Secrets allow providing sensitive values to your functions in a secure manner without having to put them into your code.

Storing secrets

You can store secrets on Tensorlake Serverless using the CLI:
$ tensorlake secrets set AWS_ACCESS_KEY=MY_AWS_ACCESS_KEY
$ tensorlake secrets set OPENAI_API_KEY=MY_OPENAI_API_KEY

Using secrets

Stored secrets are available as environment variables within your Tensorlake functions:
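import os

from tensorlake.applications import application, function

@application()
@function(secrets=["AWS_ACCESS_KEY", "OPENAI_API_KEY"])
def my_function() -> str:
    # Each name listed in `secrets` is exposed as an environment variable.
    aws_access_key = os.environ["AWS_ACCESS_KEY"]
    openai_api_key = os.environ["OPENAI_API_KEY"]
    ...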
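
Because secrets arrive as plain environment variables, the function body is where they are most likely to leak into logs or error messages. The following is an added example, not part of the Tensorlake documentation or SDK: it fails fast when a declared secret is missing (reporting names only) and masks secret values in log records. The names `load_secrets`, `RedactSecrets` and `demo` are hypothetical, and the sample values are constructed.

```python
import logging
import os


class MissingSecretError(RuntimeError):
    """Raised when a declared secret is not present in the environment."""


def load_secrets(names, environ=None):
    """Return {name: value} for every declared secret, or fail listing only names."""
    environ = os.environ if environ is None else environ
    # An empty value is treated as missing, so no empty string reaches the filter.
    missing = sorted(n for n in names if not environ.get(n))
    if missing:
        # Report names only; never echo values or dump the environment.
        raise MissingSecretError("secrets not set: " + ", ".join(missing))
    return {n: environ[n] for n in names}


class RedactSecrets(logging.Filter):
    """Logging filter that masks any secret value appearing in a log message."""

    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret that contains another is masked whole.
        self._values = sorted(secrets.values(), key=len, reverse=True)

    def filter(self, record):
        message = record.getMessage()  # format first, then scrub the result
        for value in self._values:
            message = message.replace(value, "[REDACTED]")
        record.msg, record.args = message, None
        return True


def demo():
    # Constructed sample environment; these are placeholders, not real keys.
    env = {"AWS_ACCESS_KEY": "constructed-aws-key-0001",
           "OPENAI_API_KEY": "constructed-openai-key-0002"}
    secrets = load_secrets(["AWS_ACCESS_KEY", "OPENAI_API_KEY"], environ=env)
    record = logging.LogRecord("app", logging.ERROR, "demo.py", 0,
                               "request failed, key=%s",
                               (secrets["OPENAI_API_KEY"],), None)
    RedactSecrets(secrets).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    print(demo())
```

Attach the filter to a handler (`handler.addFilter(RedactSecrets(secrets))`) rather than to a single logger, so records propagated from library loggers are scrubbed as well.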

Secrets and application deployment

When you add or update a secret used by an already deployed application, the application must be redeployed for the new secret values to take effect.

CLI Commands

List Secrets

List secrets that have been previously set. Values are not shown for security reasons.
$ tensorlake secrets list

| Name        | Created At |
| ----------- | ---------- |
| SECRET_NAME | Date       |

Set a Secret

Setting a secret creates it, or updates it if it already exists.
$ tensorlake secrets set <SECRET_NAME>=<SECRET_VALUE> [<SECRET_NAME>=<SECRET_VALUE>]

Unset a Secret

$ tensorlake secrets unset <SECRET_NAME> [<SECRET_NAME>]

Security

Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity. Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict isolation boundaries. Secrets remain encrypted at rest and are decrypted only in memory, on dataplane machines running workflows that require those secrets. All communication is secured with mutual TLS (mTLS).