Secrets#
Runhouse provides a convenient interface for managing your secrets in a secure manner. Secrets are stored in Vault, and never on Runhouse servers.
See the Accessibility API tutorial for more details on using the Secrets API.
Secrets Factory Methods#
- runhouse.secret(name: str | None = None, values: Dict | None = None, provider: str | None = None, dryrun: bool = False) Secret [source]#
Builds an instance of
Secret
.- Parameters:
name (str, optional) – Name to assign the secret resource.
values (Dict, optional) – Dictionary of secret key-value pairs.
dryrun (bool, optional) – Whether to create in dryrun mode. (Default: False)
- Returns:
The resulting Secret object.
- Return type:
Example
>>> rh.secret("in_memory_secret", values={"secret_key": "secret_val"})
- runhouse.provider_secret(provider: str | None = None, name: str | None = None, values: Dict | None = None, path: str | File | None = None, env_vars: Dict | None = None, dryrun: bool = False) ProviderSecret [source]#
Builds an instance of
ProviderSecret
. At most one of values, path, and env_vars can be provided, to maintain one source of truth. If None are provided, will infer the values from the default path or env vars for the given provider.- Parameters:
provider (str) – Provider corresponding to the secret. Currently supported options are: [“aws”, “azure”, “huggingface”, “lambda”, “github”, “gcp”, “ssh”]
name (str, optional) – Name to assign the resource. If none is provided, resource name defaults to the provider name.
values (Dict, optional) – Dictionary mapping of secret keys and values.
path (str or Path, optional) – Path where the secret values are held.
env_vars (Dict, optional) – Dictionary mapping secret keys to the corresponding environment variable key.
dryrun (bool) – Whether to creat in dryrun mode. (Default: False)
- Returns:
The resulting provider secret object.
- Return type:
Example
>>> aws_secret = rh.provider_secret("aws") >>> gcp_secret = rh.provider("gcp", path="~/.gcp/credentials") >>> lamdba_secret = rh.provider_secret("lambda", values={"api_key": "xxxxx"})
Secret Class#
- class runhouse.Secret(name: str | None, values: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
- classmethod builtin_providers(as_str: bool = False) list [source]#
Return list of all Runhouse providers (as class objects) supported out of the box.
- delete(headers: Dict | None = None)[source]#
Delete the secret config from Den and from Vault/local.
- static from_config(config: dict, dryrun: bool = False)[source]#
Create a Secret object from a config dictionary.
- save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)[source]#
Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource. If a folder is specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization).
- to(system: str | Cluster, name: str | None = None, env: Env | None = None)[source]#
Return a copy of the secret on a system.
- Parameters:
system (str or Cluster) – Cluster to send the secret to
name (str, ooptional) – Name to assign the resource on the cluster.
Example
>>> secret.to(my_cluster, path=secret.path)
ProviderSecret Class#
- class runhouse.ProviderSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
- __init__(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Provider Secret class. Built-in provider classes contain default path and/or environment variable mappings, based on it’s expected usage.
Currently supported built-in providers: anthropic, aws, azure, gcp, github, huggingface, lambda, langchain, openai, pinecone, ssh, sky, wandb.
Note
To create a ProviderSecret, please use the factory method
provider_secret()
.
- delete(headers: Dict | None = None, contents: bool = False)[source]#
Delete the secret config from Den and from Vault/local. Optionally also delete contents of secret file or env vars.
- static from_config(config: dict, dryrun: bool = False)[source]#
Create a ProviderSecret object from a config dictionary.
- save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)[source]#
Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource. If a folder is specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization).
- to(system: str | Cluster, path: str | File | None = None, env: str | Env | None = None, values: bool | None = None, name: str | None = None)[source]#
Return a copy of the secret on a system.
- Parameters:
system (str or Cluster) – Cluster to send the secret to
path (str or Path, optional) – Path on cluster to write down the secret values to. If not provided and secret is not already associated with a path, the secret values will not be written down on the cluster.
env (str or Env, optional) – Env to send the secret to. This will save down the secrets as env vars in the env.
values (bool, optional) – Whether to save down the values in the resource config. By default, save down values if the secret is not being written down to a file or environment variable. Otherwise, values are not written down. (Default: None)
name (str, ooptional) – Name to assign the resource on the cluster.
