Secrets
The Secrets module provides secure management of sensitive data such as API keys, database passwords, authentication tokens, and other confidential information in the Datalayer platform. Secrets are encrypted at rest and securely transmitted to runtimes when needed.
Overview
Secrets in Datalayer provide a secure way to store and manage sensitive information that your applications need without hardcoding them in your source code. All secrets are encrypted and access-controlled, ensuring that only authorized users and runtimes can access them.
Key Features
- Secure Storage: All secrets are encrypted at rest using industry-standard encryption
- Access Control: Fine-grained access control based on user permissions and roles
- Multiple Types: Support for different secret types (generic, passwords, keys, tokens)
- Runtime Integration: Seamless integration with Datalayer runtimes for secure access
Secret Types
The platform supports several types of secrets:
- Generic: General-purpose secrets for any type of sensitive data
- Password: User passwords and authentication credentials
- Key: API keys, encryption keys, and access keys
- Token: Authentication tokens, JWT tokens, and OAuth tokens
Secret Class
The Secret class represents a secret with the following attributes:
- uid: Unique identifier for the secret
- name: Human-readable name of the secret
- description: Description of the secret's purpose
- secret_type: Type of secret (generic, password, key, token)
- kwargs: Additional metadata associated with the secret
Creating Secrets
Basic Secret Creation
Create a simple generic secret:
from datalayer_core import DatalayerClient
client = DatalayerClient()
secret = client.create_secret(
name="DATABASE_PASSWORD",
description="Production database password",
value="super-secure-password-123!"
)
print(f"Secret created: {secret.name}")
print(f"Secret UID: {secret.uid}")
Creating Typed Secrets
Create secrets with specific types for better organization:
from datalayer_core import DatalayerClient
from datalayer_core.secrets import SecretType
client = DatalayerClient()
# Create an API key secret
api_secret = client.create_secret(
name="OPENAI_API_KEY",
description="OpenAI API key for GPT access",
value="sk-1234567890abcdef...",
secret_type=SecretType.KEY
)
# Create a password secret
db_secret = client.create_secret(
name="POSTGRES_PASSWORD",
description="PostgreSQL database password",
value="secure_db_password_2024",
secret_type=SecretType.PASSWORD
)
# Create a token secret
auth_secret = client.create_secret(
name="JWT_SIGNING_TOKEN",
description="JWT token signing secret",
value="jwt-signing-secret-key-xyz789",
secret_type=SecretType.TOKEN
)
print(f"Created {api_secret.secret_type} secret: {api_secret.name}")
print(f"Created {db_secret.secret_type} secret: {db_secret.name}")
print(f"Created {auth_secret.secret_type} secret: {auth_secret.name}")
Listing and Managing Secrets
List All Secrets
View all secrets accessible to your account:
from datalayer_core import DatalayerClient
client = DatalayerClient()
secrets = client.list_secrets()
print(f"Found {len(secrets)} secrets:")
for secret in secrets:
print(f" - {secret.name}")
print(f" UID: {secret.uid}")
print(f" Type: {secret.secret_type}")
print(f" Description: {secret.description}")
print("---")
Filter Secrets by Type
Organize secrets by filtering by type:
from datalayer_core import DatalayerClient
from datalayer_core.secrets import SecretType
client = DatalayerClient()
all_secrets = client.list_secrets()
# Group secrets by type
secrets_by_type = {
SecretType.GENERIC: [],
SecretType.PASSWORD: [],
SecretType.KEY: [],
SecretType.TOKEN: []
}
for secret in all_secrets:
if secret.secret_type in secrets_by_type:
secrets_by_type[secret.secret_type].append(secret)
# Display organized results
for secret_type, secrets in secrets_by_type.items():
if secrets:
print(f"\n{secret_type.upper()} SECRETS ({len(secrets)}):")
for secret in secrets:
print(f" - {secret.name}: {secret.description}")
Search Secrets
Find secrets by name or description:
from datalayer_core import DatalayerClient
def find_secrets(client, search_term):
"""Find secrets by name or description."""
all_secrets = client.list_secrets()
matching_secrets = []
for secret in all_secrets:
if (search_term.lower() in secret.name.lower() or
search_term.lower() in secret.description.lower()):
matching_secrets.append(secret)
return matching_secrets
client = DatalayerClient()
# Search for database-related secrets
db_secrets = find_secrets(client, "database")
print(f"Found {len(db_secrets)} database-related secrets:")
for secret in db_secrets:
print(f" - {secret.name}: {secret.description}")
# Search for API keys
api_secrets = find_secrets(client, "api")
print(f"\nFound {len(api_secrets)} API-related secrets:")
for secret in api_secrets:
print(f" - {secret.name}: {secret.description}")
Deleting Secrets
Remove a secret by UID or Secret object:
from datalayer_core import DatalayerClient
client = DatalayerClient()
# Delete by UID
result = client.delete_secret("secret-uid-12345")
print(f"Deletion result: {result}")
# Delete by Secret object
secrets = client.list_secrets()
if secrets:
old_secret = secrets[0] # Delete the first secret
result = client.delete_secret(old_secret)
print(f"Deleted secret '{old_secret.name}': {result}")
Notes
- Encryption: All secrets are encrypted at rest and in transit
- Access Control: Secrets are subject to user permissions and role-based access control
- Audit Logging: All secret operations are logged for security auditing
- Value Limitations: Secret values have size limitations (typically 64KB max)
- Immutability: Secret values cannot be modified after creation; create new secrets for updates
- Cleanup: Regularly audit and clean up unused secrets to maintain security hygiene
- Integration: Secrets integrate seamlessly with Datalayer runtimes and environments
- Best Practices: Follow the principle of least privilege and rotate secrets regularly