Runhouse provides a convenient interface for managing your secrets in a secure manner. Secrets are stored in Vault, and never on Runhouse servers.

See Secrets in Vault for more details on using the Secrets API.


class runhouse.Secrets[source]

Handles cluster secrets management (reading and writing) across all major cloud providers. Secrets are securely stored in Hashicorp Vault.

classmethod builtin_providers(as_str: bool = False) list[source]

Return list of all Runhouse providers (as class objects) supported out of the box.

classmethod delete_from_local_env(providers: List[str] | None = None)[source]

Delete secrets credential files and use in Runhouse configs for list of specified providers. If none are provided, will delete secrets for all providers which have been enabled in the local environment.


>>> rh.Secrets.delete_from_local_env(provider=["lambda"])
classmethod delete_from_vault(providers: List[str] | None = None)[source]

Delete secrets from Vault for specified providers.


providers (List[str] or None) – Providers to delete from vault. If not set, will delete secrets for all providers which have been enabled in the local environment.


>>> rh.Secrets.delete_from_vault()
classmethod delete_secrets_file(file_path: str | tuple | None = None)[source]

Delete local credentials file. If no path is provided will use the default path set for the provider.


>>> rh.Secrets.delete_secrets_file() >>> rh.Secrets.delete_secrets_file("~/.aws/credentials")
classmethod download_into_env(save_locally: bool = True, providers: List[str] | None = None, headers: Dict | None = None, check_enabled: bool = True) Dict[source]

Get all user secrets from Vault. Optionally save them down to local config files (where relevant).


>>> rh.Secrets.download_into_env(providers=["aws", "lambda"])
classmethod enabled_providers(as_str: bool = False) List[source]

Returns a list of cloud provider classes which Runhouse supports out of the box. If as_str is True, return the names of the providers as strings.


>>> rh.Secrets.enabled_providers(as_str=True)
classmethod extract_and_upload(headers: Dict | None = None, interactive=False, providers: List[str] | None = None)[source]

Upload all locally configured secrets into Vault. Secrets are loaded from their local config files. (ex: ~/.aws/credentials). To upload custom secrets for custom providers, see Secrets.put()


>>> rh.Secrets.extract_and_upload(providers=["aws", "lambda"])
classmethod get(provider: str, save_to_env: bool = False, group: str | None = None) dict[source]

Read secrets from the Vault service for a given provider and optionally save them to their local config. If group is provided will read secrets for the specified group.


>>> rh.get(provider="lambda") >>> # returns {"api_key": *****}
classmethod load_provider_secrets(from_env: bool = False, providers: List | None = None) Dict[str, Dict][source]

Load secret credentials for all the providers which have been configured locally, or optionally provide a list of specific providers to load. Returns a dictionary with provider name as the key and secrets dictionary as value.


>>> rh.Secrets.load_provider_secrets(providers=["aws"])
classmethod put(provider: str, from_env: bool = False, file_path: str | None = None, secret: dict | None = None, group: str | None = None, headers: dict | None = None)[source]

Upload locally configured secrets for a specified provider into Vault. To upload custom provider secrets, include the secret param and specify the keys and values to upload.

  • from_env (bool) – Whether to read secrets from environment variables instead of local config files. (Default: False)

  • file_path (str or None) – If provided, will read secrets directly from specified file instead of default config file.

  • secret (dict or None) – Dict mapping provider secrets to value, if not loading from env or file.

  • group (str or None) – If provided, will attribute secrets to the specified group.


>>> rh.put(provider="lambda", secret={"api_key": *****}) >>> rh.put(provider="aws", file_path="~/.aws/credentials")
classmethod save_provider_secrets(secrets: dict, check_enabled=True)[source]

Save secrets for each provider to their respective local configs.


>>> rh.Secrets.save_provider_secrets(secrets={"lambda": {"api_key": ******}})
classmethod save_secrets(secrets: Dict, overwrite: bool = False) Dict[source]

Save secrets for providers to their respective configs.

classmethod to(system: str | Cluster, providers: List[str] | None = None)[source]

Copy secrets to the desired cluster for a list of builtin providers.

  • system (str or Cluster) – Cluster to send secrets to.

  • providers (List[str] or None) – Providers to send secrets for. If no providers are specified, will load all builtin providers that are already enabled.


>>>, providers=["aws", "lambda"])
classmethod update(provider: str, secrets: dict)[source]

Add new keys to existing secrets saved for a given provider in Vault.


>>> rh.Secrets.update(provider="lambda", secrets={"api_key": new_api_key})