How to Use and Manage Paperspace Secrets

Secrets provide a mechanism to securely store and work with sensitive information (such as an API key) within Paperspace. Secrets can be safely injected into workloads as environment variables. An environment variable that uses a Secret does not reveal the contents of the secret itself.

When a workload uses another service that authenticates with an API key, you can store the key as a Secret within Paperspace and pass it into the workload that requires it. This prevents the key itself from being visible to other team members. It also guards against accidentally exposing the API key, for example by checking it into source control.

Secrets can be created at the following levels:

  • Team: these secrets are applied to all projects and all clusters

  • Project: these secrets are applied to all Workflows in a project

  • Cluster: these secrets are applied to all Workflows in a cluster

If the same secret name is created for more than one scope, only one is applied. Secrets with the same name have the following precedence:

  • Cluster secrets take precedence over Team secrets
  • Project secrets take precedence over both Cluster secrets and Team secrets.

Set a Secret

You can set secrets from the Settings tab in the console or through the CLI.

Navigate to one of the following:

  • The Secrets tab under Team settings

  • The Settings tab under a Project

  • The Secrets tab in the details of a Cluster under the Team settings Clusters tab

These correspond to Team, Project, and Cluster secrets respectively. Type in the name and value of the secret, and click Add to save.

Set team secret:

gradient secrets set team --name=<name> --value=<secret>

Set project secret:

gradient secrets set project --id=<project_id> --name=<name> --value=<secret>

Set cluster secret:

gradient secrets set cluster --id=<cluster_id> --name=<name> --value=<secret>

For the full list of options, see the CLI reference.

You can inject secrets into workloads as environment variables using the secret:my_secret_env syntax. For example, you can pass an environment variable into your deployment spec as shown below:

env: # container environment variables
- name: some-env
  value: some-value
- name: secret-env
  value: secret:my_secret_env # stored as a project or team secret. Naming is arbitrary.
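
The precedence rules and the secret: syntax above can be checked together before a spec is deployed. The following is an added example, not Paperspace code: it models the documented precedence to report which scope supplies each secret: reference in an env list, which same-named secrets are shadowed, and which references match no stored secret. The function name audit_env, the sample secret names, and the hand-assembled per-scope name sets are assumptions.

```python
# Added example: models the precedence documented on this page.
# Not Paperspace code; audit_env and all sample names are hypothetical.
PRECEDENCE = ("project", "cluster", "team")  # highest precedence first
PREFIX = "secret:"

def audit_env(env, names_by_scope):
    """Return one finding per env entry that uses the secret:<name> syntax.

    env            -- list of {"name": ..., "value": ...} dicts from a spec
    names_by_scope -- {"team": {...}, "cluster": {...}, "project": {...}}
                      holding secret names only, never secret values
    """
    findings = []
    for entry in env:
        value = str(entry.get("value", ""))
        if not value.startswith(PREFIX):
            continue  # literal value, not a secret reference
        secret = value[len(PREFIX):]
        holders = [s for s in PRECEDENCE
                   if secret in names_by_scope.get(s, set())]
        findings.append({
            "env": entry["name"],
            "secret": secret,
            "winner": holders[0] if holders else None,  # None = unresolved
            "shadowed": holders[1:],  # scopes whose same-named secret is ignored
        })
    return findings

# Constructed sample data for illustration only.
SAMPLE_ENV = [
    {"name": "some-env", "value": "some-value"},
    {"name": "secret-env", "value": "secret:my_secret_env"},
    {"name": "db-env", "value": "secret:db_password"},
    {"name": "typo-env", "value": "secret:my_secret_evn"},  # misspelled name
]
SAMPLE_SCOPES = {
    "team": {"my_secret_env", "db_password"},
    "cluster": {"db_password"},
    "project": {"my_secret_env"},
}

if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV, SAMPLE_SCOPES):
        status = f["winner"] or "UNRESOLVED"
        print(f'{f["env"]}: {f["secret"]} -> {status}, shadowed={f["shadowed"]}')
```

A non-empty shadowed list means a same-named secret in a lower-precedence scope is being ignored, which matters when rotating a key in only one scope.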

List Secrets

You can list secrets from the Settings tab in the console or through the CLI.

Navigate to the Project, Team, or Cluster page, as with setting a secret above. The names of secrets in that scope that are already stored are listed.

List team secrets:

gradient secrets list team

List project secrets:

gradient secrets list project --id=<Project ID>

List cluster secrets:

gradient secrets list cluster --id=<Cluster ID>

Delete a Secret

Navigate to the Project, Team, or Cluster page, as with setting a secret above. Click the Delete button and confirm the dialog.

Delete team secret:

gradient secrets delete team --name=<name>

Delete project secret:

gradient secrets delete project --id=<Project ID> --name=<name>

Delete cluster secret:

gradient secrets delete cluster --id=<Cluster ID> --name=<name>

Store API Key as Secret

Certain actions within Gradient require incorporating your API key to authenticate requests. In cases where your API key is used within code or commands that may be visible within your Gradient team (for example, in a Notebook) or in other locations (for example, when checking your code into source control), you can use Secrets to mask your unique API key.

  1. Create a new API key.

    Go to the API Keys tab under team settings, type a name for the key, and click Add.

    Once your key is created, copy the key to your clipboard.

  2. Save the key as a Secret.

    API keys can be added in a similar way to other secrets: type a name, paste the API key in the Value field, and click Add.
