Managing Secrets

Secrets are managed at the workspace level:
  1. Click Secrets in the sidebar.
  2. Click Add Secret.
  3. Enter a descriptive name (e.g., DATADOG_API_KEY).
  4. Select the secret storage type.
  5. Enter the secret value.

Secret Storage

By default, secrets are stored in the SPIN backend. Values are encrypted at rest, and access is controlled via RBAC. In the API, the default store_type is spin_store.

Providing Secrets via Runtime Environment

Secret values can also be provided to the runtime through environment variables. This approach ensures secrets are not stored in the SPIN backend and are not accessible via the API.

  docker run -e MY_SECRET=my-secret-value ...

When creating secrets via the API, set store_type to runtime_env so that the value is read from the runtime environment, and provide the environment variable name in the store_ref field.

Environment Files

You can also provide secrets using environment files.

Using Secrets

Secrets can be accessed when executing notebook cells.

Python

In Python, use the saturn.get_secret function to retrieve a secret value:

  secret_value = saturn.get_secret("MY_SECRET")

Template Substitution

You can use the {{secret:<secret-name>}} syntax to substitute secret values in any string.

Connections

When creating connections, use the {{secret:<secret-name>}} syntax to substitute secret values in the connection configuration. Credentials in connections require you to create or select a secret.
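
The substitution described under Template Substitution and Connections, as an added example that is not SPIN's own code: a resolver for {{secret:<secret-name>}} placeholders that reads spin_store and runtime_env secrets, fails closed on a missing secret, and never re-expands a substituted value. The SECRETS records, the "value" key, the allowed name characters and the function names are assumptions made for illustration.

```python
import os
import re

# Matches the page's {{secret:<secret-name>}} placeholder syntax.
# The allowed name characters are an assumption of this sketch.
PLACEHOLDER = re.compile(r"\{\{secret:([A-Za-z0-9_.-]+)\}\}")

# Constructed sample records using the page's store_type / store_ref fields.
# The "value" key is hypothetical; a real backend would decrypt on access.
SECRETS = {
    "DATADOG_API_KEY": {"store_type": "spin_store", "value": "dd-constructed-123"},
    "DB_PASSWORD": {"store_type": "runtime_env", "store_ref": "MY_SECRET"},
}


def resolve_secret(name, secrets=SECRETS, environ=None):
    """Return the value for one secret, failing closed if it cannot be found."""
    environ = os.environ if environ is None else environ
    record = secrets.get(name)
    if record is None:
        raise KeyError(f"unknown secret: {name}")
    if record["store_type"] == "runtime_env":
        # The value lives only in the runtime's environment, under store_ref.
        ref = record["store_ref"]
        if ref not in environ:
            raise KeyError(f"environment variable {ref} is not set for secret {name}")
        return environ[ref]
    if record["store_type"] == "spin_store":
        return record["value"]
    raise ValueError(f"unsupported store_type: {record['store_type']}")


def render(template, secrets=SECRETS, environ=None):
    """Substitute every placeholder in one pass.

    re.sub does not rescan replacement text, so a secret value that itself
    contains '{{secret:...}}' is inserted literally and never expanded.
    """
    return PLACEHOLDER.sub(lambda m: resolve_secret(m.group(1), secrets, environ), template)


def redact(template):
    """Version of the template that is safe to log: names only, no values."""
    return PLACEHOLDER.sub(lambda m: f"<secret {m.group(1)}>", template)
```

Log the output of redact() rather than render(), so that resolved values stay out of notebook output and application logs.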