Example
>>> secret.to(my_cluster, path=secret.path)
AWSSecret Class#
- class runhouse.resources.secrets.provider_secrets.aws_secret.AWSSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create an AWSSecret, please use the factory method
provider_secret()
withprovider="aws"
.- _PROVIDER = 'aws'#
- _DEFAULT_CREDENTIALS_PATH = '~/.aws/credentials'#
- _DEFAULT_ENV_VARS = {'access_key': 'AWS_ACCESS_KEY_ID', 'secret_key': 'AWS_SECRET_ACCESS_KEY'}#
AzureSecret Class#
- class runhouse.resources.secrets.provider_secrets.azure_secret.AzureSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create an AzureSecret, please use the factory method
provider_secret()
withprovider="azure"
.- _PROVIDER = 'azure'#
- _DEFAULT_CREDENTIALS_PATH = '~/.azure/clouds.config'#
- _DEFAULT_ENV_VARS = {'subscription_id': 'AZURE_SUBSCRIPTION_ID'}#
GCPSecret Class#
- class runhouse.resources.secrets.provider_secrets.gcp_secret.GCPSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create a GCPSecret, please use the factory method
provider_secret()
withprovider="gcp"
.- _PROVIDER = 'gcp'#
- _DEFAULT_CREDENTIALS_PATH = '~/.config/gcloud/application_default_credentials.json'#
- _DEFAULT_ENV_VARS = {'client_id': 'CLIENT_ID', 'client_secret': 'CLIENT_SECRET'}#
GitHubSecret Class#
- class runhouse.resources.secrets.provider_secrets.github_secret.GitHubSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create a GitHubSecret, please use the factory method
provider_secret()
withprovider="github"
.- _PROVIDER = 'github'#
- _DEFAULT_CREDENTIALS_PATH = '~/.config/gh/hosts.yml'#
HuggingFaceSecret Class#
- class runhouse.resources.secrets.provider_secrets.huggingface_secret.HuggingFaceSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create a HuggingFaceSecret, please use the factory method
provider_secret()
withprovider="huggingface"
.- _PROVIDER = 'huggingface'#
- _DEFAULT_CREDENTIALS_PATH = '~/.cache/huggingface/token'#
LambdaSecret Class#
- class runhouse.resources.secrets.provider_secrets.lambda_secret.LambdaSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create a LambdaSecret, please use the factory method
provider_secret()
withprovider="lambda"
.- _PROVIDER = 'lambda'#
- _DEFAULT_CREDENTIALS_PATH = '~/.lambda_cloud/lambda_keys'#
SSHSecret Class#
- class runhouse.resources.secrets.provider_secrets.ssh_secret.SSHSecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, key: str | None = None, dryrun: bool = True, **kwargs)[source]#
Bases:
ProviderSecret
Note
To create a SSHSecret, please use the factory method
provider_secret()
withprovider="ssh"
.- _PROVIDER = 'ssh'#
- _DEFAULT_CREDENTIALS_PATH = '~/.ssh'#
- _DEFAULT_KEY = 'id_rsa'#
SkySecret Class#
- class runhouse.resources.secrets.provider_secrets.sky_secret.SkySecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, dryrun: bool = True, **kwargs)[source]#
Bases:
SSHSecret
Note
To create a SkySecret, please use the factory method
provider_secret()
withprovider="sky"
.- _PROVIDER = 'sky'#
- _DEFAULT_CREDENTIALS_PATH = '~/.ssh'#
- _DEFAULT_KEY = 'sky-key'#
AnthropicSecret Class#
- class runhouse.resources.secrets.provider_secrets.anthropic_secret.AnthropicSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an AnthropicSecret, please use the factory method
provider_secret()
withprovider="anthropic"
.- _PROVIDER = 'anthropic'#
- _DEFAULT_ENV_VARS = {'api_key': 'ANTHROPIC_API_KEY'}#
CohereSecret Class#
- class runhouse.resources.secrets.provider_secrets.cohere_secret.CohereSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an CohereSecret, please use the factory method
provider_secret()
withprovider="cohere"
.- _PROVIDER = 'cohere'#
- _DEFAULT_ENV_VARS = {'api_key': 'COHERE_API_KEY'}#
LangChainSecret Class#
- class runhouse.resources.secrets.provider_secrets.langchain_secret.LangChainSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an LangChainSecret, please use the factory method
provider_secret()
withprovider="langchain"
.- _PROVIDER = 'langchain'#
- _DEFAULT_ENV_VARS = {'api_key': 'LANGCHAIN_API_KEY'}#
OpenAISecret Class#
- class runhouse.resources.secrets.provider_secrets.openai_secret.OpenAISecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an OpenAISecret, please use the factory method
provider_secret()
withprovider="openai"
.- _PROVIDER = 'openai'#
- _DEFAULT_ENV_VARS = {'api_key': 'OPENAI_API_KEY'}#
PineconeSecret Class#
- class runhouse.resources.secrets.provider_secrets.pinecone_secret.PineconeSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an PineconeSecret, please use the factory method
provider_secret()
withprovider="pinecone"
.- _PROVIDER = 'pinecone'#
- _DEFAULT_ENV_VARS = {'api_key': 'PINECONE_API_KEY'}#
WandBSecret Class#
- class runhouse.resources.secrets.provider_secrets.wandb_secret.WandBSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]#
Bases:
ApiKeySecret
Note
To create an WandBSecret, please use the factory method
provider_secret()
withprovider="wandb"
.- _PROVIDER = 'wandb'#
- _DEFAULT_ENV_VARS = {'api_key': 'WANDB_API_KEY'}#