Secrets

Runhouse provides a convenient interface for managing your secrets in a secure manner. Secrets are stored in Vault, and never on Runhouse servers.

See the Accessibility API tutorial for more details on using the Secrets API.

Secrets Factory Methods

runhouse.secret(name: str | None = None, values: Dict | None = None, provider: str | None = None, dryrun: bool = False) → Secret

Builds an instance of Secret.

Parameters:

• name (str, optional) – Name to assign the secret resource.

• values (Dict, optional) – Dictionary of secret key-value pairs.

• dryrun (bool, optional) – Whether to create in dryrun mode. (Default: False)

Returns:

The resulting Secret object.

Return type:

Secret

Example

>>> rh.secret("in_memory_secret", values={"secret_key": "secret_val"})

runhouse.provider_secret(provider: str | None = None, name: str | None = None, values: Dict | None = None, path: str | File | None = None, env_vars: Dict | None = None, dryrun: bool = False) → ProviderSecret

Builds an instance of ProviderSecret. At most one of values, path, and env_vars can be provided, to maintain one source of truth. If None are provided, will infer the values from the default path or env vars for the given provider.

Parameters:

• provider (str) – Provider corresponding to the secret. Currently supported options are: [“aws”, “azure”, “huggingface”, “lambda”, “github”, “gcp”, “ssh”]

• name (str, optional) – Name to assign the resource. If none is provided, resource name defaults to the provider name.

• values (Dict, optional) – Dictionary mapping of secret keys and values.

• path (str or Path, optional) – Path where the secret values are held.

• env_vars (Dict, optional) – Dictionary mapping secret keys to the corresponding environment variable key.

• dryrun (bool) – Whether to creat in dryrun mode. (Default: False)

Returns:

The resulting provider secret object.

Return type:

ProviderSecret

Example

>>> aws_secret = rh.provider_secret("aws")
>>> gcp_secret = rh.provider("gcp", path="~/.gcp/credentials")
>>> lamdba_secret = rh.provider_secret("lambda", values={"api_key": "xxxxx"})

Secret Class

class runhouse.Secret(name: str | None, values: Dict | None = None, dryrun: bool = False, **kwargs)

__init__(name: str | None, values: Dict | None = None, dryrun: bool = False, **kwargs)

Runhouse Secret object.

Note

To create a Secret, please use one of the factory methods.

classmethod builtin_providers(as_str: bool = False) → list

Return list of all Runhouse providers (as class objects) supported out of the box.

delete(headers: Dict | None = None)

Delete the secret config from Den and from Vault/local.

static from_config(config: dict, dryrun: bool = False)

Create a Secret object from a config dictionary.

classmethod from_name(name, dryrun=False)

Load existing Secret via its name.

in_local()

Whether the secret config is stored locally (as opposed to Vault).

in_vault(headers=None)

Whether the secret is stored in Vault

save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)

Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource. If a folder is specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization).

to(system: str | Cluster, name: str | None = None, env: Env | None = None)

Return a copy of the secret on a system.

Parameters:

• system (str or Cluster) – Cluster to send the secret to

• name (str, ooptional) – Name to assign the resource on the cluster.

Example

>>> secret.to(my_cluster, path=secret.path)

classmethod vault_secrets(headers: Dict | None = None) → List[str]

Get secret names that are stored in Vault

ProviderSecret Class

class runhouse.ProviderSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

__init__(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Provider Secret class. Built-in provider classes contain default path and/or environment variable mappings, based on it’s expected usage.

Currently supported built-in providers: anthropic, aws, azure, gcp, github, huggingface, lambda, langchain, openai, pinecone, ssh, sky, wandb.

Note

To create a ProviderSecret, please use the factory method provider_secret().

delete(headers: Dict | None = None, contents: bool = False)

Delete the secret config from Den and from Vault/local. Optionally also delete contents of secret file or env vars.

static from_config(config: dict, dryrun: bool = False)

Create a ProviderSecret object from a config dictionary.

save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)

Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource. If a folder is specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization).

to(system: str | Cluster, path: str | File | None = None, env: str | Env | None = None, values: bool | None = None, name: str | None = None)

Return a copy of the secret on a system.

Parameters:

• system (str or Cluster) – Cluster to send the secret to

• path (str or Path, optional) – Path on cluster to write down the secret values to. If not provided and secret is not already associated with a path, the secret values will not be written down on the cluster.

• env (str or Env, optional) – Env to send the secret to. This will save down the secrets as env vars in the env.

• values (bool, optional) – Whether to save down the values in the resource config. By default, save down values if the secret is not being written down to a file or environment variable. Otherwise, values are not written down. (Default: None)

• name (str, ooptional) – Name to assign the resource on the cluster.

Example

>>> secret.to(my_cluster, path=secret.path)

AWSSecret Class

class runhouse.resources.secrets.provider_secrets.aws_secret.AWSSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create an AWSSecret, please use the factory method provider_secret() with provider="aws".

