Secrets

Runhouse provides a convenient interface for managing your secrets in a secure manner. Secrets are stored in Vault, and never on Runhouse servers.

See the Accessibility API tutorial for more details on using the Secrets API.

Secrets Factory Methods

runhouse.secret(name: str | None = None, values: Dict | None = None, provider: str | None = None, load_from_den: bool = True, dryrun: bool = False) Secret[source]

Builds an instance of Secret.

Parameters:
  • name (str, optional) – Name to assign the secret resource.

  • values (Dict, optional) – Dictionary of secret key-value pairs.

  • load_from_den (bool) – Whether to try loading the secret from Den. (Default: True)

  • dryrun (bool, optional) – Whether to create in dryrun mode. (Default: False)

Returns:

The resulting Secret object.

Return type:

Secret

Example

>>> rh.secret("in_memory_secret", values={"secret_key": "secret_val"})
runhouse.provider_secret(provider: str | None = None, name: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, load_from_den: bool = True, dryrun: bool = False) ProviderSecret[source]

Builds an instance of ProviderSecret. At most one of values, path, and env_vars can be provided, to maintain one source of truth. If None are provided, will infer the values from the default path or env vars for the given provider.

Parameters:
  • provider (str) – Provider corresponding to the secret. Currently supported options are: [“aws”, “azure”, “huggingface”, “lambda”, “github”, “gcp”, “ssh”]

  • name (str, optional) – Name to assign the resource. If none is provided, resource name defaults to the provider name.

  • values (Dict, optional) – Dictionary mapping of secret keys and values.

  • path (str, optional) – Path where the secret values are held.

  • env_vars (Dict, optional) – Dictionary mapping secret keys to the corresponding environment variable key.

  • load_from_den (bool) – Whether to try loading the secret from Den. (Default: True)

  • dryrun (bool) – Whether to create in dryrun mode. (Default: False)

Returns:

The resulting provider secret object.

Return type:

ProviderSecret

Example

>>> aws_secret = rh.provider_secret("aws") >>> gcp_secret = rh.provider("gcp", path="~/.gcp/credentials") >>> lamdba_secret = rh.provider_secret("lambda", values={"api_key": "xxxxx"})

Secret Class

class runhouse.Secret(name: str | None, values: Dict | None = None, dryrun: bool = False, **kwargs)[source]
__init__(name: str | None, values: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Runhouse Secret object.

Note

To create a Secret, please use one of the factory methods.

classmethod builtin_providers(as_str: bool = False) List[source]

Return list of all Runhouse providers (as class objects) supported out of the box.

Parameters:

as_str (bool, optional) – Whether to return the providers as a string or as a class. (Default: False)

delete(headers: Dict | None = None)[source]

Delete the secret config from Den and from Vault/local.

classmethod extract_provider_secrets(names: List[str] | None = None) Dict[str, Secret][source]

Extract secret values from providers. Returns a Dict mapping the provider name to Secret.

Parameters:

names (List[str]) – List of provider names to extract secrets for. If None, returns secrets for all detected providers. (Default: None)

static from_config(config: dict, dryrun: bool = False, _resolve_children: bool = True)[source]

Load or construct resource from config.

Parameters:
  • config (Dict) – Resource config.

  • dryrun (bool, optional) – Whether to construct resource or load as dryrun (Default: False)

classmethod from_name(name, load_from_den: bool = True, dryrun: bool = False, _alt_options: Dict | None = None, _resolve_children: bool = True)[source]

Load existing Resource via its name.

Parameters:
  • name (str) – Name of the resource to load from name.

  • load_from_den (bool, optional) – Whether to try loading the module from Den. (Default: True)

  • dryrun (bool, optional) – Whether to construct the object or load as dryrun. (Default: False)

in_local()[source]

Whether the secret config is stored locally (as opposed to Vault).

in_vault(headers=None)[source]

Whether the secret is stored in Vault

classmethod local_secrets(names: List[str] | None = None) Dict[str, Secret][source]

Get list of local secrets.

Parameters:

names (List[str], optional) – Specific names of local secrets to retrieve. If None, returns all locally detected secrets. (Default: None)

save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)[source]

Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource.

Parameters:
  • name (str, optional) – Name to save the secret resource as.

