Macs.

Available in CLI v1.21.0 and v1.21.1.

Other improvements

  • Improved breadcrumbs and page titles — Console now shows consistent, contextual breadcrumbs across all pages with document titles like "Starlink > Apps | Phase Console"
  • Optimized secret log queries — The expensive count query in logs has been optimized and split to avoid blocking, improving performance for large audit log tables
  • Optimized secret history performance — Added database indexes for the SecretEvent model, improving query performance for secret history lookups
  • Fix org name formatting — Organization names are no longer reformatted with startCase, preserving their original case and spacing
  • Fix Service Account Token creation — Resolved a bug in the ServiceAccountToken save method
  • Fix lease minimum TTL — Fixed an issue that allowed creating dynamic secret leases with less than 60-second expiry via the API
  • Cursor button added to docs — Added a quick-start button for Cursor IDE integration in the docs

All features are live on Phase Cloud and available in the latest releases for self-hosted users.

As always, we'd love your feedback — come say hi on Slack or GitHub.

Request a feature

We build features based on community requests and feedback.
Looking for a specific feature or have a use-case in mind? Reach out to us!

CLOUD

The fastest and easiest way to get started with Phase. Spin up an app in seconds. Hosted in the 🇪🇺

SELF-HOSTED

Run Phase on your own infrastructure and maintain full control. Perfect for customers with strict compliance requirements.