Secrets

Secrets provide a dictionary of environment variables for images.

Secrets are a secure way to add credentials and other sensitive information to the containers your functions run in. You can create and edit secrets on the dashboard, or programmatically from Python code.

Using secrets

To inject secrets into the container running your function, you add the secret= or secrets=[...] argument to your stub.function annotation. For deployed secrets (typically secrets defined on the Modal website) you can refer to your secrets using ref(secret_name).

For example, if you have a secret called secret-keys containing the key MY_PASSWORD:

import os
import modal

stub = modal.Stub()

@stub.function(secret=modal.ref("secret-keys"))
def some_function():
    secret_key = os.environ["MY_PASSWORD"]
    ...

Each secret can contain multiple keys and values but you can also inject multiple secrets, allowing you to separate secrets into smaller reusable units:

@stub.function(secrets=[
    modal.ref("my-secret-name"),
    modal.ref("other-secret"),
])
def other_function():
    ...

Programmatic creation of secrets

In addition to defining secrets on the modal web page, you can programmatically create a secret directly in your script and send it along to your function using Secret(...). This can be useful if you want to send secrets from your local development machine to the remote modal App.

import os
import modal

stub = modal.Stub()
stub["my_local_secret"] = modal.Secret({"FOO": os.environ["LOCAL_FOO"]})

@stub.function(secret=stub["my_local_secret"])
def some_function():
    print(os.environ["FOO"])

Deploying secrets

Sometimes, it can be convenient to not have to go through the website to save or update secrets. You can then deploy secrets similar to how you deploy other objects to Modal, which has the same effect as publishing a secret on the web page:

# secret.py

import modal

stub = modal.Stub("my-secret-name")
stub["secret"] = modal.Secret({"FOO": "BAR"})

You can then run

modal app deploy secret.py

The secrets deployed this way will also show up on the dashboard.