From 224e63a92bd3e7c063953512f6f5cf0c49045c27 Mon Sep 17 00:00:00 2001 From: Chad Wilson Date: Sun, 21 Jul 2024 22:39:13 +0800 Subject: [PATCH] Document need to quote secrets mgmt values Fixes #136 --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3021b176..d18ffb4e 100644 --- a/README.md +++ b/README.md @@ -216,6 +216,7 @@ Feel free to improve it! * [pluggable scm](#pluggable) * [config repo](#configrepo) 1. [Secure variables](#to-generate-an-encrypted-value) +1. [Retrieving secrets from Secrets Management plugins in values][#retrieving-secrets-from-secrets-management-plugins-in-values) 1. [YAML Aliases](#yaml-aliases) ## Format version @@ -1103,7 +1104,7 @@ parameters: ``` -#### To generate an encrypted value +### To generate an encrypted value **For versions of GoCD >= 17.1:** 
@@ -1117,6 +1118,24 @@ See the [encryption API](https://api.gocd.org/current/#encrypt-a-plain-text-valu sudo -u go bash -c 'echo -n 'YOUR-INPUT' | openssl enc -des-cbc -a -iv 0 -K $(cat /etc/go/cipher)' ``` +### Retrieving secrets from Secrets Management plugins in values + +Rather than using secure variables encrypted in values and source controlled, you can use [Secrets Management](https://docs.gocd.org/current/configuration/secrets_management.html) plugins +to store secrets within various backends and have them dynamically retrieved at runtime. + +With any of the corresponding YAML fields documented [here](https://docs.gocd.org/current/configuration/secrets_management.html#step-4---define-secret-params) you +can use the special syntax to denote a secret to be looked up. + +Note that **quoting the values is important** since braces (`{`, `}`) are important in YAML, as a superset of JSON. + +```yaml +environment_variables: + DEPLOYMENT: testing + FOO: bar + # this value retrieves the `testing_password` secret from the `sample_secret` configuration if whichever secrets plugin is appropriate + MY_PASSWORD: "{{SECRET:[sample_secret][testing_password]" +``` + ### Boolean values Among all configuration elements there are boolean values, which can be defined
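Review bot: the table-of-contents entry added in the first hunk is not a valid Markdown link, because it reads `values][#retrieving-secrets-...)`, closing the label with `]` and then opening the target with `[` instead of `(`. Change it to `[Retrieving secrets from Secrets Management plugins in values](#retrieving-secrets-from-secrets-management-plugins-in-values)` so the entry renders as a link and jumps to the new heading.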
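Review bot: the second hunk promotes `#### To generate an encrypted value` to `### To generate an encrypted value`, which the commit message (about quoting secrets management values) does not mention. If the promotion is deliberate, so that this heading sits at the same level as the new `### Retrieving secrets from Secrets Management plugins in values` section, note it in the commit message; otherwise drop it from this patch.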
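Review bot: the YAML example in the third hunk leaves the secret param unterminated: `MY_PASSWORD: "{{SECRET:[sample_secret][testing_password]"` opens with `{{` but never closes, so it should end `[testing_password]}}"`. Since this section exists to show the exact quoted form, a copy-paste of the current line documents the wrong syntax. Two smaller points in the same hunk: the comment above that line says "configuration if whichever secrets plugin", where "of" is meant, and the sentence "braces are important in YAML" would be clearer if it said that an unquoted value starting with `{` is parsed as a flow mapping rather than a string, which is why the quotes are required.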