Skip to main content
Truss allows you to securely manage API keys, access tokens, passwords, and other secrets without exposing them in code.

Create a secret

  1. Go to the workspace settings and select Secret.
  2. Enter the name and value of the secret, for examplehf_access_token and hf_....
  3. Select Add secret.

Use secrets in your model

Once you’ve created a secret, declare it in your config.yaml and access it in your model code.
Never store actual secret values in config.yaml. Use null as a placeholder. The secret in your config.yaml is a reference to the key in the secret manager.
Specify the reference to the secret in config.yaml:
config.yaml
secrets:
  hf_access_token: null
Secrets are passed as keyword arguments to the Model class. To access them, store the secrets in __init__:
main.py
def __init__(self, **kwargs):
    self._secrets = kwargs["secrets"]
Then use the secret in load or predict section of your model by accessing the secret using the key:
main.py
def load(self):
    self._model = pipeline(
        "fill-mask",
        model="baseten/docs-example-gated-model",
        use_auth_token=self._secrets["hf_access_token"]
    )

Use secrets in custom Docker images

When using custom Docker images, Truss injects secrets into your container at /secrets/{secret_name} instead of passing them through kwargs. You must specify the reference to the secret and then access it in your start_command or application code. Specify the reference to the secret in config.yaml:
config.yaml
secrets:
  hf_access_token: null

Read secrets in your start_command

To read a secret in your start_command:
config.yaml
docker_server:
  start_command: sh -c "HF_TOKEN=$(cat /secrets/hf_access_token) my-server --port 8000"

Read secrets in application code

To read a secret in application code:
main.py
with open("/secrets/hf_access_token", "r") as f:
    hf_token = f.read().strip()