Environment Variables#

Secrets can be surfaced as environment variables using the env secret type. These environment variables are injected at runtime:

mcli create secret env FOO=secret-api-key-1234

The above secret can then be accessed during your run as the environment variable $FOO.

Note that this will expose your API key in your terminal’s command history. If this is a concern, environment variable secrets can also be created interactively with:

mcli create secret env

Secret name

For labeling purposes, the created secret in the example above will be labeled foo. This can be used to later delete the secret with mcli delete secret foo. To see all your secret names, use mcli get secrets.

A custom name can also be used with:

mcli create secret env FOO=secret-stuff --name my-secret-foo


This will create a secret named `foo`, since all secret names have to consist of lower-case letters, numbers and '-'. You can also give it a custom name, if you'd prefer, e.g

```bash
mcli create secret env FOO=secret-api-key-1234 --name my-custom-name

To verify the secret was properly created:

> mcli get secrets
NAME  TYPE
example     environment
example2    environment
example3    ssh

As with all other secrets, env secrets will be injected into every one of your subsequent runs. To only inject environment variables into individual runs, specify them in your Run schema.