Skip to main content

Secrets Management

Securely managing sensitive information like API keys, database credentials, and authentication tokens is critical for production workflows. This project provides the Secret class for task-level injection and FastAPIPassthroughAuthMiddleware for building applications that act on behalf of authenticated users.

Injecting Secrets into Tasks

You can inject secrets into your tasks by passing Secret objects to the @task decorator. By default, secrets are mounted as environment variables.

import os
import flyte
from flyte import Secret, task

# Default: Secret is available as MY_API_KEY (uppercase, - replaced with _)
@task(secrets=Secret(key="my-api-key"))
async def task_with_secret():
    api_key = os.environ["MY_API_KEY"]
    print(f"Using secret: {api_key}")

# Custom environment variable name
@task(secrets=Secret(key="openai-key", as_env_var="OPENAI_API_KEY"))
async def task_with_custom_env():
    api_key = os.environ["OPENAI_API_KEY"]

Mounting Secrets as Files

If your application requires secrets to be read from the filesystem, you can specify a mount path.

Note: Currently, the only supported mount path is /etc/flyte/secrets.

import pathlib
import flyte
from flyte import Secret, TaskEnvironment

# Define environment with a file-mounted secret
env = TaskEnvironment(
    "secret-env",
    secrets=Secret(
        group="user-creds", 
        key="ssh-key", 
        mount=pathlib.Path("/etc/flyte/secrets")
    ),
)

@env.task
def read_secret_file() -> str:
    # Secrets are mounted at /etc/flyte/secrets/{group}/{key}
    # The key in the filename is typically lowercase
    secret_path = pathlib.Path("/etc/flyte/secrets/user-creds/ssh-key")
    return secret_path.read_text()

Using Secrets in Image Builds

Secrets can also be used during the image build process, for example, to provide credentials for private package repositories or system updates.

from flyte import Image, Secret

image = (
    Image.from_debian_base(install_flyte=False)
    .with_apt_packages("vim", secret_mounts=["/tmp/secret1"])
    .with_pip_packages(
        "private-package", 
        secret_mounts=[Secret(group="aws", key="id", as_env_var="AWS_ACCESS_KEY_ID")]
    )
)

Authentication Passthrough for Applications

When building a web application (like a FastAPI webhook) that interacts with Flyte, you often want the application to perform actions using the credentials of the user making the request.

The FastAPIPassthroughAuthMiddleware automatically extracts authentication headers (like Authorization or Cookie) and propagates them to the Flyte control plane.

Implementation Example

To use passthrough authentication, you must initialize Flyte using init_passthrough() and add the middleware to your FastAPI app.

from fastapi import FastAPI
from flyte.app.extras._auth_middleware import FastAPIPassthroughAuthMiddleware
import flyte
from flyte.remote import User

app = FastAPI()

@app.on_event("startup")
async def startup_event():
    # Initialize Flyte with Passthrough auth mode
    await flyte.init_passthrough()

# Add middleware to extract headers and set Flyte context
app.add_middleware(
    FastAPIPassthroughAuthMiddleware, 
    excluded_paths={"/health"}
)

@app.get("/me")
async def get_current_user():
    # The Flyte context is automatically populated with the user's credentials
    # from the incoming request headers.
    user = await User.get.aio()
    return {"subject": user.subject()}

Manual Credential Propagation

If you are not using FastAPI or need to manually set authentication metadata for a specific block of code, use the auth_metadata context manager.

from flyte.remote import auth_metadata, User

async def manual_auth_call(token: str):
    # Manually inject a bearer token into the Flyte context
    with auth_metadata(("authorization", f"Bearer {token}")):
        user = await User.get.aio()
        return user.subject()

Troubleshooting

Invalid Environment Variable Names

The as_env_var parameter must match the regex ^[A-Z_][A-Z0-9_]*$. If you provide an invalid name (e.g., containing dashes or starting with a number), the Secret class will raise a ValueError during initialization.

Restricted Mount Paths

If you attempt to mount a secret to any path other than /etc/flyte/secrets, the SDK will raise a ValueError. This is a current limitation of the implementation in flyte._secret.Secret.

Missing Authentication Headers

If FastAPIPassthroughAuthMiddleware is active and a request arrives without Authorization or Cookie headers (and the path is not in excluded_paths), the middleware will return a 401 Unauthorized response immediately.