  • save_values (str, optional) – Whether to save the values of the secret to Vault in addition to saving the metadata to Den. (Default: True)

  • headers (Dict, optional) – Request headers to provide for the request to RNS. Contains the user’s auth token. Example: {"Authorization": f"Bearer {token}"} (Default: None)

  • folder (str, optional) – If specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization). (Default: None)

to(system: str | Cluster, name: str | None = None, env: Env | None = None)[source]

Return a copy of the secret on a system.

Parameters:
  • system (str or Cluster) – Cluster to send the secret to

  • name (str, optional) – Name to assign the resource on the cluster.

  • env (Env, optional) – Env to send the secret to.

Example

>>> secret.to(my_cluster, path=secret.path)
classmethod vault_secrets(headers: Dict | None = None) List[str][source]

Get secret names that are stored in Vault

ProviderSecret Class

class runhouse.ProviderSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]
__init__(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Provider Secret class. Built-in provider classes contain default path and/or environment variable mappings, based on it’s expected usage.

Currently supported built-in providers: anthropic, aws, azure, gcp, github, huggingface, lambda, langchain, openai, pinecone, ssh, sky, wandb.

Note

To create a ProviderSecret, please use the factory method provider_secret().

delete(headers: Dict | None = None, contents: bool = False)[source]

Delete the secret config from Den and from Vault/local. Optionally also delete contents of secret file or env vars.

static from_config(config: dict, dryrun: bool = False, _resolve_children: bool = True)[source]

Create a ProviderSecret object from a config dictionary.

save(name: str | None = None, save_values: bool = True, headers: Dict | None = None, folder: str | None = None)[source]

Save the secret config to Den. Save the secret values into Vault if the user is logged in, or to local if not or if the resource is a local resource.

Parameters:
  • name (str, optional) – Name to save the secret resource as.

  • save_values (str, optional) – Whether to save the values of the secret to Vault in addition to saving the metadata to Den. (Default: True)

  • headers (Dict, optional) – Request headers to provide for the request to RNS. Contains the user’s auth token. Example: {"Authorization": f"Bearer {token}"} (Default: None)

  • folder (str, optional) – If specified, save the secret to that folder in Den (e.g. saving secrets for a cluster associated with an organization). (Default: None)

to(system: str | Cluster, path: str | None = None, env: str | Env | None = None, values: bool | None = None, name: str | None = None)[source]

Return a copy of the secret on a system.

Parameters:
  • system (str or Cluster) – Cluster to send the secret to

  • path (str or Path, optional) – Path on cluster to write down the secret values to. If not provided and secret is not already associated with a path, the secret values will not be written down on the cluster.

  • env (str or Env, optional) – Env to send the secret to. This will save down the secrets as env vars in the env.

  • values (bool, optional) – Whether to save down the values in the resource config. By default, save down values if the secret is not being written down to a file or environment variable. Otherwise, values are not written down. (Default: None)

  • name (str, ooptional) – Name to assign the resource on the cluster.

Example

>>> secret.to(my_cluster, path=secret.path)

AWSSecret Class

class runhouse.resources.secrets.provider_secrets.aws_secret.AWSSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create an AWSSecret, please use the factory method provider_secret() with provider="aws".

_PROVIDER = 'aws'
_DEFAULT_CREDENTIALS_PATH = '~/.aws/credentials'
_DEFAULT_ENV_VARS = {'access_key': 'AWS_ACCESS_KEY_ID', 'secret_key': 'AWS_SECRET_ACCESS_KEY'}

AzureSecret Class

class runhouse.resources.secrets.provider_secrets.azure_secret.AzureSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create an AzureSecret, please use the factory method provider_secret() with provider="azure".

_PROVIDER = 'azure'
_DEFAULT_CREDENTIALS_PATH = '~/.azure/clouds.config'
_DEFAULT_ENV_VARS = {'subscription_id': 'AZURE_SUBSCRIPTION_ID'}

GCPSecret Class

class runhouse.resources.secrets.provider_secrets.gcp_secret.GCPSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create a GCPSecret, please use the factory method provider_secret() with provider="gcp".

