Documented secrets

[ci skip]

README.md

@@ -28,7 +28,9 @@ This image(s) is part of the [Docksal](http://docksal.io) image library.
   - drush
     - registry_rebuild
     - coder-8.x + phpcs
+    - Acquia Cloud API commands
   - drupal console launcher
+  - terminus (Pantheon)
   - wp-cli
 - ruby
   - ruby
@@ -75,3 +77,33 @@ cli
 ```
 
 See [docs](https://docs.docksal.io/en/master/tools/xdebug) on using Xdebug for web and cli PHP debugging.
+
+
+## Secrets and integrations
+
+`cli` can read secrets from environment variables and configure the respective integrations automatically at start.  
+
+The recommended place store secrets in Docksal is the global `$HOME/.docksal/docksal.env` file on the host. From there, 
+secrets are injected into the `cli` container's environment.
+
+Below is the list of secrets currently supported.
+
+`SECRET_SSH_PRIVATE_KEY`
+
+Use to pass a private SSH key. The key is stored in `/home/docker/.ssh/id_rsa` inside `cli` and will be considered 
+by the SSH client **in addition** to the keys loaded in `docksal-ssh-agent` when establishing a SSH connection 
+from within `cli`.
+
+`SECRET_ACAPI_EMAIL` and `SECRET_ACAPI_KEY`
+
+Credentials used to authenticate with [Acquia Cloud API](https://docs.acquia.com/acquia-cloud/api).  
+Stored in `/home/docker/.acquia/cloudapi.conf` inside `cli`. 
+
+Acquia Cloud API can be used via `ac-<command>` group of commands in Drush.
+
+`SECRET_TERMINUS_TOKEN`
+
+Credentials used to authenticate [Terminus](https://pantheon.io/docs/terminus) with Pantheon.
+Stored in `/home/docker/.terminus/` inside `cli`.
+
+Terminus is installed and available globally in `cli`.