Best practices for secrets
Securely store and access passwords, tokens, keys, and more
Use the secrets dashboard in your Baseten workspace to store sensitive data like access tokens, API keys, and passwords.
Every secret is a key-value pair with a “name” and “token.” Tokens can be multiple lines, which is useful for secrets like SSH and PGP keys.
Adding, updating, and deleting secrets immediately affects all models that use said secrets.
Deploying models with secrets
When you deploy a model, use the --trusted flag to give it access to secrets in your Baseten workspace:
truss push --trusted
Using secrets in Truss
In your Truss, add the secret name in config.yaml but set the value to null:
...
secrets:
hf_access_token: null
...
Never set the actual value of the secret in config.yaml or any other file that gets committed to your codebase.
Then, access the secret from the secrets keyword argument in your model.py initialization:
def __init__(self, **kwargs):
self._secrets = kwargs["secrets"]
You can then use the self._secrets dictionary in the load and predict functions:
def load(self):
self._model = pipeline(
"fill-mask",
model="baseten/docs-example-gated-model",
use_auth_token=self._secrets["hf_access_token"]
)