Truss manages API keys, access tokens, passwords, and other secrets so you don’t have to expose them in code.
Create a secret
- Go to Secrets in your account settings.
- Enter the name and value of the secret, for example
hf_access_token and hf_....
- Select Add secret.
To create a secret with the API, use the following command:curl --request POST \
--url https://api.baseten.co/v1/secrets \
--header "Authorization: Bearer $BASETEN_API_KEY" \
--data '{
"name": "hf_access_token",
"value": "hf_..."
}'
Use secrets in your model
Once you’ve created a secret, declare it in your config.yaml and access it in your model code.
Never store actual secret values in config.yaml. Use null as a placeholder.
The secret in your config.yaml is a reference to the key in the secret manager.
config.yaml:
secrets:
hf_access_token: null
Model class. To access them, store the secrets in __init__:
def __init__(self, **kwargs):
self._secrets = kwargs["secrets"]
load or predict method by accessing it with the key:
def load(self):
self._model = pipeline(
"fill-mask",
model="baseten/docs-example-gated-model",
use_auth_token=self._secrets["hf_access_token"]
)
Use secrets in custom Docker images
When using custom Docker images, Truss
injects secrets into your container at /secrets/{secret_name} instead of
passing them through kwargs.
You must specify the reference to the secret and then access it in your start_command or application code.
Specify the reference to the secret in config.yaml:
secrets:
hf_access_token: null
Read secrets in your start_command
To read a secret in your start_command:
docker_server:
start_command: sh -c "HF_TOKEN=$(cat /secrets/hf_access_token) my-server --port 8000"
Read secrets in application code
To read a secret in application code:
with open("/secrets/hf_access_token", "r") as f:
hf_token = f.read().strip()
