diff --git a/docs/source-app/glossary/encrypted_secrets.rst b/docs/source-app/glossary/encrypted_secrets.rst new file mode 100644 index 0000000000000..33ad50dfe6af0 --- /dev/null +++ b/docs/source-app/glossary/encrypted_secrets.rst @@ -0,0 +1,48 @@ +.. _encrypted_secrets: + +################# +Encrypted Secrets +################# + +Private data (API keys, database passwords, or other credentials), required by Lightning Apps, can now be encrypted using the ``--secret`` flag. + +---- + +*************** +What did we do? +*************** + +The ``MY_SECRET`` environment variable has been added and the flag ``--secret`` has been added to the ``lightning run app`` command. + +When a Lightning App (App) **runs in the cloud**, the ``MY_SECRET`` environment variable is populated with the value of the +referenced secret. The value of the secret is encrypted in the database, and is only decrypted and accessible to +LightningFlow or LightningWork processes in the cloud. + +---- + +********************** +What were we thinking? +********************** + +We understand that many Lightning Apps require access to private data like API keys, database passwords, or other credentials. +We developed this feature because we know that you need a secure way to store this data in a way that is accessible to Apps so that they can authenticate third party services/solutions. + +---- + +**************** +Encrypt a secret +**************** + +.. note:: Secrets can only be used for Apps running in cloud. + +To encrypt your secret: + +.. code:: bash + + lightning run app --cloud --secret MY_SECRET= + +Here's an example: + +.. code:: bash + + lightning run app --cloud --secret MY_SECRET=my-super-secret-name app.py diff --git a/docs/source-app/glossary/environment_variables.rst b/docs/source-app/glossary/environment_variables.rst index fd41594656b0f..95008ba790efc 100644 --- a/docs/source-app/glossary/environment_variables.rst +++ b/docs/source-app/glossary/environment_variables.rst @@ -4,9 +4,9 @@ Environment Variables ********************* -If your app is using secrets or values you don't want to expose in your app code such as API keys or access tokens, you can use environment variables. +If your Lightning App (App) is using secrets or values you don't want to expose in your app code such as API keys or access tokens, you can use environment variables. -Lightning allows you to set environment variables when running the app from the CLI with the `lightning run app` command. You can use environment variables to pass any value such as API keys or other similar configurations to the app, avoiding having to stick them in the source code. +Lightning allows you to set environment variables when running the app from the CLI with the `lightning run app` command. You can use environment variables to pass any value such as API keys or other similar configurations to the App, avoiding having to stick them in the source code. Set one or multiple variables using the **--env** option: @@ -24,4 +24,4 @@ The environment variables are available in all flows and works, and can be acces print(os.environ["BAZ"]) # FAZ .. note:: - Environment variables are currently not encrypted. + Only the `MY_SECRET environment variable is encrypted `_. All other environment variables are not encrypted. diff --git a/docs/source-app/index.rst b/docs/source-app/index.rst index af0e7eb350827..d4fae85117ecf 100644 --- a/docs/source-app/index.rst +++ b/docs/source-app/index.rst @@ -268,8 +268,9 @@ Keep Learning Build Configuration Command Line Interface (CLI) DAG - Event Loop + Encrypted Secrets Environment Variables + Event Loop Frontend REST API Sharing Components