Managing Secrets in Bauplan
Bauplan lets you securely manage sensitive information like API keys, database URIs, or credentials. Secrets are encrypted, versioned, and injected into your pipeline code at runtime, so you never have to hardcode them.
This guide shows how to add a secret to your project and use it safely inside a model or function.
Adding Secrets
Use the CLI to define a secret. For example, to store an OpenAI API key:
bauplan parameter set --name openai_api_key --value sk-abc123... --type secret
This writes an encrypted entry into your bauplan_project.yml file:
parameters:
  openai_api_key:
    type: secret
    default: kUg6q4141413...
    key: awskms:///arn:aws:kms:us-east-1:...
The default is an encrypted string (not the raw secret)
The key is the KMS encryption reference used to decrypt it at runtime
Secrets are never stored or transmitted in plaintext.
Using Secrets in a pipeline
To use a secret in your code, declare it as a parameter using bauplan.Parameter. At runtime, Bauplan decrypts the value and injects it as a regular Python variable — no environment variables or manual handling required.
Granting internet access to models
If your model needs to call an external API (e.g. OpenAI, Slack), you can grant it internet access explicitly in the bauplan.model() decorator by setting the parameter internet_access=True. This ensures that outbound calls are allowed — but only for that model.
import bauplan

@bauplan.model(internet_access=True)  # Enable access to external services
@bauplan.python('3.11', pip={'openai': '1.57.2'})
def enrich_data(
    data=bauplan.Model('your_table'),
    openai_key=bauplan.Parameter('openai_api_key')  # Decrypted and injected at runtime
):
    import openai
    # openai>=1.0 uses a client object; the module-level ChatCompletion API was removed
    client = openai.OpenAI(api_key=openai_key)
    response = client.chat.completions.create(
        model="gpt-4",
        messages=[{"role": "user", "content": "Hello!"}]
    )
    # Process and return the enriched result
    ...
    return response
This pattern is ideal when using secrets to authenticate with:
AI models (OpenAI, Anthropic)
SaaS APIs (Slack, HubSpot, Stripe)
Private services (e.g., your own backend)
You can version and manage the secret securely using the CLI, and keep internet access scoped to only the models that truly need it.
Best Practices
Use secrets for anything you wouldn’t commit to Git: API keys, DB passwords, Webhook tokens, etc.
Test in branches: Secrets are inherited across branches, so you can safely test in isolation.