Support Injecting Secrets into Apps Running in the Cloud #14612
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
app (removed)
12 tasks
alecmerdler
force-pushed
the
LAI2-10393
branch
from
3fcff82 to
e51a6cc
Compare
awaelchli
approved these changes
Sep 8, 2022
manskx
reviewed
Sep 8, 2022
manskx
reviewed
Sep 8, 2022
manskx
approved these changes
Sep 8, 2022
alecmerdler
requested review from
tchaton,
hhsecond,
williamFalcon,
Borda,
kaushikb11 and
rohitgr7
as code owners
alecmerdler
force-pushed
the
LAI2-10393
branch
from
f34bd5f to
b2c75eb
Compare
|
This needs documentation @Felonious-Spellfire |
alecmerdler
force-pushed
the
LAI2-10393
branch
from
eafc08b to
d1dcf86
Compare
alecmerdler
force-pushed
the
LAI2-10393
branch
from
61c91db to
5d286d0
Compare
rohitgr7
approved these changes
Sep 12, 2022
12 tasks
alecmerdler
force-pushed
the
LAI2-10393
branch
3 times, most recently
from
8751291 to
f9529e5
Compare
alecmerdler
force-pushed
the
LAI2-10393
branch
6 times, most recently
from
4a6c0c2 to
abfd373
Compare
krshrimali
approved these changes
Sep 14, 2022
alecmerdler
force-pushed
the
LAI2-10393
branch
from
abfd373 to
b3d0cab
Compare
Borda
reviewed
Sep 14, 2022
alecmerdler
force-pushed
the
LAI2-10393
branch
2 times, most recently
from
e1acedd to
e807d20
Compare
|
@hhsecond The |
hhsecond
approved these changes
Sep 14, 2022
alecmerdler
force-pushed
the
LAI2-10393
branch
from
e807d20 to
d7829ce
Compare
Adds a new '--secret' flag to 'lightning run app': lightning run app --cloud --secret MY_SECRET=my-secret-name app.py When the Lightning App runs in the cloud, the 'MY_SECRET' environment variable will be populated with the value of the referenced Secret. The value of the Secret is encrypted in the database, and will only be decrypted and accessible to the Flow/Work processes in the cloud.
alecmerdler
force-pushed
the
LAI2-10393
branch
from
d7829ce to
60f4013
Compare
| Encrypted Secrets | ||
| ################# | ||
|
|
||
| We understand that many Apps require access to private data like API keys, access tokens, database passwords, or other credentials. And that you need to protect this data. |
There was a problem hiding this comment.
I would remove "We understand", just say "Many apps require access..."
There was a problem hiding this comment.
There was a problem hiding this comment.
Please review my PR. The structure was completely changed
|
|
||
| We understand that many Apps require access to private data like API keys, access tokens, database passwords, or other credentials. And that you need to protect this data. | ||
|
|
||
| Secrets provie a secure way to make private data like API keys or passwords accessible to your app, without hardcoding. You can use secrets to authenticate third-party services/solutions. |
There was a problem hiding this comment.
There was a problem hiding this comment.
Please review my PR. The structure was completely changed and this typo came across when it was.
Comment on lines
+14
to
+23
| ******************* | ||
| Overview of Secrets | ||
| ******************* | ||
|
|
||
| The ``--secret`` option has been added to the **lightning run app** command. ``--secret`` can be used by itself or alongside ``--env``. | ||
|
|
||
| When a Lightning App (App) **runs in the cloud**, the Secret can be exposed to the App using environment variables. | ||
| The value of the Secret is encrypted in the Lightning.ai database, and is only decrypted and accessible to | ||
| LightningFlow (Flow) or LightningWork (Work) processes in the cloud (when you use the ``--cloud`` option running your App). | ||
|
|
There was a problem hiding this comment.
There was a problem hiding this comment.
Please review my PR. The structure was completely changed
| ---- | ||
|
|
||
| ********************* | ||
| Use Encrypted Secrets |
There was a problem hiding this comment.
If this is specific to lightning cloud, we should say "Add secrets to Lightning Cloud"
There was a problem hiding this comment.
There was a problem hiding this comment.
I'm gonna disagree on this. It's called out that this is only available in the cloud in several places. What we want to point out is how they should be using the feature correctly.
| Use Encrypted Secrets | ||
| ********************* | ||
|
|
||
| First, a Secret must be created using the admin web UI. Once you create a Secret, you can bind it to any of your Apps. You do not need to create a new Secret for each App if the Secret value is the same. |
There was a problem hiding this comment.
Step 1- Log into lighning.ai to add your secrets.
