What are Secrets?

Secrets are encrypted key-value pairs for storing sensitive data like API keys, database credentials, and tokens. They are scoped to your project and automatically injected into runs as environment variables.

How Secrets Work

  1. Create a secret with a key name and value
  2. Secrets are encrypted at rest using AWS KMS
  3. Automatically injected into all runs as environment variables
  4. Referenced by name in data source and catalog configurations

Creating a Secret

  1. Navigate to Secrets in your project sidebar
  2. Click Create secret
  3. Enter a key name (e.g., DATABASE_URL, API_KEY)
  4. Enter the secret value
  5. Click Create
The secret will be available as an environment variable in all future runs.

Secret Key Naming

Keys must contain only:
  • Alphanumeric characters (a-z, A-Z, 0-9)
  • Dashes (-)
  • Underscores (_)
  • Dots (.)
Examples: DATABASE_URL, api.key, my-secret-key, AWS_ACCESS_KEY_ID

Using Secrets

As Environment Variables

Secrets are automatically available as environment variables in your runs:
import os

# Access a secret in your code
database_url = os.environ["DATABASE_URL"]
api_key = os.environ["API_KEY"]
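The lookup above raises a bare KeyError on the first absent key. The following is an added example, not code from this product: it checks every required secret at startup, reports missing ones by name only, and masks secret values in log text. The helper names (load_secrets, redact, MissingSecretsError) and the sample values are hypothetical.

```python
import os
import re

# Character set from the "Secret Key Naming" rules: alphanumerics, dash, underscore, dot.
KEY_PATTERN = re.compile(r"[A-Za-z0-9._-]+")


class MissingSecretsError(RuntimeError):
    """Raised when required secrets are absent; the message lists key names only."""


def is_valid_key(key):
    return bool(KEY_PATTERN.fullmatch(key))


def load_secrets(required, env=None):
    """Return {key: value} for every required key, or raise before any work starts."""
    env = os.environ if env is None else env
    invalid = [k for k in required if not is_valid_key(k)]
    if invalid:
        raise ValueError(f"invalid secret key names: {invalid}")
    # An empty string is treated as missing so a blank value fails early.
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise MissingSecretsError(f"missing secrets: {', '.join(sorted(missing))}")
    return {k: env[k] for k in required}


def redact(text, secrets):
    """Replace any secret value appearing in text with a placeholder naming its key."""
    # Longest values first so a value that contains another is replaced whole.
    for key, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, f"<redacted:{key}>")
    return text


if __name__ == "__main__":
    # Constructed sample environment; real runs read os.environ.
    sample_env = {"DATABASE_URL": "postgres://app:s3cr3t@db.internal/app", "api.key": "k-12345"}
    secrets = load_secrets(["DATABASE_URL", "api.key"], env=sample_env)
    print(redact("connecting to postgres://app:s3cr3t@db.internal/app", secrets))
    try:
        load_secrets(["DATABASE_URL", "API_KEY"], env=sample_env)
    except MissingSecretsError as exc:
        print(exc)
```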

In Data Sources and Catalogs

When configuring data sources and catalogs, you can reference secrets by name:

S3 Data Source credentials:
{
  "aws_access_key_id": "AKIA...",
  "aws_secret_access_key": "..."
}
Supabase Storage credentials:
{
  "access_key_id": "...",
  "secret_access_key": "..."
}
Unity Catalog token:
dapi123456789abcdef...

Security

  • Encrypted at rest: All secrets use AWS KMS encryption
  • Project isolation: Secrets are only accessible within their project
  • Value masking: Secret values are never displayed after creation
  • Audit trail: Creation and update timestamps are tracked

Best Practices

  1. Use descriptive names: PROD_DATABASE_URL is better than DB
  2. Rotate regularly: Update secrets periodically for security
  3. Minimal access: Only create secrets that are needed
  4. Separate environments: Use different secrets for dev/staging/prod