Skip to main content
Secrets allow providing sensitive values to your Tensorlake functions in a secure manner without having to put them into your code.

Storing secrets

You can store secrets on Tensorlake Cloud using the CLI:

Using secrets

Stored secrets are available as environment variables within your Tensorlake functions:

Secrets and application deployment

When you add or update a secret used by an already deployed application, it needs to get redeployed for the new secret values to take effect.

CLI Commands

List Secrets

List secrets that have been previously set. Values are not shown for security reasons.

Set a Secret

Set a secret will create or update a secret.

Unset a Secret

Security

Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity. Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict isolation boundaries. Secrets remain encrypted at rest and are only decrypted in-memory on dataplane machines running workflows that requires those secrets, with all communication secured through mutual TLS (mTLS).