Secrets
Secrets are named, write-only env-var bundles. Unlike --env / env=, their
values are never returned by the API and are injected into containers only at
run time.
Use secrets for anything sensitive: API keys, tokens, passwords. Use --env
for visible, per-deployment overrides you don't mind seeing in anycloud status output.
| | --env / env= | Secrets |
|---|---|---|
| Visible in API responses | Yes | Never |
| Reusable across deployments | No (per-submit) | Yes (referenced by name) |
| Rotation | Terminate + resubmit with new values | Update secret, resubmit |
Create a secret
anycloud secrets new hf HF_TOKEN=hf_xxxxxxxxxxxx
anycloud secrets new wandb WANDB_API_KEY=xxxxx WANDB_ENTITY=myteam
Each secret is a bundle of one or more KEY=VALUE pairs. All keys in a bundle
are injected as env vars into the container when the bundle is referenced.
List and delete
anycloud secrets list # Names and timestamps only — values never returned
anycloud secrets delete hf
Deletion is blocked by default while any non-terminal deployment references
the secret; the API returns 409 Conflict listing the blocking deployment
IDs. Pass --force (CLI) or force=True (Python SDK) to override. A
container already running with the injected values is unaffected until its
VM terminates, because the secret is only read from the store on VM start. The
next submit, resubmit, or spot-preemption recovery that references a
force-deleted name fails fast. Deleting a bundle only removes it from the
store; if the value itself has leaked, revoke or rotate it at the issuer as well.
anycloud secrets delete hf --force
Use in submit
CLI:
anycloud submit ghcr.io/me/train:latest \
--credentials my-aws --vm-type g6e.xlarge \
--secret hf --secret wandb
Pass --secret once per bundle.

Python:
import anycloud

ac = anycloud.Client()
# Create (or overwrite) the bundle; the value is write-only from here on.
ac.create_secret("hf", {"HF_TOKEN": "hf_xxxxxxxxxxxx"})
job = ac.submit(
    "ghcr.io/me/train:latest",
    gpu="h100:8",
    secrets=["hf", "wandb"],  # one bundle name per entry; every key in each bundle is injected
)
Also available on @anycloud.function(secrets=...) and
Function.submit(secrets=...).
Rotation
Update a secret's value in place, then resubmit. The next VM picks up the new value; running deployments keep the old one until they're resubmitted. Because secrets new overwrites the whole bundle, re-supply every KEY=VALUE pair in it, not only the rotated one.
anycloud secrets new hf HF_TOKEN=hf_rotated # Overwrites the bundle
anycloud resubmit <deployment-id> # Pulls the new value
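The deletion rules (blocked while referenced, --force, running VMs unaffected, fail-fast on the next start) and the rotation rules above fit in a small state model. The following is an added example written for this page, not anycloud's own code or SDK: the names SecretStore, Deployment and Conflict, the set of terminal states, and the "-r" suffix given to a resubmitted deployment are assumptions.

```python
"""Toy model of the deletion and rotation semantics described above.

Added example for this page, not anycloud's own code or SDK: the class and
method names (SecretStore, Deployment, Conflict), the set of terminal states,
and the "-r" suffix given to a resubmitted deployment are assumptions.
"""
from dataclasses import dataclass, field

TERMINAL_STATES = {"terminated", "completed", "failed"}  # assumed


class Conflict(Exception):
    """Stands in for the API's 409 Conflict; carries the blocking deployment IDs."""

    def __init__(self, blocking):
        self.blocking = frozenset(blocking)
        super().__init__(f"409 Conflict: secret referenced by {sorted(self.blocking)}")


@dataclass
class Deployment:
    id: str
    secrets: list                            # bundle names given at submit time
    env: dict = field(default_factory=dict)  # values injected when the VM started
    state: str = "running"


class SecretStore:
    def __init__(self):
        self._bundles = {}      # name -> {KEY: VALUE}
        self._deployments = {}  # deployment id -> Deployment

    def new(self, name, **pairs):
        # `secrets new` replaces the whole bundle: a rotation must re-supply every key.
        self._bundles[name] = dict(pairs)

    def list(self):
        # Names only; values never leave the store.
        return sorted(self._bundles)

    def delete(self, name, force=False):
        blocking = {d.id for d in self._deployments.values()
                    if name in d.secrets and d.state not in TERMINAL_STATES}
        if blocking and not force:
            raise Conflict(blocking)
        del self._bundles[name]
        # Deployments already running keep the values they were started with.

    def _resolve(self, names):
        # Only called on VM start; a missing bundle fails fast before any VM is touched.
        env = {}
        for name in names:
            if name not in self._bundles:
                raise KeyError(f"secret bundle {name!r} does not exist")
            env.update(self._bundles[name])
        return env

    def submit(self, dep_id, secrets):
        dep = Deployment(dep_id, list(secrets), env=self._resolve(secrets))
        self._deployments[dep.id] = dep
        return dep

    def resubmit(self, dep_id):
        old = self._deployments[dep_id]
        env = self._resolve(old.secrets)  # resolve first: a deleted bundle leaves the old deployment alone
        old.state = "terminated"
        new = Deployment(f"{dep_id}-r", list(old.secrets), env=env)
        self._deployments[new.id] = new
        return new
```

The order inside resubmit matters: resolving before terminating is what makes "fails fast" safe, since a force-deleted bundle then raises without touching the deployment that is still running on the old value.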
Precedence
An explicit --env KEY=VALUE on submit wins over any key coming from a
secret bundle. This lets you override a single value for a one-off deployment
without editing the stored bundle.
Storage and container injection
- Values are encrypted at rest with libsodium (XSalsa20-Poly1305) — same mechanism as credentials.
- The API only exposes create / list / delete routes. There is no route that returns values.
- At VM provisioning, resolved values are written to /run/anycloud-secrets.env (tmpfs, mode 0600) and passed to the container via docker run --env-file.
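The precedence rule and the env-file injection step above can be shown end to end: merge the referenced bundles, apply explicit --env pairs on top, then write the result in the line-oriented format docker run --env-file reads, with the file created 0600 from the outset. This is an added example written for this page, not anycloud's provisioning code; the bundles and the override are constructed inputs, a temporary directory stands in for the /run tmpfs, and the function names are assumptions.

```python
"""Resolving the container environment and writing the env-file.

Added example for this page, not anycloud's provisioning code. The bundles and
the override are constructed inputs; a temporary directory stands in for the
/run tmpfs, and the function names are assumptions.
"""
import os
import re
import stat
import tempfile

ENV_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def resolve_env(bundles, secret_names, env_overrides):
    """Merge the referenced bundles, then apply explicit --env pairs on top.

    Returns the final environment plus the keys where an explicit --env value
    replaced a key from a bundle, so a caller can log the override (key only).
    """
    resolved = {}
    for name in secret_names:
        resolved.update(bundles[name])  # KeyError here is the fail-fast for a deleted bundle
    overridden = [k for k in env_overrides if k in resolved]
    resolved.update(env_overrides)      # explicit --env wins
    return resolved, overridden


def write_env_file(path, env):
    """Write KEY=VALUE lines in the format `docker run --env-file` reads.

    The file is created with mode 0600 at open time, so there is no window in
    which it is readable by other users. Returns the resulting mode bits.
    """
    for key, value in env.items():
        if not ENV_KEY.match(key):
            raise ValueError(f"invalid env key {key!r}")
        if "\n" in value or "\r" in value:
            # --env-file is line oriented and does no quoting; a line break
            # would split the value into a bogus extra line.
            raise ValueError(f"value of {key} contains a line break")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        for key, value in env.items():
            f.write(f"{key}={value}\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def provision(bundles, secret_names, env_overrides, run_dir=None):
    """End to end: resolve, write the env-file, report what docker would read."""
    run_dir = run_dir or tempfile.mkdtemp()
    path = os.path.join(run_dir, "anycloud-secrets.env")
    env, overridden = resolve_env(bundles, secret_names, env_overrides)
    mode = write_env_file(path, env)
    with open(path) as f:
        lines = f.read().splitlines()
    return {"env": env, "overridden": overridden, "mode": mode, "lines": lines}


# Constructed sample inputs, mirroring the page's examples.
SAMPLE_BUNDLES = {
    "hf": {"HF_TOKEN": "hf_xxxxxxxxxxxx"},
    "wandb": {"WANDB_API_KEY": "xxxxx", "WANDB_ENTITY": "myteam"},
}
```

Passing the mode to os.open (rather than chmod after the fact) and using O_EXCL are the two details worth copying: the first avoids a world-readable window between create and chmod, the second refuses to overwrite a file something else planted at that path.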
Threat model note
Values reach the container via --env-file, which means Docker inlines them
into the container config on the VM. Anyone with root on the VM can read
them from docker inspect or /proc/<pid>/environ, the same reality as any
env-passed value; Docker also persists that config under its data directory on
the VM's disk, and any process inside the container (a docker exec shell, a
compromised library, a verbose logger) sees the environment too. The primitive
protects secrets from the API surface and from plaintext storage, not from a
VM-root attacker or from the workload itself.
CLI sensitivity warning
When you pass a likely-sensitive key via --env (for example HF_TOKEN,
API_KEY, anything matching token, secret, password, key, and similar patterns), the CLI
prints a one-line warning pointing you at anycloud secrets new. The submit
still proceeds — the warning is advisory.
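The warning above is a key-name heuristic, and the interesting part is where it draws the line: it should fire on HF_TOKEN, API_KEY or apiKey but not on MONKEY_COUNT just because "key" appears inside a word. The following is an added example written for this page, not the anycloud CLI's own implementation; the word list and the splitting rules are assumptions chosen to match the patterns the page names.

```python
"""The advisory check on --env keys, as a worked heuristic.

Added example for this page, not the anycloud CLI's own implementation: the
word list and the splitting rules are assumptions chosen to match the patterns
the page names (token, secret, password, key) without flagging keys that merely
contain one of them as a substring.
"""
import re

SENSITIVE_WORDS = {"token", "secret", "password", "passwd", "pwd", "key",
                   "apikey", "credential", "credentials"}

# Split on snake_case separators and on camelCase boundaries.
_SPLIT = re.compile(r"[^A-Za-z0-9]+|(?<=[a-z])(?=[A-Z])")


def looks_sensitive(key):
    """True if any whole word of the key names a credential-like thing."""
    words = [w.lower() for w in _SPLIT.split(key) if w]
    return any(w in SENSITIVE_WORDS for w in words)


def env_warnings(env_pairs):
    """One advisory line per suspicious --env key; the value is never echoed."""
    warnings = []
    for key in env_pairs:
        if looks_sensitive(key):
            warnings.append(
                f"warning: {key} looks sensitive; consider "
                f"`anycloud secrets new <name> {key}=...` instead of --env")
    return warnings
```

Matching whole words rather than substrings keeps the warning credible; a check that fires on every key containing "key" trains people to ignore it. Note the message repeats only the key: an advisory that echoed the value would leak it into terminal scrollback and CI logs, the very thing the warning is trying to prevent.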