Secret Management#

NVIDIA Cloud Functions (NVCF) lets you configure secrets to manage sensitive data that your container needs at runtime. Secrets can be specified when a function is created and managed afterwards, subject to the function's state (see Managing Secrets for Existing Functions below). Secret values can be plain strings (UI or API) or JSON objects (API only).

Adding Secrets During Function Creation#

When creating a new function, you can specify secrets that your container will use. This can be done via the NVCF UI or API. The maximum total size of all secrets for one function is 8KB. If certificates are specified as secrets, they must be base64 encoded.

Using the UI#

  1. Navigate to a function.

  2. Click the three dots on the right under Actions and select Manage Secrets.

  3. In the Secrets section, enter the key and value for each secret:

    1. Key: Enter the name of the secret.

    2. Value: Enter the value of the secret.

  4. Click Add Secret to include additional secrets.

  5. Complete the rest of the function configuration and save.

Note

Secret values can only be simple strings in the UI at this time. Specifying JSON objects as secret values is currently not available in the UI.

Using the API#

You can specify secrets with JSON values when creating a function using the API.

POST /v2/nvcf/function
Authorization: Bearer <ssa-jwt> with register_function scope
Content-Type: application/json

{
    "name": "secrets",
    "inferenceUrl": "/test",
    "inferencePort": 8000,
    "containerImage": "nvcr.io/your-repo/secret-sample-container:1.0.0",
    "health": {
        "protocol": "HTTP",
        "uri": "/health",
        "port": 8000,
        "timeout": "PT10S",
        "expectedStatusCode": 200
    },
    "secrets": [
        {
            "name": "AWS_ACCESS_KEY_ID",
            "value": "root-key-id"
        },
        {
            "name": "AWS_SECRET_ACCESS_KEY",
            "value": "root-access-key"
        },
        {
            "name": "testing.site.com",
            "value": {
                "AWS_REGION": "us-west-2",
                "AWS_BUCKET": "content",
                "AWS_ACCESS_KEY_ID": "content-key-id",
                "AWS_SECRET_ACCESS_KEY": "content-access-key",
                "AWS_SESSION_TOKEN": "content-session-token"
            }
        },
        {
            "name": "test.s3.us-west-2.amazonaws.com",
            "value": {
                "AWS_ACCESS_KEY_ID": "s3.us-west-2-key-id",
                "AWS_SECRET_ACCESS_KEY": "s3.us-west-2-access-key"
            }
        }
    ]
}

Managing Secrets for Existing Functions#

Secrets for existing functions can be managed through the NVCF UI or API. Depending on the function’s state, different actions are allowed.

Function States and Secret Management Rules#

  • Inactive Functions (with or without existing secrets):

    • Add and edit secrets.

  • Active Functions with existing secrets:

    • Edit secrets only.

  • Functions in Deploying or Error state, or Active functions without existing secrets:

    • Secret management is not allowed.

Using the UI#

To manage secrets for an existing function:

  1. Navigate to the function’s details page.

  2. Click on Actions and select Manage Secrets.

  3. Depending on the function’s state:

    1. If the function is inactive, you can add and edit secrets; if it is active with existing secrets, you can edit the existing values only:

      1. Key: Enter the name of the secret.

      2. Value: Enter the value of the secret.

      3. Click Add Secret to include additional secrets (inactive functions only).

      4. Click Save Secrets to save changes.

    2. If the function is active without existing secrets, the UI will display the following message:

    Note

    No Secrets to Manage

    This selected function has no secrets to manage.

    To add secrets, first stop this function version’s active deployment.

  4. Click Cancel to exit without saving changes if needed.

Using the API#

To update secrets for an existing function, use the following API call. The secrets array can hold as many entries as the 8KB limit allows; the two below are examples.

PUT /v2/nvcf/secrets/functions/{functionId}/versions/{functionVersionId}
Authorization: Bearer <ssa-jwt> with update_secrets scope
Content-Type: application/json

{
    "secrets": [
        {
            "name": "s3.eu-north-1.amazonaws.com",
            "value": {
                "AWS_ACCESS_KEY_ID": "s3.eu-north-1-key-id",
                "AWS_SECRET_ACCESS_KEY": "s3.eu-north-1-access-key"
            }
        },
        {
            "name": "example.com",
            "value": {
                "API_KEY": "example-api-key",
                "API_SECRET": "example-api-secret"
            }
        }
    ]
}

Note

When updating secrets via the API, you can specify JSON objects as secret values.
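The creation call and the update call above carry the same "secrets" array, so the checks worth making before sending either one are the same: base64-encode any certificate, reject values that are neither a string nor a JSON object, and stay under the 8KB cap. The following is an added example written for this page, not an NVCF SDK or code from the project. The endpoint path, scope and limits are the ones stated above; how NVCF measures the 8KB (here taken as the UTF-8 length of the compactly serialized secrets array) and the base_url and token parameters are this example's assumptions. The request is built but not sent.

```python
"""Build and size-check an NVCF secrets payload before sending it.

Added example, not NVCF's own client. Assumed: the 8KB limit is measured
on the serialized "secrets" array, and base_url/token are supplied by the
caller (the SSA JWT should come from a secret store or environment, never
from source).
"""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Union

MAX_SECRETS_BYTES = 8 * 1024            # per-function cap stated on this page
SecretValue = Union[str, Dict[str, Any]]  # UI accepts str only; API accepts both


def encode_certificate(pem: Union[str, bytes]) -> str:
    """Certificates must be base64-encoded before being stored as a secret."""
    if isinstance(pem, str):
        pem = pem.encode("utf-8")
    return base64.b64encode(pem).decode("ascii")


def build_secrets(secrets: Dict[str, SecretValue]) -> List[Dict[str, Any]]:
    """Turn {name: value} into the [{"name": ..., "value": ...}] shape the API expects."""
    out: List[Dict[str, Any]] = []
    for name, value in secrets.items():
        if not isinstance(name, str) or not name:
            raise ValueError("secret name must be a non-empty string")
        if not isinstance(value, (str, dict)):
            raise TypeError(f"{name}: value must be a string or a JSON object")
        out.append({"name": name, "value": value})
    return out


def needs_api(secrets: List[Dict[str, Any]]) -> bool:
    """True if any value is a JSON object, which the UI cannot enter."""
    return any(isinstance(s["value"], dict) for s in secrets)


def secrets_size(secrets: List[Dict[str, Any]]) -> int:
    """Assumed measure for the 8KB cap: compact UTF-8 serialization of the array."""
    return len(json.dumps(secrets, separators=(",", ":")).encode("utf-8"))


def check_size(secrets: List[Dict[str, Any]]) -> int:
    """Raise before the API does, with the actual byte count in the message."""
    size = secrets_size(secrets)
    if size > MAX_SECRETS_BYTES:
        raise ValueError(f"secrets total {size} bytes, limit is {MAX_SECRETS_BYTES}")
    return size


def update_request(base_url: str, token: str, function_id: str,
                   version_id: str, secrets: List[Dict[str, Any]]) -> urllib.request.Request:
    """Build PUT /v2/nvcf/secrets/functions/{id}/versions/{version} (not sent here)."""
    check_size(secrets)
    body = json.dumps({"secrets": secrets}).encode("utf-8")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/v2/nvcf/secrets/functions/{function_id}/versions/{version_id}",
        data=body,
        method="PUT",
        headers={"Authorization": f"Bearer {token}",   # needs update_secrets scope
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample input mirroring the shapes on this page.
    demo_cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    payload = build_secrets({
        "AWS_ACCESS_KEY_ID": "root-key-id",
        "test.s3.us-west-2.amazonaws.com": {
            "AWS_ACCESS_KEY_ID": "s3.us-west-2-key-id",
            "AWS_SECRET_ACCESS_KEY": "s3.us-west-2-access-key",
        },
        "ca.crt": encode_certificate(demo_cert),
    })
    print("bytes used:", check_size(payload), "api only:", needs_api(payload))
```

To actually send the request, pass the returned Request to urllib.request.urlopen (or your HTTP client of choice) from code that has the SSA JWT in hand; keep the token out of logs and out of the payload itself.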

Listing Secrets in the API#

When listing functions, you will only see the secret names, not the values. Secret values are write-only: the API never returns them once they have been stored.

Using Secrets in the Inference Container#

Note

The inference container reads secrets from /var/secrets/secrets.json to authenticate with external systems. The inotify API cannot be used to watch this file for changes. When secrets are updated or new ones are added via the UI or API, /var/secrets/secrets.json is updated in place automatically, so the inference container must periodically re-read the file and reload it to pick up the latest values.

Secrets in Container-based Functions#

The secrets will be mounted into the container at /var/secrets/secrets.json. Here is a sample file:

{
    "secret-key-1": "value-1",
    "secret-key-2": "value-2",
    "secret-key-3": {
        "nested-things-1": "test"
    }
}

Secrets in Helm Chart Functions#

The secrets will be mounted into all containers in the helm chart at /var/secrets/secrets.json.

Considerations and Limitations#

  • Secret values in the UI: secret values can only be simple strings in the UI at this time; JSON object values require the API.

  • The maximum total size of all secrets for one function is 8KB.

  • If certificates are specified as secrets, they must be base64 encoded.