Secrets
This guide shows you how to manage and use secrets in Ascend.
Prerequisites
- An Ascend Workspace
- An Environment with a configured Vault
- An Ascend Project
- A Vault configured in your Project
Create a secret
To use a secret in Ascend, you must first store it in a Vault that has been configured for the Environment you are working in.
For Ascend-managed Vaults:
- Navigate to Settings > Secrets & Vaults
- Choose the Vault where you want to add a secret (Instance Vault or Environment Vault)
- Click Add Secret
- Enter a Name for your secret and paste the value in the Value field
Your secret is now ready to use!
Secrets stored in the Instance Vault are available throughout the entire Instance, while secrets in an Environment Vault are scoped only to that specific Environment.
See the instructions here for adding a secret to GCP Secret Manager. If you are using a prefix to delineate between environment and instance secrets, make sure to include the prefix in the secret name.
See the instructions here for adding a secret to AWS Secrets Manager. If you are using a prefix to delineate between environment and instance secrets, make sure to include the prefix in the secret name.
See the instructions here for adding a secret to Azure Key Vault.
Reference a secret in YAML files
Secrets are commonly used in Connections to store passwords, tokens, or other sensitive information for authenticating to external systems.
The syntax for referencing a secret is:
${vaults.<vault-name>.<secret-name>}
Secrets can be stored as JSON objects in the vault, and child values can be accessed using dot notation:
${vaults.<vault-name>.<secret-name>.<path.to.secret>}
Reference a secret in Python files
Secrets can be accessed by referencing them from the context object passed to the Python function:
from ascend.application.context import ComponentExecutionContext
from ascend.resources import custom_python
from ascend.vault.vault import Vault


@custom_python()
def custom_python_vault(context: ComponentExecutionContext):
    # Look up the Vault by the name it is configured under in the Project
    vault: Vault = context.vaults["<vault-name>"]
    # Fetch the secret value by name
    secret = vault.get("<secret-name>")
    # For accessing child values in a JSON object
    child_value = vault.get("<secret-name>.<path.to.secret>")
Examples
With this project structure:
foo_project/
├── ascend_project.yaml
├── connections/
├── flows/
├── profiles/
└── vaults/
    └── foo_vault.yaml
Example 1: MySQL Connection
With this secret, foo_secret, in the foo_vault:
"mysql_password_value"
The secret can be referenced in a MySQL connection:
connection:
  mysql:
    host: mysql.hostname
    port: 3306
    database: some_database
    user: mysql_user
    password: "${vaults.foo_vault.foo_secret}"
Example 2: Nested Values
If the secret is a string-encoded JSON object:
{
  "mysql": {
    "password": "mysql_password_value"
  }
}
The secret can be accessed by appending the path to the secret:
connection:
  mysql:
    host: mysql.hostname
    port: 3306
    database: some_database
    user: mysql_user
    password: "${vaults.foo_vault.foo_secret.mysql.password}"
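A pre-commit style check for connection files like the ones above, added here as an example (not Ascend's own code or tooling): it flags credential fields whose value is a literal or a malformed reference instead of a single ${vaults...} reference. The list of sensitive key names, the allowed name characters, the one-reference-per-value policy and the sample file are assumptions of this example.

```python
import re

# Reference form documented on this page:
#   ${vaults.<vault-name>.<secret-name>[.<path.to.secret>]}
# The allowed name characters are an assumption of this example.
VAULT_REF = re.compile(r"\$\{vaults\.[\w-]+\.[\w-]+(?:\.[\w-]+)*\}")
# Key names treated as credential fields (assumed list; extend for your connections).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api_?key|private_key", re.I)
KEY_VALUE = re.compile(r"^\s*-?\s*([\w-]+)\s*:\s*(.*?)\s*$")


def find_hardcoded_secrets(yaml_text):
    """Return (line_number, key) for each credential field not set to a vault reference."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.groups()
        value = re.sub(r"\s+#.*$", "", value).strip("\"'")  # drop trailing comment, quotes
        if not value or not SENSITIVE_KEY.search(key):
            continue  # parent mapping key, or not a credential field
        # Policy of this example: the whole value must be one vault reference.
        if not VAULT_REF.fullmatch(value):
            findings.append((lineno, key))
    return findings


# Constructed sample: one correct reference, one literal, one malformed reference.
SAMPLE = """\
connection:
  mysql:
    host: mysql.hostname
    port: 3306
    user: mysql_user
    password: "${vaults.foo_vault.foo_secret.mysql.password}"
    ssl_key_password: hunter2
    api_token: "${vaults.foo_vault}"
"""

if __name__ == "__main__":
    for lineno, key in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: '{key}' is not a vault reference")
```

The scan is line-based and uses only the standard library, so it does not handle multi-line YAML scalars.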
Example 3: API Key in Custom Python Read Component
Secrets can also be accessed in custom Python read components. Here's an example of using an API key stored in a Vault to authenticate to an API and return a DataFrame.
With this secret, api_key, in the foo_vault:
"abc123"
The secret can be used in a read component:
import pandas as pd
import requests
from ascend.application.context import ComponentExecutionContext
from ascend.resources import custom_python
from ascend.vault.vault import Vault


@custom_python()
def custom_python_vault(context: ComponentExecutionContext):
    vault: Vault = context.vaults["foo_vault"]
    # Fetch the API key once and keep it out of logs and return values
    api_key = vault.get("api_key")
    response = requests.get(
        "https://api.example.com",
        headers={"Authorization": f"Bearer {api_key}"},
        timeout=30,  # avoid hanging the component on an unresponsive API
    )
    # Fail on 4xx/5xx instead of building a DataFrame from an error body
    response.raise_for_status()
    return pd.DataFrame(response.json())
Next steps
- Learn more about Vault concepts
- Provision external Vault services for your organization
- Configure Environment Vaults for different environments
- Explore connection examples that use secrets