A Ray native mechanism of interacting with cloud-provider secrets management.
Project description
Ray Secret Proxy
DISCLAIMER
The Ray Secret Proxy is not an officially supported project by Ray or Anyscale.
Background
Credentials are required for almost every application to interact with databases, external APIs, and 3rd party integrations. Meanwhile, securely assessing, storing, and applying them within application logic poses a risk for potential credential exposure.
A straightforward approach to credential management is the use of environment variables, however these variables are not encrypted and easily accessible by other processes on a machine.
To combat this, vendors have created Secret Management systems to provide mechanisms securely store, manage, and leverage secrets within applications. However, each of these systems requires intimate knowledge of the specific secret provider in order to build an application client.
Usage
Before you begin, you will need to grant an IAM Role an IAM Policy that allows your Ray cluster to access your target Secrets Proxy. It is highly recommended to only grant read and list permissions for the Secret Manager for the IAM Role attached to your Ray clusters.
For information on how to use the Ray Secrets Proxy, please visit our Walkthrough notebook.
Architecture
The Secrets Proxy leverages a Pluggable Ray Secret Operator that conforms to a standard interface to list and fetch credentials from a third party Secrets Manager.
Ray Secret Operators
Today, there are out of the box Ray Secret Operators for AWS and GCP Secret Managers. These Operators are based off of the RaySecretOperator class and implement the following methods:
- initialize: a public method that initializes the client within the Proxy Actor to connect to your 3rd party Secret Store
- _fetch: the private method that retrieves a secret from the underlying Secret Providor
- get_secret: the public method to return a RaySecret from the provider
- list_secrets: the public method to return a list of secrets from the provider
Additional Secret Managers can be added by implementing additional operators based off of the base Ray Secret Operator.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file raysecretsproxy-0.0.3.tar.gz.
File metadata
- Download URL: raysecretsproxy-0.0.3.tar.gz
- Upload date:
- Size: 15.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cbdd3e04e86a9f1d3cd77eed315fa20475837fbd976c14c2148cddc3cb2c3105
|
|
| MD5 |
de0e71943b034b431b13c3c868225570
|
|
| BLAKE2b-256 |
30d35db5c6770ae45d8167bee3b02cf5a98338958d3bf781a21a2d79f938e1f5
|
File details
Details for the file raysecretsproxy-0.0.3-py3-none-any.whl.
File metadata
- Download URL: raysecretsproxy-0.0.3-py3-none-any.whl
- Upload date:
- Size: 14.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
eef7dc600833eb0d899bd082a410c96fd4b6297aceacbb8c5122708917eed1be
|
|
| MD5 |
0f9d3099a49d957837f7806f6b66c658
|
|
| BLAKE2b-256 |
13c034c634554afe71112a3d7e0203e1caa9a3ac3a71d2194275ba7e1311c8fe
|
