Spice Secret Stores
Secret stores manage sensitive data like API keys, passwords, and tokens. The env store is loaded by default.
Basic Configuration
secrets:
  - from: <store_type>
    name: <store_name>
Supported Secret Stores
| Store | From Format | Description |
|-------|-------------|-------------|
| Environment | env | Environment variables + .env / .env.local files (default) |
| Kubernetes | kubernetes:<secret_name> | Kubernetes secrets |
| AWS Secrets Manager | aws_secrets_manager | AWS Secrets Manager |
| Keyring | keyring | OS keyring (macOS Keychain, Linux, Windows) |
Default: Environment Variables
Loaded automatically. Reads from environment variables and any .env.local or .env files in the project directory.
secrets:
  - from: env
    name: env
Referencing Secrets
Use ${ store_name:KEY_NAME } syntax in component parameters:
datasets:
  - from: postgres:my_table
    name: my_table
    params:
      pg_user: ${ env:PG_USER }
      pg_pass: ${ env:PG_PASSWORD }
models:
  - from: openai:gpt-4o
    name: gpt4
    params:
      openai_api_key: ${ secrets:OPENAI_API_KEY }
References also work inside longer strings, such as connection strings:
params:
  mysql_connection_string: mysql://${env:USER}:${env:PASSWORD}@localhost:3306/db
Searching All Stores
Use ${ secrets:KEY } to search all configured stores in precedence order (last defined wins):
secrets:
  - from: env
    name: env
  - from: keyring
    name: keyring
datasets:
  - from: postgres:my_table
    name: my_table
    params:
      pg_user: ${ secrets:pg_user } # checks keyring first, then env
      pg_pass: ${ secrets:pg_pass }
The key name is automatically uppercased when it is looked up in the env secret store, so `${ secrets:pg_user }` falls back to the `PG_USER` environment variable if the keyring has no `pg_user` entry.
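To make the resolution rules above concrete (store-qualified references, `${ secrets:KEY }` searching every configured store with last-defined-wins precedence, uppercasing for the env store, and interpolation inside longer strings), here is a small added model of that behaviour. It is not Spice's own resolver and does not read real stores: the store contents, the `SAMPLE_STORES` ordering and the function names are constructed for this example.

```python
"""Model of the ${ store:KEY } secret-reference syntax described above.

Added example: this is NOT Spice's own resolver. It models the documented
behaviour (store-qualified lookup, `secrets:` searching every configured store
with last-defined-wins precedence, uppercasing of keys for the env store, and
interpolation inside longer strings) against constructed in-memory stores so
it runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

Store = Tuple[str, Dict[str, str]]  # (store name, key -> secret value)

# Constructed sample data standing in for real stores (assumption for this example).
# Order mirrors a spicepod that defines env first and keyring last, so keyring wins.
SAMPLE_STORES: List[Store] = [
    ("env", {"PG_USER": "app", "PG_PASSWORD": "env-pass",
             "USER": "web", "PASSWORD": "s3cret"}),
    ("keyring", {"pg_user": "ring-user", "pg_pass": "ring-pass"}),
]

# ${ store:KEY } with optional whitespace inside the braces, e.g. ${ env:PG_USER } or ${env:USER}
_REF = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*:\s*([A-Za-z0-9_.\-]+)\s*\}")


class SecretNotFound(KeyError):
    """Raised when a reference cannot be resolved; the message names the key, never a value."""


def lookup(stores: List[Store], store_name: str, key: str) -> Optional[str]:
    """Look up KEY in one named store; the env store uppercases the key first."""
    for name, data in stores:
        if name == store_name:
            return data.get(key.upper() if name == "env" else key)
    raise SecretNotFound(f"unknown secret store '{store_name}'")


def resolve_ref(stores: List[Store], store_name: str, key: str) -> Tuple[str, str]:
    """Resolve one reference and return (value, name of the store it came from).

    `secrets` is the virtual store that searches every configured store with
    last-defined-wins precedence, so the store list is walked in reverse.
    """
    if store_name == "secrets":
        candidates = [name for name, _ in reversed(stores)]
    else:
        candidates = [store_name]
    for name in candidates:
        value = lookup(stores, name, key)
        if value is not None:
            return value, name
    raise SecretNotFound(f"secret '{key}' not found in stores {candidates}")


def render_param(stores: List[Store], template: str) -> str:
    """Substitute every ${ store:KEY } in a parameter string, including inside longer strings."""
    return _REF.sub(lambda m: resolve_ref(stores, m.group(1), m.group(2))[0], template)


def render_params(stores: List[Store], params: Dict[str, str]) -> Dict[str, str]:
    """Render a component's params block. Never log the result: it holds plaintext secrets."""
    return {k: render_param(stores, v) for k, v in params.items()}


def resolution_sources(stores: List[Store], params: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: for each param, which store each reference resolved from (no values)."""
    return {
        k: [resolve_ref(stores, m.group(1), m.group(2))[1] for m in _REF.finditer(v)]
        for k, v in params.items()
    }


if __name__ == "__main__":
    # Dataset params mirroring the documentation: keyring is consulted first, then env.
    params = {
        "pg_user": "${ secrets:pg_user }",
        "pg_pass": "${ secrets:pg_pass }",
        "pg_password": "${ secrets:pg_password }",  # only env has this, as PG_PASSWORD
        "mysql_connection_string": "mysql://${env:USER}:${env:PASSWORD}@localhost:3306/db",
    }
    render_params(SAMPLE_STORES, params)  # would be handed to the component, not printed
    for key, sources in resolution_sources(SAMPLE_STORES, params).items():
        print(f"{key}: resolved from {sources}")
```

Reversing `SAMPLE_STORES` (keyring first, env last) makes `${ secrets:pg_user }` resolve from env instead, which is exactly the override-order case: whichever store is defined last shadows the others for any key they share, so check `resolution_sources` rather than assuming a keyring value is the one in use.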
Examples
Kubernetes Secrets
secrets:
  - from: kubernetes:my-app-secrets
    name: k8s
AWS Secrets Manager
secrets:
  - from: aws_secrets_manager
    name: aws
    params:
      aws_region: us-east-1
Override Order (env overrides keyring)
Because the last defined store wins for `${ secrets:KEY }` lookups, listing env after keyring lets an environment variable shadow a keyring entry of the same name:
secrets:
  - from: keyring
    name: keyring
  - from: env
    name: env