Secrets allow you to inject secret values into your runs, such as API keys, passwords, access keys, or any other sensitive information. These secrets can be made accessible inside your run either through a mounted text file or, more typically, as an environment variable. Secrets are available across all the user’s clusters.

For example, secrets can be added as environment variables:

mcli create secret env NAME=my-super-secret-name
✔  Created environment secret: name
✔  Synced to all clusters

The above secret is now available inside your runs as the environment variable NAME with the value my-super-secret-name.

Secrets can also be injected as mounted text files:

mcli create secret git-ssh ~/.ssh/my_id_rsa

Modifying Secrets

Secrets by design are not modifiable. To edit an existing secret, delete the secret with mcli delete secret <secret-name> and then recreate the secret.

Working with secrets#

In this example, we create a secret, and then show how to access that within a run. First, create an environment variable secret with:

mcli create secret env SECRET_STUFF='super-secret-name'

Now, let’s run a simple “Hello World” run, except we access the injected secret in the command with echo Hello $SECRET_STUFF:

name: hello-secret-user
  gpus: 0
image: python
command: |
  echo Hello $SECRET_STUFF!

Creating a run with the above YAML should yield:

> mcli run -f hello-secret-user.yaml

i  Run hello-secret-user submitted. Waiting for it to start...
i  You can press Ctrl+C to quit and follow your run manually.
✔  Run hello-secret-user started
i  Following run logs. Press Ctrl+C to quit.

Hello super-secret-name!

Secrets by design are not modifiable. To edit the existing secret, delete the secret first and then re-create:

mcli delete secret secret-stuff
mcli create secret env SECRET_STUFF='super-secret-name2'

You can get all of your secrets using:

mcli get secrets

Automatically mounted secrets#

Access to the MosaicML platform inside your run is automatically configured with your user’s permissions. You can use this to interact with the platform via the SDK or CLI. For example, you can launch a run inside a run or make updates to the existing run.

Supported Secret Types#