> ## Documentation Index > Fetch the complete documentation index at: https://tensorfuse.io/docs/llms.txt > Use this file to discover all available pages before exploring further. # Secrets > Use secrets in your deployments for sensitive information Very often, deployments require sensitive information such as passwords, API keys, or certificates. Tensorkube provides a built-in feature called **Secrets** to securely store and manage such sensitive data. ## Creating a secret To create a secret in tensorkube, you can use the following command: ``` tensorkube secret create KEY1=VAL1 KEY2=VAL2 KEY3=VAL3 ... ``` The secret name must follow the following rules: * Contain only lowercase alphanumeric characters (a-z, 0-9), hyphens(-) and, period(.) * Start and end with an alphanumeric character (a-z, 0-9). * Be a maximum of 253 characters. ### Arguments: * SECRET\_NAME: **\[required]** * KEYVALUES...: **\[required]**, Space-separated KEY=VALUE items * \--env ENV\_NAME: **\[optional]**, Environment in which the secret is created. If not specified, default environment is used. * \--force: **\[optional]**, Overwrite the secret if it already exists. When updating a secret, it's important to redeploy any application that uses this secret. Failure to do so may result in inconsistencies in application behavior, as any running pods might still be using the old secret value but any new onces created will use the updated values. To ensure consistent behavior, always redeploy your applications after updating a secret. If you have quotes in secret value, you should escape them with a backslash to preserve the quotes. For example, if you want to store `password=my_pa"ss"word`, you should use `tensorkube secret create dummy-secret password=my_pa\"ss\"word`. Doing this will let you store actual value which is `password=my_pa"ss"word`. ## Listing secrets You can list out created secrets using the command: ``` tensorkube list secrets ``` ### Arguments: * \--env ENV\_NAME: **\[Optional]** Specify the environment to list the secrets from. If not specified, secrets from the default environment will be listed. ## Deleting secrets You can delete a secret using the command: ``` tensorkube secret delete SECRET_NAME ``` ### Arguments: * SECRET\_NAME: **\[Required]**, The name of the secret you want to delete. * \--env ENV\_NAME: **\[Optional]**, Specify the environment from which the secret should be deleted. If not specified, the secret will be deleted from the default environment. ## Using secrets in deployments You can use secrets in a deployment using the `--secret` flag in the deploy command. Secrets are exposed as environment variables in your deployed code. ``` tensorkube deploy --secret secret1 --secret secret2 ... ``` If you are deploying in a particular environment, make sure the secrets have also been created in that particular environment. ### Example Let's say you create a secret with the command ``` tensorkube secret create secret1 KEY1=VAL1 key2=val2 ``` And deploy your app with the command ``` tensorkube deploy --secret secret1 ``` Now the secret is available for use, both during builds as well as during runtime. The way you access these secrets differs during build and runtime. ## Container builds with secrets If you want to access your secrets during container builds, you can use them in your Dockerfile by mounting them as type `secret` in Dockerfile. You would need to specify the following `RUN` command before the step where you want to use the secret. ```Dockerfile theme={null} RUN --mount=type=secret,id=KEY1,env=KEY1 ``` Remember to use key names such as `KEY1` as `id` and `env` values in the `--mount` flag. \*\* Do not use the secret name as the key name.\*\* Also, do not forget to deploy the service with the `--secret` flag to make the secret available during both build and runtime. ### Example 1: Echo secret during build ```shell theme={null} tensorkube secret create demo-secret DEMO_KEY=demo ``` ```Dockerfile theme={null} FROM python:3.9-slim RUN --mount=type=secret,id=DEMO_KEY,env=DEMO_KEY echo $DEMO_KEY ``` ```shell theme={null} tensorkube deploy --secret demo-secret ``` For eg you can use the following Dockerfile to print the value of `KEY1` from `secret1` during build: If you have **multiple secrets**, you can mount them as follows: ```Dockerfile Dockerfile theme={null} RUN --mount=type=secret,id=DEMO_KEY,env=DEMO_KEY --mount=type=secret,id=DEMO_KEY_2,env=DEMO_KEY_2 echo $DEMO_KEY $DEMO_KEY_2 ``` Run the deploy command with both the secrets - ``` tensorkube deploy --secret demo-secret --secret demo-secret-2 ``` ### Example 2: Cloning a private repository during build If you want to clone a private repository during build with Personal access tokens, you can use secrets using below steps. Ensure that your token has proper permissions. ```shell theme={null} tensorkube secret create github-secrets GITHUB_TOKEN=github_pat_xxx ``` ```Dockerfile theme={null} FROM python:3.11-slim # Install git RUN apt-get update && apt-get install -y --no-install-recommends git \ && rm -rf /var/lib/apt/lists/* # Clone repository (replace with your GitHub URL) RUN --mount=type=secret,id=GITHUB_TOKEN,env=GITHUB_TOKEN git clone https://samagra14:${GITHUB_TOKEN}@github.com/samagra14/vllm.git ``` Note that I am using `GITHUB_TOKEN` here, which was the `KEY` of our secret insread of `github-secrets` which was the secret name. ```shell theme={null} tensorkube deploy --secret github-secrets ``` ### Accessing secrets during deployment runtime Using secrets in deployment is straightforward. You can access these in your code as follows during runtime: ```python main.py theme={null} import os VAL1 = os.environ.get("KEY1") val2 = os.environ.get("key2") ## Use VAL1 and val2 in your code as required print(f'Value of secret KEY1 is {VAL1}') print(f'Value of secret key2 is {val2}') ```