
How to refer to Instance Secrets in other DataOS Resources?

To use secret data stored in DataOS, reference it in your manifests with the dataosSecrets attribute. This identifier refers to an Instance Secret by name, so the secret values themselves are not written into the Resources that use them.

Referring Instance Secret in Depot

To refer to an instance-secret in Depots, follow these steps:

  1. Ensure Creation of Instance-Secret: First, make sure you have created the respective instance-secrets.

  2. Use dataosSecrets Identifier: In the depot manifest, use the dataosSecrets identifier to refer to the instance-secret.

For read-only access to a Depot, create a read-only instance-secret. For read-write access, create both a read-only and a read-write instance-secret. Both are needed because, when you give someone else access to the Depot through the CLI or the Bifrost UI, you grant either read or read-write access, and that person gets access to the corresponding instance-secret.

read_instance_secret.yaml
name: depotsecret-r # Resource name (mandatory)
version: v1 # Manifest version (mandatory)
type: instance-secret # Resource-type (mandatory)
tags: # Tags (optional)
  - just for practice
description: instance secret configuration # Description of Resource (optional)
layer: user
instance-secret: # Instance Secret mapping (mandatory)
  type: key-value-properties # Type of Instance-secret (mandatory)
  acl: r # Access control list (mandatory)
  data: # Data section mapping (mandatory)
    username: iamgroot
    password: yourpassword
read_write_instance_secret.yaml
name: depotsecret-rw # Resource name (mandatory)
version: v1 # Manifest version (mandatory)
type: instance-secret # Resource-type (mandatory)
tags: # Tags (optional)
  - just for practice
description: instance secret configuration # Description of Resource (optional)
layer: user
instance-secret: # Instance Secret mapping (mandatory)
  type: key-value-properties # Type of Instance-secret (mandatory)
  acl: rw # Access control list (mandatory)
  data: # Data section mapping (mandatory)
    username: iamgroot
    password: yourpassword

Now, when creating the manifest file for your Depot, reference the Instance Secret with the dataosSecrets identifier instead of specifying the secret directly with the connectionSecrets attribute:

depot.yaml
name: depotsecret
version: v2alpha
type: depot
tags:
  - snowflake
  - depot
layer: user
depot:
  type: SNOWFLAKE
  description: testing instance secrets using snowflake depot
  snowflake: # Snowflake connection details, nested under depot
    warehouse: mywarehouse
    url: avengers.central-india.azure.snowflakecomputing.com
    database: mydatabase
  external: true
  dataosSecrets: # Instance-secrets referenced by name
    - name: depotsecret-r
      keys:
        - depotsecret-r

    - name: depotsecret-rw
      keys:
        - depotsecret-rw
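
A pre-apply check for the manifests above, added here as an example (it is not part of the DataOS documentation or tooling): it flags a depot that still carries an inline connection secret, references an instance-secret that has no manifest, or references an rw secret without an r one. The function names and the line-based scan are assumptions of this example, and it reads only the fields shown on this page.

```python
import re

def parse_instance_secret(text):
    """Return (name, acl) read from an instance-secret manifest."""
    name = re.search(r"^name:[ \t]*([^\s#]+)", text, re.M)
    acl = re.search(r"^[ \t]+acl:[ \t]*([^\s#]+)", text, re.M)
    return (name and name.group(1), acl and acl.group(1))

def depot_secret_refs(text):
    """Names listed under dataosSecrets (line-based scan, not a full YAML parser)."""
    refs, indent = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        cur = len(line) - len(line.lstrip())
        if indent is None:
            if line.strip() == "dataosSecrets:":
                indent = cur
        elif cur <= indent:          # dedent: the dataosSecrets block has ended
            indent = None
        else:
            m = re.match(r"\s*-\s+name:\s*(\S+)", line)
            if m:
                refs.append(m.group(1))
    return refs

def lint_depot(depot_text, secret_texts):
    """Return a list of findings; an empty list means the depot passes."""
    findings = []
    # Matches the singular or plural spelling of the inline attribute.
    if re.search(r"^\s*connectionSecrets?\s*:", depot_text, re.M):
        findings.append("inline connection secret found; use dataosSecrets")
    acls = dict(parse_instance_secret(t) for t in secret_texts)
    refs = depot_secret_refs(depot_text)
    if not refs:
        findings.append("no dataosSecrets references")
    findings += [f"{r}: no matching instance-secret manifest" for r in refs if r not in acls]
    used = {acls[r] for r in refs if r in acls}
    if "rw" in used and "r" not in used:
        findings.append("rw secret referenced without a read-only secret")
    return findings

# Constructed sample manifests, trimmed to the fields the check reads.
SECRET_R = "name: depotsecret-r\ninstance-secret:\n  acl: r\n"
SECRET_RW = "name: depotsecret-rw\ninstance-secret:\n  acl: rw\n"
DEPOT_OK = ("depot:\n  dataosSecrets:\n    - name: depotsecret-r\n"
            "    - name: depotsecret-rw\n")
DEPOT_INLINE = ("depot:\n  connectionSecrets:\n    - acl: rw\n"
                "  dataosSecrets:\n    - name: depotsecret-rw\n")
```

Call lint_depot with the depot manifest text and the texts of every instance-secret manifest in the same change before applying them.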

Referring Instance Secret in Workflow