_PROVIDER = 'aws'

_DEFAULT_CREDENTIALS_PATH = '~/.aws/credentials'

_DEFAULT_ENV_VARS = {'access_key': 'AWS_ACCESS_KEY_ID', 'secret_key': 'AWS_SECRET_ACCESS_KEY'}

AzureSecret Class

class runhouse.resources.secrets.provider_secrets.azure_secret.AzureSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create an AzureSecret, please use the factory method provider_secret() with provider="azure".

_PROVIDER = 'azure'

_DEFAULT_CREDENTIALS_PATH = '~/.azure/clouds.config'

_DEFAULT_ENV_VARS = {'subscription_id': 'AZURE_SUBSCRIPTION_ID'}

GCPSecret Class

class runhouse.resources.secrets.provider_secrets.gcp_secret.GCPSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create a GCPSecret, please use the factory method provider_secret() with provider="gcp".

_PROVIDER = 'gcp'

_DEFAULT_CREDENTIALS_PATH = '~/.config/gcloud/application_default_credentials.json'

_DEFAULT_ENV_VARS = {'client_id': 'CLIENT_ID', 'client_secret': 'CLIENT_SECRET'}

GitHubSecret Class

class runhouse.resources.secrets.provider_secrets.github_secret.GitHubSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create a GitHubSecret, please use the factory method provider_secret() with provider="github".

_PROVIDER = 'github'

_DEFAULT_CREDENTIALS_PATH = '~/.config/gh/hosts.yml'

HuggingFaceSecret Class

class runhouse.resources.secrets.provider_secrets.huggingface_secret.HuggingFaceSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create a HuggingFaceSecret, please use the factory method provider_secret() with provider="huggingface".

_PROVIDER = 'huggingface'

_DEFAULT_CREDENTIALS_PATH = '~/.cache/huggingface/token'

LambdaSecret Class

class runhouse.resources.secrets.provider_secrets.lambda_secret.LambdaSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ProviderSecret

Note

To create a LambdaSecret, please use the factory method provider_secret() with provider="lambda".

_PROVIDER = 'lambda'

_DEFAULT_CREDENTIALS_PATH = '~/.lambda_cloud/lambda_keys'

SSHSecret Class

class runhouse.resources.secrets.provider_secrets.ssh_secret.SSHSecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, key: str | None = None, dryrun: bool = True, **kwargs)

Bases: ProviderSecret

Note

To create a SSHSecret, please use the factory method provider_secret() with provider="ssh".

_PROVIDER = 'ssh'

_DEFAULT_CREDENTIALS_PATH = '~/.ssh'

_DEFAULT_KEY = 'id_rsa'

SkySecret Class

class runhouse.resources.secrets.provider_secrets.sky_secret.SkySecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, dryrun: bool = True, **kwargs)

Bases: SSHSecret

Note

To create a SkySecret, please use the factory method provider_secret() with provider="sky".

_PROVIDER = 'sky'

_DEFAULT_CREDENTIALS_PATH = '~/.ssh'

_DEFAULT_KEY = 'sky-key'

AnthropicSecret Class

class runhouse.resources.secrets.provider_secrets.anthropic_secret.AnthropicSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an AnthropicSecret, please use the factory method provider_secret() with provider="anthropic".

_PROVIDER = 'anthropic'

_DEFAULT_ENV_VARS = {'api_key': 'ANTHROPIC_API_KEY'}

CohereSecret Class

class runhouse.resources.secrets.provider_secrets.cohere_secret.CohereSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an CohereSecret, please use the factory method provider_secret() with provider="cohere".

_PROVIDER = 'cohere'

_DEFAULT_ENV_VARS = {'api_key': 'COHERE_API_KEY'}

LangChainSecret Class

class runhouse.resources.secrets.provider_secrets.langchain_secret.LangChainSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an LangChainSecret, please use the factory method provider_secret() with provider="langchain".

_PROVIDER = 'langchain'

_DEFAULT_ENV_VARS = {'api_key': 'LANGCHAIN_API_KEY'}

OpenAISecret Class

class runhouse.resources.secrets.provider_secrets.openai_secret.OpenAISecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an OpenAISecret, please use the factory method provider_secret() with provider="openai".

_PROVIDER = 'openai'

_DEFAULT_ENV_VARS = {'api_key': 'OPENAI_API_KEY'}

PineconeSecret Class

class runhouse.resources.secrets.provider_secrets.pinecone_secret.PineconeSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an PineconeSecret, please use the factory method provider_secret() with provider="pinecone".

_PROVIDER = 'pinecone'

_DEFAULT_ENV_VARS = {'api_key': 'PINECONE_API_KEY'}

WandBSecret Class

class runhouse.resources.secrets.provider_secrets.wandb_secret.WandBSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)

Bases: ApiKeySecret

Note

To create an WandBSecret, please use the factory method provider_secret() with provider="wandb".

_PROVIDER = 'wandb'

_DEFAULT_ENV_VARS = {'api_key': 'WANDB_API_KEY'}