Secrets
Secrets allow workflows to securely access sensitive data from H2O Secure Store. Define secrets at the workflow level and reference them throughout the workflow using expressions.
Defining secrets
Define all secrets at the workflow level in the secrets field.
Location: Top-level secrets field
Example:
secrets:
  - name: workspaces/abc123/secrets/xyz789
    as: registry_token
  - name: workspaces/abc123/secrets/def456
    as: data_key
Secret fields
name (required)
The resource path of the secret in H2O Secure Store.
Type: string (non-empty)
Format: workspaces/{workspace-id}/secrets/{secret-id} for the latest version, or workspaces/{workspace-id}/secrets/{secret-id}/versions/{version-id} for a specific version.
Example:
name: workspaces/abc123/secrets/xyz789
With specific version:
name: workspaces/abc123/secrets/xyz789/versions/v1
as (required)
The internal reference name used to access this secret in expressions.
Type: string (non-empty)
Naming convention: Use lowercase with underscores (snake_case) for consistency.
Example:
as: registry_token
Using secrets
Access secrets in expressions using ${{ .secrets.<as> }}. For more details, see Expressions.
Basic usage:
secrets:
  - name: workspaces/abc123/secrets/xyz789
    as: registry_token
jobs:
  deploy:
    env:
      REGISTRY_TOKEN: "${{ .secrets.registry_token }}"
    steps:
      - name: Deploy model
        run: python deploy.py --token ${REGISTRY_TOKEN}
Best practices
Internal reference naming
Use snake_case for the as field to match environment variable conventions.
Recommended:
secrets:
  - name: workspaces/abc123/secrets/xyz789
    as: registry_token
  - name: workspaces/abc123/secrets/def456
    as: data_key
Avoid:
secrets:
  - name: workspaces/abc123/secrets/ghi789
    as: prodDBPassword # camelCase - inconsistent
Environment variable naming
When mapping secrets to environment variables, use UPPERCASE with underscores:
secrets:
  - name: workspaces/abc123/secrets/def456
    as: data_key
env:
  DATA_API_KEY: "${{ .secrets.data_key }}" # Uppercase for env var name
Minimize secret exposure
Only reference secrets in the jobs that need them:
jobs:
  train:
    # No secrets needed for training
    steps:
      - name: Train model
        run: python train.py
  deploy:
    # Only use secrets in deployment
    env:
      REGISTRY_TOKEN: "${{ .secrets.registry_token }}"
    steps:
      - name: Deploy model
        run: python deploy.py --token ${REGISTRY_TOKEN}
Security considerations
Follow the principle of least privilege when working with secrets.
Principle of least privilege
- Only define secrets that are actually needed
- Use different secrets for different environments
- Rotate secrets regularly in H2O Secure Store
Avoid logging secrets
- Don't echo or print secret values in scripts
- Be careful with verbose logging modes
- Review run commands for accidental exposure
Complete example
id: secure-deployment
name: Secure Model Deployment
secrets:
  - name: workspaces/abc123/secrets/registry-token
    as: registry_token
  - name: workspaces/abc123/secrets/api-key
    as: api_key
jobs:
  build:
    steps:
      - name: Build model artifact
        run: python build.py
  deploy:
    depends_on: [build]
    env:
      REGISTRY_TOKEN: "${{ .secrets.registry_token }}"
      API_KEY: "${{ .secrets.api_key }}"
    steps:
      - name: Push to registry
        run: |
          docker login -u bot -p ${REGISTRY_TOKEN} registry.example.com
          docker push registry.example.com/model:latest
      - name: Deploy to production
        run: |
          curl -H "Authorization: Bearer ${API_KEY}" \
            -X POST https://api.example.com/deploy
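The rules on this page (the Secure Store name format, snake_case `as` names, `${{ .secrets.<as> }}` references, least privilege, no printing of secrets) can be checked before a workflow is submitted. The linter below is an added example, not part of H2O Orchestrator; it takes the workflow as a parsed dict (what `yaml.safe_load` returns for a file like the complete example above) and uses a constructed sample with three seeded problems.

```python
import re

# Secret name formats given on this page: latest version, or a pinned version.
SECRET_NAME_RE = re.compile(r"^workspaces/[^/]+/secrets/[^/]+(/versions/[^/]+)?$")
SNAKE_RE = re.compile(r"^[a-z][a-z0-9_]*$")               # recommended form of `as`
REF_RE = re.compile(r"\$\{\{\s*\.secrets\.(\w+)\s*\}\}")  # ${{ .secrets.<as> }}
VAR_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")          # $VAR or ${VAR} in a run line
PRINTS_RE = re.compile(r"^\s*(echo|printf)\b")            # run lines that write to the log

def lint_workflow(wf):
    """Return (severity, message) findings for a parsed workflow dict."""
    findings, defined, used = [], {}, set()
    for s in wf.get("secrets") or []:
        name, alias = str(s.get("name", "")), str(s.get("as", ""))
        if not SECRET_NAME_RE.match(name):
            findings.append(("error", f"secret name is not a Secure Store path: {name!r}"))
        if not SNAKE_RE.match(alias):
            findings.append(("warn", f"'as' should be snake_case: {alias!r}"))
        defined[alias] = name
    for job, spec in (wf.get("jobs") or {}).items():
        secret_vars = set()  # env vars of this job that carry a secret
        for var, value in (spec.get("env") or {}).items():
            for ref in REF_RE.findall(str(value)):
                used.add(ref)
                secret_vars.add(var)
                if ref not in defined:
                    findings.append(("error", f"{job}: env {var} references undefined secret {ref!r}"))
        for step in spec.get("steps") or []:
            for line in str(step.get("run", "")).splitlines():
                if PRINTS_RE.match(line):
                    for var in VAR_RE.findall(line):
                        if var in secret_vars:
                            findings.append(("warn", f"{job}/{step.get('name')}: prints secret var {var} to the log"))
    for alias in defined:
        if alias not in used:
            findings.append(("warn", f"secret {alias!r} is defined but never referenced (least privilege)"))
    return findings

# Constructed sample based on the page's complete example, with three seeded problems.
SAMPLE = {
    "secrets": [{"name": "workspaces/abc123/secrets/registry-token", "as": "registry_token"},
                {"name": "workspaces/abc123/secrets/api-key", "as": "apiKey"},   # camelCase
                {"name": "workspaces/abc123/secrets/def456", "as": "data_key"}],  # never used
    "jobs": {"build": {"steps": [{"name": "Build", "run": "python build.py"}]},
             "deploy": {"env": {"REGISTRY_TOKEN": "${{ .secrets.registry_token }}",
                                "API_KEY": "${{ .secrets.apiKey }}"},
                        "steps": [{"name": "Push", "run": "echo token=${REGISTRY_TOKEN}\n"
                                   "docker push registry.example.com/model:latest"}]}}}
```

Running `lint_workflow(SAMPLE)` reports the camelCase alias, the `echo` of REGISTRY_TOKEN, and the unused `data_key`. The `echo` heuristic is deliberately narrow; a token passed on a command line (as with `docker login -p` above) can still appear in process listings or in shell trace output, so review those commands by hand as the page recommends.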