Passing secrets to remote machine

[ErwannMillon]

Hi there,
Was wondering what the best practices are for passing secrets/keys to a worker provisioned with skypilot.
Currently, I'm using skypilot to run a docker image.

I saw this example in your docs for wandb creds:

file_mounts:
  ~/.netrc: ~/.netrc

For docker, I could do the same file_mount for a .env file and then mount the .env to the docker container.

Just wanted to know if this is the best way to manage secrets with skypilot, and how secure this approach would be.
Best,
Erwann

[Michaelvll]

Thanks for the question @ErwannMillon! This approach should be safe as long as you trust the cloud provider and the VMs you created.
We have several ways to pass the secret:

1. sky launch --env WANDB_API_KEY which will pass the environment variable to the remote VM, when your job is running.
2. In your task yaml, you can specify the envvar as the following:

envs:
  MY_ENVVAR: env-var-value
  MY_ENVVAR2: env-var-value2

We are also figuring out the easiest way for our users to manage the secrets. Please let us know which way you prefer. : )

[ErwannMillon]

Hi,
Thanks a lot for the quick answer!
Will implement this. For future, I like the idea of adding env vars from a .env file
Thanks for the great work :))

[Michaelvll]

This issue seesms to be resolved by #2295 #2296. You could now have a .env file and run your job with sky launch --env-file .env : )