You can securely add arbitrary confidential information to your workloads by using file-mounted secrets.
File-mounted secrets are more secure than env secrets because they are less likely to be leaked by the processes running in your workload (e.g. some loggers can optionally record the system environment variables to aid in reproducibility).
To create a file-mounted secret, use the mounted secret type:
> mcli create secret mounted
? What would you like to name this secret? mounted-secret
? What data would you like to store? ****************
✔ Created secret: mounted-secret
This command will request the secret name and confidential data you wish to store.
By default, the secret will be mounted at the path
/secrets/mounted-secret/secret above). This mount path can be changed by supplying the
The path will be made available as the environment variable
<UPPER_NAME> is the secret name, all upper-case with “-” replaced by “_”.
Once you’ve added your file-mounted secret, you can verify that it exists by running the following YAML:
name: check-file
gpu_type: none
image: bash
command: |
  ls -l $SECRET_PATH_MOUNTED_SECRET
Save this YAML locally as check-file.yaml and run it with mcli run -f check-file.yaml.
You should see the following:
> mcli run -f check-file.yaml
i Run check-file-6khr submitted. Waiting for it to start...
i You can press Ctrl+C to quit and follow your run manually.
✔ Run check-file started
i Following run logs. Press Ctrl+C to quit.
lrwxrwxrwx 1 root root 13 Jun 21 23:15 /secrets/mounted-secret/secret -> ..data/secret
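The following is an added example, not code from the mcli project: a workload-side helper that reads a mounted secret through its path variable and shows why the file mount resists the environment-logging leak described above. It assumes the variable is named as in the check-file example (mounted-secret gives SECRET_PATH_MOUNTED_SECRET); the helper names, the MY_TOKEN variable and the token value are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def secret_path_var(secret_name: str) -> str:
    # Assumption taken from the page's example: upper-case, "-" replaced by "_".
    return "SECRET_PATH_" + secret_name.upper().replace("-", "_")


def read_mounted_secret(secret_name: str, environ=os.environ) -> str:
    var = secret_path_var(secret_name)
    path = environ.get(var)
    if not path:
        raise KeyError(f"{var} is not set; is the secret attached to this run?")
    # The mount is a symlink (secret -> ..data/secret); resolve it and fail if dangling.
    target = Path(path).resolve(strict=True)
    if not target.is_file():
        raise ValueError(f"{var} does not point to a regular file")
    # Assumption: a trailing newline is an artifact of how the value was stored.
    return target.read_text().rstrip("\n")


def env_vars_exposing(value: str, environ=os.environ) -> list:
    """Names of variables an environment-dumping logger would leak the secret through."""
    return sorted(k for k, v in environ.items() if value and value in v)


def demo():
    # Constructed stand-in for the mount layout shown in the run output above.
    with tempfile.TemporaryDirectory() as root:
        data = Path(root, "..data")
        data.mkdir()
        (data / "secret").write_text("constructed-token-123\n")
        Path(root, "secret").symlink_to("..data/secret")
        file_env = {"SECRET_PATH_MOUNTED_SECRET": str(Path(root, "secret")),
                    "HOME": "/root"}
        # Same value passed directly in a variable, for contrast (hypothetical name).
        env_style = dict(file_env, MY_TOKEN="constructed-token-123")
        value = read_mounted_secret("mounted-secret", file_env)
        return (value,
                env_vars_exposing(value, file_env),
                env_vars_exposing(value, env_style))


if __name__ == "__main__":
    print(demo())
```

With the file mount, a dump of the environment contains only the path; reading the value still requires file access inside the workload.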