Secrets are a core component of Kubernetes that enable you to securely store sensitive information such as usernames, passwords, API keys, or authentication tokens for external resource authentication. When you create a secret, it is stored as a base64 encoded file within the Kubernetes cluster, with the name of the secret corresponding to the name of the file.

These encoded secrets can be accessed by mounting the file into your project sessions and deployments, allowing your applications to securely retrieve and use this sensitive information without exposing it in your source code.

Anaconda strongly recommends using secrets as opposed to including credentials in your project, due to the security risk associated with storing them in version control.

Creating a secret

  1. Open the My account dropdown menu in the top navigation, then select Settings.

  2. Under Secrets, click Add.

  3. Enter a name and value for the secret you want to store, then click Add.

    Because secret names are file names, they can only contain alphanumeric characters and underscores.

Secrets you create are listed here, and are stored in the /var/run/secrets/user_credentials/ directory.

Using secrets

To use a secret in a project, you must install the ae5-tools package in your project’s environment.

  • The ae5-tools package is available from Workbench’s internal repository.
  • If you are using an external package repository, you can pull the ae5-tools package from anaconda.org.
  • If you are working in an air-gapped environment, you can download the package here, then transfer it to your cluster.

Then, from within your project, add the following code:

import os
from ae5_tools import load_ae5_user_secrets

This function reads all secrets stored in the /var/run/secrets/user_credentials/ directory and creates environment variables for each defined secret.

For example, let’s say you have defined the following secrets:

MLFLOW_ACCESS_SECRET = "Pa55w0rd"
REDIS_ACCESS_TOKEN = "N0Haxh3r3"

From within one of your projects, you could do the following:

import os
from ae5_tools import load_ae5_user_secrets

mlflow_secret: str = os.environ["MLFLOW_ACCESS_SECRET"]
redis_secret: str = os.environ["REDIS_ACCESS_TOKEN"]

print(mlflow_secret)
print(redis_secret)

There are multiple ways to call environment variables! For example, you could also import the demand_env_var function from the ae5-tools package and call environment variables like this:

import os
from ae5_tools import load_ae5_user_secrets, demand_env_var

mlflow_secret: str = os.environ["MLFLOW_ACCESS_SECRET"]
redis_secret: str = demand_env_var("REDIS_ACCESS_TOKEN")

print(mlflow_secret)
print(redis_secret)

Editing a secret

  1. Open the My account dropdown menu, then select Settings.
  2. Open the actions dropdown menu for your secret and select Edit.
  3. Update the Value for your secret, then click Save.

If you edit the name of a secret, a new secret is created instead.

Deleting a secret

  1. Open the My account dropdown menu, then select Settings.
  2. Open the actions dropdown menu for your secret and select Delete.
  3. Click Delete.