Mounted Files#
You can securely add arbitrary confidential information to your workloads by using file-mounted secrets.
File-mounted secrets are more secure than env
secrets because they are less likely to be leaked by the processes running in your workload (e.g. some loggers can optionally record the system environment variables to aid in reproducibility).
To create a file-mounted secret, use the mounted
secret type:
> mcli create secret mounted
? What would you like to name this secret? mounted-secret
? What data would you like to store? ****************
✔ Created secret: mounted-secret
This command will request the secret name and confidential data you wish to store.
By default, the secret will be mounted at the path /secrets/<secret-name>/secret
(/secrets/mounted-secret/secret
above). This mount path can be changed by supplying the --mount-path
argument.
The path will be made available as the environment variable $SECRET_PATH_<UPPER_NAME>
, where <UPPER_NAME>
is the secret name, all upper-case with “-” replaced by “_”.
Once you’ve added your file-mounted secret, you can verify that it exists by running the following YAML:
name: check-file
gpu_type: none
image: bash
command: |
ls -l $SECRET_PATH_MOUNTED_SECRET
Save this YAML locally as check-file.yaml
and run it with mcli run -f check-file.yaml
.
You should see the following:
> mcli run -f check-file.yaml
i Run check-file-6khr submitted. Waiting for it to start...
i You can press Ctrl+C to quit and follow your run manually.
✔ Run check-file started
i Following run logs. Press Ctrl+C to quit.
lrwxrwxrwx 1 root root 13 Jun 21 23:15 /secrets/mounted-secret/secret -> ..data/secret