_PROVIDER = 'gcp'
_DEFAULT_CREDENTIALS_PATH = '~/.config/gcloud/application_default_credentials.json'
_DEFAULT_ENV_VARS = {'client_id': 'CLIENT_ID', 'client_secret': 'CLIENT_SECRET'}

GitHubSecret Class

class runhouse.resources.secrets.provider_secrets.github_secret.GitHubSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create a GitHubSecret, please use the factory method provider_secret() with provider="github".

_PROVIDER = 'github'
_DEFAULT_CREDENTIALS_PATH = '~/.config/gh/hosts.yml'

HuggingFaceSecret Class

class runhouse.resources.secrets.provider_secrets.huggingface_secret.HuggingFaceSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create a HuggingFaceSecret, please use the factory method provider_secret() with provider="huggingface".

_PROVIDER = 'huggingface'
_DEFAULT_CREDENTIALS_PATH = '~/.cache/huggingface/token'

LambdaSecret Class

class runhouse.resources.secrets.provider_secrets.lambda_secret.LambdaSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ProviderSecret

Note

To create a LambdaSecret, please use the factory method provider_secret() with provider="lambda".

_PROVIDER = 'lambda'
_DEFAULT_CREDENTIALS_PATH = '~/.lambda_cloud/lambda_keys'

SSHSecret Class

class runhouse.resources.secrets.provider_secrets.ssh_secret.SSHSecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, key: str | None = None, dryrun: bool = True, **kwargs)[source]

Bases: ProviderSecret

Note

To create a SSHSecret, please use the factory method provider_secret() with provider="ssh".

_PROVIDER = 'ssh'
_DEFAULT_CREDENTIALS_PATH = '~/.ssh'
_DEFAULT_KEY = 'id_rsa'

SkySecret Class

class runhouse.resources.secrets.provider_secrets.sky_secret.SkySecret(name: str | None = None, provider: str | None = None, values: Dict = {}, path: str | None = None, dryrun: bool = True, **kwargs)[source]

Bases: SSHSecret

Note

To create a SkySecret, please use the factory method provider_secret() with provider="sky".

_PROVIDER = 'sky'
_DEFAULT_CREDENTIALS_PATH = '~/.ssh'
_DEFAULT_KEY = 'sky-key'

AnthropicSecret Class

class runhouse.resources.secrets.provider_secrets.anthropic_secret.AnthropicSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an AnthropicSecret, please use the factory method provider_secret() with provider="anthropic".

_PROVIDER = 'anthropic'
_DEFAULT_ENV_VARS = {'api_key': 'ANTHROPIC_API_KEY'}

CohereSecret Class

class runhouse.resources.secrets.provider_secrets.cohere_secret.CohereSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an CohereSecret, please use the factory method provider_secret() with provider="cohere".

_PROVIDER = 'cohere'
_DEFAULT_ENV_VARS = {'api_key': 'COHERE_API_KEY'}

LangChainSecret Class

class runhouse.resources.secrets.provider_secrets.langchain_secret.LangChainSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an LangChainSecret, please use the factory method provider_secret() with provider="langchain".

_PROVIDER = 'langchain'
_DEFAULT_ENV_VARS = {'api_key': 'LANGCHAIN_API_KEY'}

OpenAISecret Class

class runhouse.resources.secrets.provider_secrets.openai_secret.OpenAISecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an OpenAISecret, please use the factory method provider_secret() with provider="openai".

_PROVIDER = 'openai'
_DEFAULT_ENV_VARS = {'api_key': 'OPENAI_API_KEY'}

PineconeSecret Class

class runhouse.resources.secrets.provider_secrets.pinecone_secret.PineconeSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an PineconeSecret, please use the factory method provider_secret() with provider="pinecone".

_PROVIDER = 'pinecone'
_DEFAULT_ENV_VARS = {'api_key': 'PINECONE_API_KEY'}

WandBSecret Class

class runhouse.resources.secrets.provider_secrets.wandb_secret.WandBSecret(name: str | None = None, provider: str | None = None, values: Dict | None = None, path: str | None = None, env_vars: Dict | None = None, dryrun: bool = False, **kwargs)[source]

Bases: ApiKeySecret

Note

To create an WandBSecret, please use the factory method provider_secret() with provider="wandb".

_PROVIDER = 'wandb'
_DEFAULT_ENV_VARS = {'api_key': 'WANDB_API_KEY'}