Mounted Files

You can securely add arbitrary confidential information to your workloads by using file-mounted secrets. File-mounted secrets are more secure than env secrets because they are less likely to be leaked by the processes running in your workload (e.g. some loggers can optionally record the system environment variables to aid in reproducibility). To create a file-mounted secret, use the mounted secret type:

> mcli create secret mounted
? What would you like to name this secret? mounted-secret
? What data would you like to store? ****************
✔  Created secret: mounted-secret

This command will request the secret name and confidential data you wish to store. By default, the secret will be mounted at the path /secrets/<secret-name>/secret (/secrets/mounted-secret/secret above). This mount path can be changed by supplying the --mount-path argument.

The path will be made available as the environment variable $SECRET_PATH_<UPPER_NAME>, where <UPPER_NAME> is the secret name, all upper-case with “-” replaced by “_”.

Once you’ve added your file-mounted secret, you can verify that it exists by running the following YAML:

name: check-file
gpu_type: none
image: bash
command: |
  ls -l $SECRET_PATH_MOUNTED_SECRET

Save this YAML locally as check-file.yaml and run it with mcli run -f check-file.yaml. You should see the following:

> mcli run -f check-file.yaml

i  Run check-file-6khr submitted. Waiting for it to start...
i  You can press Ctrl+C to quit and follow your run manually.
✔  Run check-file started
i  Following run logs. Press Ctrl+C to quit.

lrwxrwxrwx    1 root     root            13 Jun 21 23:15 /secrets/mounted-secret/secret -> ..data/secret
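
The following is an added example, not code from the original page or from mcli, showing how workload code could find the secret through the $SECRET_PATH_<UPPER_NAME> variable and read it without putting the value into logs or error messages. The function names secret_env_var, read_mounted_secret and build_constructed_mount are hypothetical, the secret is assumed to be UTF-8 text, and the temporary directory is a constructed stand-in for the symlinked mount shown in the ls -l output above.

```python
import os
import tempfile
from pathlib import Path


def secret_env_var(secret_name: str) -> str:
    """Env var naming rule from the docs: upper-case, "-" replaced by "_"."""
    return "SECRET_PATH_" + secret_name.upper().replace("-", "_")


def read_mounted_secret(secret_name: str, environ=os.environ) -> str:
    """Return the secret's contents; errors never include the value itself."""
    var = secret_env_var(secret_name)
    path = environ.get(var)
    if not path:
        raise KeyError(f"{var} is not set; is the secret attached to this run?")
    # The mounted path is a symlink (secret -> ..data/secret), so resolve it
    # and require a regular file before reading.
    target = Path(path).resolve(strict=True)
    if not target.is_file():
        raise ValueError(f"{var} does not point to a regular file")
    # Assumption: the secret is UTF-8 text; a trailing newline is dropped.
    return target.read_text(encoding="utf-8").rstrip("\n")


def build_constructed_mount(root: Path, secret_name: str, value: str) -> dict:
    """Constructed stand-in for the mount layout shown in the ls -l output."""
    secret_dir = root / secret_name
    (secret_dir / "..data").mkdir(parents=True)
    (secret_dir / "..data" / "secret").write_text(value + "\n", encoding="utf-8")
    os.symlink("..data/secret", secret_dir / "secret")
    return {secret_env_var(secret_name): str(secret_dir / "secret")}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        env = build_constructed_mount(Path(tmp), "mounted-secret", "constructed-value")
        token = read_mounted_secret("mounted-secret", environ=env)
        # Log only metadata (name and length), never the secret itself.
        print(f"loaded mounted-secret ({len(token)} characters)")
```

Inside a real run, call read_mounted_secret("mounted-secret") with the default environ so the path comes from the variable set for the workload.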