Managing Secrets in Bauplan

Bauplan lets you securely manage sensitive information like API keys, database URIs, or credentials. Secrets are encrypted, versioned, and injected into your pipeline code at runtime, so you never have to hardcode them.

This guide shows how to add a secret to your project and use it safely inside a model or function.

Adding Secrets

Use the CLI to define a secret. For example, to store an OpenAI API key:

bauplan parameter set --name openai_api_key --value sk-abc123... --type secret

This writes an encrypted entry into your bauplan_project.yml file:

parameters:
  openai_api_key:
    type: secret
    default: kUg6q4141413...
    key: awskms:///arn:aws:kms:us-east-1:...

  • The default is an encrypted string (not the raw secret)

  • The key is the KMS encryption reference used to decrypt it at runtime

Secrets are never stored or transmitted in plaintext.

Using Secrets in a pipeline

To use a secret in your code, declare it as a parameter using bauplan.Parameter. At runtime, Bauplan decrypts the value and injects it as a regular Python variable — no environment variables or manual handling required.

Granting internet access to models

If your model needs to call an external API (e.g. OpenAI, Slack), you can grant it internet access explicitly in the bauplan.model() decorator by setting the parameter internet_access=True. This ensures that outbound calls are allowed — but only for that model.

@bauplan.model(internet_access=True)  # Enable access to external services
@bauplan.python('3.11', pip={'openai': '1.57.2'})
def enrich_data(
    data=bauplan.Model('your_table'),
    openai_key=bauplan.Parameter('openai_api_key')  # Decrypted and injected at runtime
):
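    import openai

    # openai>=1.0 (1.57.2 is pinned above) uses a client object;
    # the module-level openai.ChatCompletion API was removed in 1.0.
    client = openai.OpenAI(api_key=openai_key)

    response = client.chat.completions.create(
        model="gpt-4",
        messages=[{"role": "user", "content": "Hello!"}]
    )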
    # Process and return the enriched result
    ...
    return response

This pattern is ideal when using secrets to authenticate with:

  • AI models (OpenAI, Anthropic)

  • SaaS APIs (Slack, HubSpot, Stripe)

  • Private services (e.g., your own backend)

You can version and manage the secret securely using the CLI, and keep internet access scoped to only the models that truly need it.
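
To check that internet access stays scoped as described above, a review or CI step can parse pipeline files and list which models set internet_access and which parameters they receive. This is an added example, not Bauplan's own tooling; the function names, the allowlist, and the sample source are assumptions made for illustration.

```python
import ast

# Constructed sample pipeline file, modelled on the decorators shown on this page.
SAMPLE = '''
import bauplan

@bauplan.model(internet_access=True)
@bauplan.python('3.11', pip={'openai': '1.57.2'})
def enrich_data(data=bauplan.Model('your_table'),
                openai_key=bauplan.Parameter('openai_api_key')):
    ...

@bauplan.model()
@bauplan.python('3.11')
def clean_data(data=bauplan.Model('enrich_data')):
    ...
'''

def _bauplan_call(node, attr):
    """True if node is a call written as bauplan.<attr>(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == attr and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "bauplan")

def audit_models(source):
    """Map each model function to its internet access flag and injected parameters."""
    report = {}
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        decorators = [d for d in fn.decorator_list if _bauplan_call(d, "model")]
        if not decorators:
            continue
        # Fail closed: anything other than a literal False counts as access granted.
        internet = any(kw.arg == "internet_access"
                       and not (isinstance(kw.value, ast.Constant) and kw.value.value is False)
                       for d in decorators for kw in d.keywords)
        defaults = fn.args.defaults + [d for d in fn.args.kw_defaults if d is not None]
        params = [d.args[0].value for d in defaults if _bauplan_call(d, "Parameter")
                  and d.args and isinstance(d.args[0], ast.Constant)]
        report[fn.name] = {"internet_access": internet, "parameters": params}
    return report

def unexpected_internet(source, allowlist):
    """Models that can make outbound calls but are not on the reviewed allowlist."""
    return sorted(name for name, info in audit_models(source).items()
                  if info["internet_access"] and name not in allowlist)

if __name__ == "__main__":
    print(audit_models(SAMPLE))
    print(unexpected_internet(SAMPLE, allowlist=set()))
```

The check only recognises decorators and defaults written literally as bauplan.model(...) and bauplan.Parameter(...); aliased imports or keyword arguments passed through ** are not resolved and need manual review.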

Best Practices

  • Use secrets for anything you wouldn’t commit to Git: API keys, DB passwords, webhook tokens, etc.

  • Test in branches: Secrets are inherited across branches, so you can safely test in isolation.