Skip to main content
Secrets allow providing sensitive values to your Tensorlake functions in a secure manner without having to put them into your code.

Storing secrets

You can store secrets on Tensorlake Cloud using the CLI: 
tl secrets set AWS_ACCESS_KEY=MY_AWS_ACCESS_KEY
tl secrets set OPENAI_API_KEY=MY_OPENAI_API_KEY

Using secrets

Stored secrets are available as environment variables within your Tensorlake functions: 
@application()
@function(secrets=["AWS_ACCESS_KEY", "OPENAI_API_KEY"])
def my_function() -> str:
    aws_access_key = os.environ["AWS_ACCESS_KEY"]
    openai_api_key = os.environ["OPENAI_API_KEY"]
    ...

Secrets and application deployment

When you add or update a secret used by an already deployed application, it needs to get redeployed for the new secret values to take effect.

CLI Commands

List Secrets

List secrets that have been previously set. Values are not shown for security reasons. 
$ tl secrets list

| Name        | Created At |
| ----------- | ---------- |
| SECRET_NAME | Date       |

Set a Secret

Set a secret will create or update a secret. 
$ tl secrets set <SECRET_NAME>=<SECRET_VALUE> [<SECRET_NAME>=<SECRET_VALUE>]

Unset a Secret

tl secrets unset <SECRET_NAME> [<SECRET_NAME>]

Security

Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity. Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict isolation boundaries. Secrets remain encrypted at rest and are only decrypted in-memory on dataplane machines running workflows that requires those secrets, with all communication secured through mutual TLS (mTLS).

See Also

Product Scraper Tutorial

Tutorial that demonstrates using secrets with the OpenAI API in a deployed workflow.