spice-secrets
SKILL.md
Spice Secret Stores
Secret stores securely manage sensitive data like API keys, passwords, and tokens.
Basic Configuration
secrets:
- from: <store_type>
name: <store_name>
Supported Secret Stores
| Store | From Format | Description |
|---|---|---|
env |
env |
Environment variables (default) |
kubernetes |
kubernetes:<secret_name> |
Kubernetes secrets |
aws_secrets_manager |
aws_secrets_manager |
AWS Secrets Manager |
keyring |
keyring |
OS keyring (macOS/Linux/Windows) |
Default: Environment Variables
The env store is loaded automatically. It reads from environment variables and .env / .env.local files.
secrets:
- from: env
name: env
Using Secrets
Reference secrets in component parameters with ${ store_name:KEY }:
datasets:
- from: postgres:my_table
name: my_table
params:
pg_user: ${ env:PG_USER }
pg_pass: ${ env:PG_PASSWORD }
models:
- from: openai:gpt-4o
name: gpt4
params:
openai_api_key: ${ secrets:OPENAI_API_KEY }
Multiple Secret Stores
Configure multiple stores with precedence (last defined wins):
secrets:
- from: env
name: env
- from: keyring
name: keyring
Use ${ secrets:KEY } to search all stores in precedence order:
params:
api_key: ${ secrets:API_KEY } # checks keyring first, then env
Examples
Kubernetes Secrets
secrets:
- from: kubernetes:my-app-secrets
name: k8s
AWS Secrets Manager
secrets:
- from: aws_secrets_manager
name: aws
params:
aws_region: us-east-1
Within Connection Strings
params:
mysql_connection_string: mysql://${env:USER}:${env:PASSWORD}@localhost:3306/db
Documentation
Weekly Installs
4
Repository
spiceai/skillsInstalled on
opencode4
claude-code4
windsurf3
codex3
github-copilot3
antigravity3