Spice Secret Stores

Secret stores manage sensitive data like API keys, passwords, and tokens. The env store is loaded by default.

Basic Configuration

secrets:
  - from: <store_type>
    name: <store_name>

Supported Secret Stores

Store	From Format	Description
Environment	env	Environment variables + .env / .env.local files (default)
Kubernetes	kubernetes:<secret_name>	Kubernetes secrets
AWS Secrets Manager	aws_secrets_manager	AWS Secrets Manager
Keyring	keyring	OS keyring (macOS Keychain, Linux, Windows)

Default: Environment Variables

Loaded automatically. Reads from environment variables and any .env.local or .env files in the project directory.

secrets:
  - from: env
    name: env

Referencing Secrets

Use ${ store_name:KEY_NAME } syntax in component parameters:

datasets:
  - from: postgres:my_table
    name: my_table
    params:
      pg_user: ${ env:PG_USER }
      pg_pass: ${ env:PG_PASSWORD }

models:
  - from: openai:gpt-4o
    name: gpt4
    params:
      openai_api_key: ${ secrets:OPENAI_API_KEY }

Also works within strings:

params:
  mysql_connection_string: mysql://${env:USER}:${env:PASSWORD}@localhost:3306/db

Searching All Stores

Use ${ secrets:KEY } to search all configured stores in precedence order (last defined wins):

secrets:
  - from: env
    name: env
  - from: keyring
    name: keyring

datasets:
  - from: postgres:my_table
    name: my_table
    params:
      pg_user: ${ secrets:pg_user }     # checks keyring first, then env
      pg_pass: ${ secrets:pg_pass }

The <key_name> is automatically uppercased for the env secret store.

Examples

Kubernetes Secrets

secrets:
  - from: kubernetes:my-app-secrets
    name: k8s

AWS Secrets Manager

secrets:
  - from: aws_secrets_manager
    name: aws
    params:
      aws_region: us-east-1

Override Order (env overrides keyring)

secrets:
  - from: keyring
    name: keyring
  - from: env
    name: env

Documentation

• Secret Stores
• Environment Secret Store
• Kubernetes Secret Store
• AWS Secrets Manager
• Keyring Secret Store