Secrets allow you to inject secret values into your runs, such as API keys, passwords, access keys, or any other sensitive information. These secrets can be made accessible inside your run either through a mounted text file or, more typically, as an environment variable. Secrets are available across all the userâs clusters.
For example, secrets can be added as environment variables:
mcli create secret env NAME=my-super-secret-name
â Created environment secret: name
â Synced to all clusters
The above secret is now available inside your runs as the environment variable NAME
with the value my-super-secret-name
.
Secrets can also be injected as mounted text files:
mcli create secret git-ssh ~/.ssh/my_id_rsa
Working with secrets#
In this example, we create a secret, and then show how to access that within a run. First, create an environment variable secret with:
mcli create secret env SECRET_STUFF='super-secret-name'
Now, letâs run a simple âHello Worldâ run, except we access the injected secret in the command with echo Hello $SECRET_STUFF
:
name: hello-secret-user
compute:
gpus: 0
image: python
command: |
echo Hello $SECRET_STUFF!
Creating a run with the above YAML should yield:
> mcli run -f hello-secret-user.yaml
i Run hello-secret-user submitted. Waiting for it to start...
i You can press Ctrl+C to quit and follow your run manually.
â Run hello-secret-user started
i Following run logs. Press Ctrl+C to quit.
Hello super-secret-name!
Secrets by design are not modifiable. To edit the existing secret, delete the secret first and then re-create:
mcli delete secret secret-stuff
mcli create secret env SECRET_STUFF='super-secret-name2'
You can get all of your secrets using:
mcli get secrets
Automatically mounted secrets#
API access via mcli
inside your run is automatically configured with your userâs permissions.
For example, you can launch a run inside a run or make updates to the existing run.