Avatar > Profile > secrets > add a secret
Add a screenshot/gif of how to do that
There was a problem hiding this comment.
|
|
||
| First, a Secret must be created using the admin web UI. Once you create a Secret, you can bind it to any of your Apps. You do not need to create a new Secret for each App if the Secret value is the same. | ||
|
|
||
| .. note:: |
There was a problem hiding this comment.
Step 2- Add a secret
There was a problem hiding this comment.
|
|
||
| In the example below, we already used the admin UI to create a Secret named ``my-secret`` with the value ``some-value``` and will bind it to the environment variable ``MY_APP_SECRET`` within our App. The binding is accomplished by using the ``--secret`` option when running the App from the Lightning CLI. | ||
|
|
||
| The ``--secret``` option works similar to ``--env``, but instead of providing a value, you provide the name of the Secret which will be replaced with with the value that you want to bind to the environment variable: |
There was a problem hiding this comment.
Step 3- Add env variable to your app
There was a problem hiding this comment.
|
|
||
| The ``--secret``` option works similar to ``--env``, but instead of providing a value, you provide the name of the Secret which will be replaced with with the value that you want to bind to the environment variable: | ||
|
|
||
| .. code:: bash |
There was a problem hiding this comment.
Step 4- add the secret to the lighnging app
There was a problem hiding this comment.
@nohalon |
Borda
pushed a commit
that referenced
this pull request
Oct 19, 2022
Adds a new '--secret' flag to 'lightning run app': lightning run app --cloud --secret MY_SECRET=my-secret-name app.py When the Lightning App runs in the cloud, the 'MY_SECRET' environment variable will be populated with the value of the referenced Secret. The value of the Secret is encrypted in the database, and will only be decrypted and accessible to the Flow/Work processes in the cloud. Co-authored-by: Sherin Thomas <[email protected]> Co-authored-by: Noha Alon <[email protected]> Co-authored-by: thomas chaton <[email protected]> (cherry picked from commit 71719b9)
Borda
pushed a commit
that referenced
this pull request
Oct 19, 2022
Adds a new '--secret' flag to 'lightning run app': lightning run app --cloud --secret MY_SECRET=my-secret-name app.py When the Lightning App runs in the cloud, the 'MY_SECRET' environment variable will be populated with the value of the referenced Secret. The value of the Secret is encrypted in the database, and will only be decrypted and accessible to the Flow/Work processes in the cloud. Co-authored-by: Sherin Thomas <[email protected]> Co-authored-by: Noha Alon <[email protected]> Co-authored-by: thomas chaton <[email protected]> (cherry picked from commit 71719b9)
lantiga
pushed a commit
that referenced
this pull request
Oct 20, 2022
* Support Injecting Secrets into Apps Running in the Cloud (#14612) Adds a new '--secret' flag to 'lightning run app': lightning run app --cloud --secret MY_SECRET=my-secret-name app.py When the Lightning App runs in the cloud, the 'MY_SECRET' environment variable will be populated with the value of the referenced Secret. The value of the Secret is encrypted in the database, and will only be decrypted and accessible to the Flow/Work processes in the cloud. Co-authored-by: Sherin Thomas <[email protected]> Co-authored-by: Noha Alon <[email protected]> Co-authored-by: thomas chaton <[email protected]> (cherry picked from commit 71719b9) * secrets docs (#14951) * secrets docs * Update docs/source-app/glossary/secrets.rst Co-authored-by: Yurij Mikhalevich <[email protected]> * Apply suggestions from code review Co-authored-by: Adrian Wälchli <[email protected]> * Update secrets.rst * links Co-authored-by: Yurij Mikhalevich <[email protected]> Co-authored-by: Jirka Borovec <[email protected]> Co-authored-by: Adrian Wälchli <[email protected]> Co-authored-by: Jirka <[email protected]> (cherry picked from commit 8715cd0) # Conflicts: # docs/source-app/glossary/secrets.rst * Add support for command descriptions (#15193) (cherry picked from commit 4acb10f) * docs: temp drop S3 from index (#15099) Co-authored-by: awaelchli <[email protected]> (cherry picked from commit 05d91c8) * version 0.7.0 * chlog join 0.6.3 & 0.7 Co-authored-by: Alec Merdler <[email protected]> Co-authored-by: edenlightning <[email protected]> Co-authored-by: Ethan Harris <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds a new '--secret' flag to 'lightning run app':
lightning run app --cloud --secret MY_SECRET=my-secret-name app.pyWhen the Lightning App runs in the cloud, the
'MY_SECRET'environment variable will be populated with the value of the
referenced Secret. The value of the Secret is encrypted in the
database, and will only be decrypted and accessible to the
Flow/Work processes in the cloud.
Before submitting
PR review
Anyone in the community is welcome to review the PR.
Before you start reviewing, make sure you have read the review guidelines. In short, see the following bullet-list:
Did you have fun?
Make sure you had fun coding 🙃