Secrets

Secrets allow workflows to securely access sensitive data from the H2O Secure Store. Secrets are defined at the workflow level and referenced throughout the workflow using expressions.

Schema

See Schema Reference for the complete #Secret definition.

Workflow-Level Secrets

All secrets must be defined at the workflow level in the secrets field.

Location: Top-level secrets field

Example:

secrets:
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/ayiffo22n6gu
    as: registry_token
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/m7k3p9x2q8wt
    as: data_key

Secret Object Fields

name (required)

The resource path of the secret in the H2O Secure Store. The path format is workspaces/{workspace-id}/secrets/{secret-id} for the latest version, or workspaces/{workspace-id}/secrets/{secret-id}/versions/{version-id} for a specific version.

Type: string (non-empty)

Example:

name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/ayiffo22n6gu

Example with specific version:

name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/ayiffo22n6gu/versions/rfr9ig1r25bs

as (required)

The internal reference name used to access this secret in expressions.

Type: string (non-empty)

Naming Convention: Use lowercase with underscores (snake_case) for consistency.

Example:

as: registry_token

Using Secrets

Secrets are accessed in expressions as ${{ .secrets.<as> }}, where <as> is the value of the secret's as field; see Expressions.

Basic Usage:

secrets:
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/ayiffo22n6gu
    as: registry_token

jobs:
  deploy:
    env:
      REGISTRY_TOKEN: "${{ .secrets.registry_token }}"
    steps:
      - name: Deploy model
        run: python deploy.py --token ${REGISTRY_TOKEN}

Best Practices

Internal Reference Naming

Use snake_case for the as field to match environment variable conventions:

Good Examples:

secrets:
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/ayiffo22n6gu
    as: registry_token
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/m7k3p9x2q8wt
    as: data_key

Avoid:

secrets:
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/j5n8r2p4k9xt
    as: prodDBPassword  # camelCase - inconsistent

Environment Variable Naming

When mapping secrets to environment variables, use UPPERCASE with underscores:

secrets:
  - name: workspaces/b9c6e0da-355c-4683-bfbb-b7bf876e7b6b/secrets/m7k3p9x2q8wt
    as: data_key

env:
  DATA_API_KEY: "${{ .secrets.data_key }}"  # Uppercase for env var name

Minimize Secret Exposure

Reference secrets only in the jobs that actually need them:

jobs:
  train:
    # No secrets needed for training
    steps:
      - name: Train model
        run: python train.py

  deploy:
    # Only use secrets in deployment
    env:
      REGISTRY_TOKEN: "${{ .secrets.registry_token }}"
    steps:
      - name: Deploy model
        run: python deploy.py --token ${REGISTRY_TOKEN}

Security Considerations

Principle of Least Privilege

  • Only define secrets that are actually needed.
  • Use different secrets for different environments.
  • Rotate secrets regularly in H2O Secure Store.

Avoid Logging Secrets

  • Don't echo or print secret values in scripts.
  • Be careful with verbose logging modes.
  • Review run commands for accidental exposure.
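As an added example (not part of this documentation and not H2O's own tooling), the following Python linter checks a parsed workflow against the rules from the Using Secrets section and the best practices above: the Secure Store path format of name, snake_case aliases, that every ${{ .secrets.<as> }} reference in env resolves to a defined secret, secrets expanded directly inside run, echo of a secret-bearing variable, and secrets that are defined but never used. The workflow is passed as an already-parsed dict (as a YAML loader would produce); the sample workflow and its workspace and secret ids are constructed for the example.

```python
import re

# Formats the page documents: Secure Store path (optionally version-pinned),
# snake_case alias, and the ${{ .secrets.<as> }} expression syntax.
SECRET_PATH = re.compile(r"^workspaces/[^/]+/secrets/[^/]+(?:/versions/[^/]+)?$")
SNAKE_CASE = re.compile(r"^[a-z][a-z0-9_]*$")
SECRET_REF = re.compile(r"\$\{\{\s*\.secrets\.([A-Za-z0-9_]+)\s*\}\}")


def lint_secrets(workflow):
    """Return findings (strings) for the secrets usage in a parsed workflow dict."""
    findings, defined, used = [], set(), set()
    for s in workflow.get("secrets") or []:
        name, alias = str(s.get("name", "")), str(s.get("as", ""))
        if not SECRET_PATH.match(name):
            findings.append(f"secret '{alias}': '{name}' is not a Secure Store path")
        if not SNAKE_CASE.match(alias):
            findings.append(f"secret alias '{alias}' is not snake_case")
        defined.add(alias)
    for job, spec in (workflow.get("jobs") or {}).items():
        secret_vars = set()  # env vars whose value expands a secret
        for var, value in (spec.get("env") or {}).items():
            for ref in SECRET_REF.findall(str(value)):
                used.add(ref); secret_vars.add(var)
                if ref not in defined:
                    findings.append(f"{job}: env {var} references undefined secret '{ref}'")
        for step in spec.get("steps") or []:
            run, label = str(step.get("run", "")), f"{job}/{step.get('name', '?')}"
            for ref in SECRET_REF.findall(run):  # inline expansion bypasses the env mapping
                used.add(ref)
                findings.append(f"{label}: '{ref}' expanded inline in run; map it to env")
            for var in sorted(secret_vars):  # the "don't echo secret values" rule
                if re.search(rf"\becho\b.*\$\{{?{re.escape(var)}\b", run):
                    findings.append(f"{label}: echoes secret-bearing variable {var}")
    for alias in sorted(defined - used):
        findings.append(f"secret '{alias}' is defined but never used")
    return findings


# Constructed sample workflow (not real data): one malformed name with a camelCase
# alias, one unused secret, and a step that echoes the token.
SAMPLE = {
    "secrets": [{"name": "workspaces/ws-0000/secrets/aaaa", "as": "registry_token"},
                {"name": "workspaces/ws-0000/secrets/bbbb/versions/v1", "as": "data_key"},
                {"name": "secrets/cccc", "as": "prodDBPassword"}],
    "jobs": {"deploy": {
        "env": {"REGISTRY_TOKEN": "${{ .secrets.registry_token }}"},
        "steps": [{"name": "Show token", "run": "echo token=${REGISTRY_TOKEN}"},
                  {"name": "Deploy", "run": "python deploy.py --token ${REGISTRY_TOKEN}"}]}},
}
```

Running lint_secrets(SAMPLE) reports five findings: the malformed path, the camelCase alias, the echoed token, and two unused secrets; a workflow following the page's conventions reports none.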
