search
GitHubStart free

user-secretSecrets

Registering and using secrets.

ZenML secrets are groupings of key-value pairs which are securely stored in the ZenML secrets store. Additionally, a secret always has a name that allows you to fetch or reference them in your pipelines and stacks. Secrets are essential for both traditional ML workflows (database credentials, model registry access) and AI agent development (LLM API keys, third-party service credentials).

hashtag
How to create a secret

To create a secret with a name <SECRET_NAME> and a key-value pair, you can run the following CLI command:

zenml secret create <SECRET_NAME> \
    --<KEY_1>=<VALUE_1> \
    --<KEY_2>=<VALUE_2>

# Another option is to use the '--values' option and provide key-value pairs in either JSON or YAML format.
zenml secret create <SECRET_NAME> \
    --values='{"key1":"value2","key2":"value2"}'

# Example: Create secrets for LLM API keys
zenml secret create openai_secret \
    --api_key=sk-proj-... \
    --organization_id=org-...

zenml secret create anthropic_secret \
    --api_key=sk-ant-api03-...

# Example: Create secrets for multi-agent system credentials
zenml secret create agent_tools_secret \
    --google_search_api_key=AIza... \
    --weather_api_key=abc123 \
    --database_url=postgresql://user:pass@host/db

# Create a private secret (only you can access it)
zenml secret create my_private_secret --private \
    --api_key=secret-value
circle-info

By default, secrets are public (visible to other users based on RBAC). Use --private or -p to create a secret only you can access. See Private and public secrets for more details.

Alternatively, you can create the secret in an interactive session (in which ZenML will query you for the secret keys and values) by passing the --interactive/-i parameter:

For secret values that are too big to pass as a command line argument, or have special characters, you can also use the special @ syntax to indicate to ZenML that the value needs to be read from a file:

The CLI also includes commands that can be used to list, update and delete secrets. A full guide on using the CLI to create, access, update and delete secrets is available herearrow-up-right.

Interactively register missing secrets for your stack

If you're using components with secret references in your stack, you need to make sure that all the referenced secrets exist. To make this process easier, you can use the following CLI command to interactively register all secrets for a stack:

hashtag
Private and public secrets

ZenML secrets can be either private or public:

  • Private secrets are only accessible to the user who created them. No other user can view, use, or manage a private secret, regardless of their role or permissions.

  • Public secrets (the default) are accessible to other users based on your RBAC configuration. On ZenML Pro, access to public secrets is governed by your role-based access control settings.

circle-info

The private property takes precedence over RBAC. A private secret is only visible to its creator, even if RBAC would otherwise grant access to other users.

hashtag
Creating private secrets

By default, secrets are created as public (private=False). To create a private secret:

circle-exclamation

Currently, setting the private status is only available via the CLI and Python SDK. The dashboard UI does not yet support creating or modifying private secrets.

hashtag
Fetching secrets with the same name

Since private and public secrets exist in separate namespaces, you can have both a private and a public secret with the same name. When fetching a secret by name without specifying its visibility:

  • ZenML searches private secrets first, then public secrets

  • The first match is returned

To explicitly fetch a secret of a specific visibility:

hashtag
Updating secret visibility

You can change a secret's visibility after creation:

hashtag
Accessing registered secrets

hashtag
Reference secrets in stack component attributes and settings

Some of the components in your stack require you to configure them with sensitive information like passwords or tokens, so they can connect to the underlying infrastructure. Secret references allow you to configure these components in a secure way by not specifying the value directly but instead referencing a secret by providing the secret name and key. Referencing a secret for the value of any string attribute of your stack components, simply specify the attribute using the following syntax: {{<SECRET_NAME>.<SECRET_KEY>}}

For example:

When using secret references in your stack, ZenML will validate that all secrets and keys referenced in your stack components exist before running a pipeline. This helps us fail early so your pipeline doesn't fail after running for some time due to some missing secret.

This validation by default needs to fetch and read every secret to make sure that both the secret and the specified key-value pair exist. This can take quite some time and might fail if you don't have permission to read secrets.

You can use the environment variable ZENML_SECRET_VALIDATION_LEVEL to disable or control the degree to which ZenML validates your secrets:

  • Setting it to NONE disables any validation.

  • Setting it to SECRET_EXISTS only validates the existence of secrets. This might be useful if the machine you're running on only has permission to list secrets but not actually read their values.

  • Setting it to SECRET_AND_KEY_EXISTS (the default) validates both the secret existence as well as the existence of the exact key-value pair.

hashtag
Fetch secret values in a step

If you are using centralized secrets management, you can access secrets directly from within your steps through the ZenML Client API. This allows you to use your secrets for querying APIs from within your step without hard-coding your access keys:

ZenML Scarf
PreviousCode RepositoriesNextEnvironment Variables

Last updated

Was this helpful?