Secrets allow providing sensitive values to your functions in a secure manner without having to put them into your code.

Storing secrets

You can store secrets on Tensorlake Serverless using the CLI: 
tensorlake secrets set AWS_ACCESS_KEY=MY_AWS_ACCESS_KEY
tensorlake secrets set OPENAI_API_KEY=MY_OPENAI_API_KEY

Using secrets

Stored secrets are available as environment variables within your Tensorlake Serverless functions: 
@tensorlake_function(secrets=["AWS_ACCESS_KEY", "OPENAI_API_KEY"])
def node() -> str:
    aws_access_key = os.environ["AWS_ACCESS_KEY"]
    openai_api_key = os.environ["OPENAI_API_KEY"]
    ...

graph = Graph(name="secret-graph", start_node=node)

CLI Commands

List Secrets

List secrets that have been previously set. Values are not shown for security reasons. 
$ tensorlake secrets list

| Name        | Created At |
| ----------- | ---------- |
| SECRET_NAME | Date       |

Set a Secret

Set a secret will create or update a secret. 
$ tensorlake secrets set <SECRET_NAME>=<SECRET_VALUE> [<SECRET_NAME>=<SECRET_VALUE>]

Unset a Secret

tensorlake secrets unset <SECRET_NAME> [<SECRET_NAME>]

Security

Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity. Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict isolation boundaries. Secrets remain encrypted at rest and are only decrypted in-memory on dataplane machines running workflows that requires those secrets, with all communication secured through mutual TLS (mTLS).