Commit eba7f220 authored by Clement Bois

Merge branch 'secret-url-timeout' into 'master'

docs: url variable for external secrets

See merge request to-be-continuous/doc!113
parents 35a34fdd add572bd
+8 −0
@@ -163,6 +163,14 @@ decoded by our templates (make sure you're using a version of the template that
>
> `CAVE_PASSPHRASE=@b64@eyJvcGVuIjoiJOKCrDVAbWUifQ==`

### Using an external secrets management system

If you want to pull secrets from an external secrets management system, declare a variable with `@url@` prefix, followed by the URL of the secret. Our templates will automatically fetch the URL and put the content into the variable (make sure you're using a version of the template that supports this syntax).

For [Hashicorp Vault](https://developer.hashicorp.com/vault), we provide a [vault-secrets-provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image, available in most templates through a `-vault` [variant](../self-managed/advanced/#template-variants). It allows fetching secrets from a Vault server and inject them into your CI/CD variables using the `@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}` syntax.

Default timeout for fetching secrets is 5 seconds. If you need to increase it, you can set the global `TBC_SECRET_URL_TIMEOUT` variable to the desired number of seconds.

## Scoped variables

All our templates support a generic and powerful way of limiting/overriding some of your environment variables, depending on the execution context.
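
Review bot: The added timeout paragraph ("Default timeout for fetching secrets is 5 seconds") does not say what happens when the fetch times out or returns an error. For a secret, the reader needs to know whether the job fails or the variable keeps its literal `@url@...` value, so please state that behaviour next to `TBC_SECRET_URL_TIMEOUT`, and say where this "global" variable is expected to be set. The generic `@url@` paragraph also says nothing about how the request is authenticated or whether TLS is expected, and the only example uses `http://vault-secrets-provider/...`. A sentence explaining that this hostname is the provider service started by the `-vault` variant (if that is the case), and that other endpoints should be reached over `https://`, would keep readers from copying plain HTTP for a remote secret store. Minor: "inject them" should read "injecting them", and the vendor name is spelled "HashiCorp".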