Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:Bentoml BentoML CLI Secret

From Leeroopedia
Knowledge Sources
Domains CLI, Secret Management
Last Updated 2026-02-13 15:00 GMT

Overview

Implements the bentoml secret CLI command group for managing secrets (environment variables and mounted files) on BentoCloud.

Description

The secret.py module defines a Click command group named secret that provides CRUD operations for BentoCloud secrets. Secrets can be mounted as environment variables or files in deployed containers. The module contains:

Commands:

  • list -- Lists all secrets on BentoCloud with optional search filtering. Displays secret name, creation date, mount type (Environment Variable or File), stage, keys, path, and cluster in table, JSON, or YAML format.
  • create -- Creates a new secret with key-value pairs passed as positional arguments (key1=value1 key2=value2) or loaded from dotenv files (-f .env). Values can reference files using the @ prefix (key1=@./path_to_file). Supports two types: env (environment variable) or file (mounted file). Secrets can be scoped to a specific stage (build, runtime, or all) and optionally targeted to a specific cluster.
  • delete -- Deletes a secret by name, optionally scoped to a specific cluster.
  • apply -- Updates an existing secret with new key-value pairs. Uses the same argument format and options as the create command.

Helper Functions:

  • parse_kvs_argument_callback() -- Click callback that parses positional key=value arguments, supporting file references via @ prefix.
  • read_dotenv_callback() -- Click callback that reads and parses dotenv files into key-value pairs.
  • raise_secret_error() -- Translates HTTP error codes into user-friendly error messages.
  • map_choice_to_type() -- Maps the CLI choice "file" to the internal type "mountfile".

All commands use dependency injection via simple_di to obtain the BentoCloudClient and use the BentoMLCommandGroup for consistent CLI behavior.

Usage

Use these CLI commands to manage secrets that need to be available in BentoCloud deployments, such as API keys, database credentials, or configuration files.

Code Reference

Source Location

Signature

@click.group(name="secret", cls=BentoMLCommandGroup)
def secret_command(): ...

@secret_command.command(name="list")
@click.option("--search", ...)
@click.option("-o", "--output", type=click.Choice(["json", "yaml", "table"]), default="table")
@inject
def list_command(
    search: str | None,
    output: t.Literal["json", "yaml", "table"],
    _cloud_client: BentoCloudClient = Provide[BentoMLContainer.bentocloud_client],
): ...

@secret_command.command(name="create")
@click.argument("name", ...)
@click.argument("key_vals", nargs=-1, callback=parse_kvs_argument_callback)
@click.option("-d", "--description", ...)
@click.option("-t", "--type", type=click.Choice(["env", "file"]), default="env", callback=map_choice_to_type)
@click.option("-s", "--stage", type=click.Choice(["build", "runtime", "all"]), default="runtime")
@click.option("--cluster", ...)
@click.option("-p", "--path", ...)
@click.option("-f", "--from-file", callback=read_dotenv_callback, multiple=True)
@inject
def create(
    name: str,
    description: str | None,
    type: t.Literal["env", "mountfile"],
    cluster: str | None,
    path: str | None,
    key_vals: t.List[tuple[str, str]],
    from_literal: bool,
    from_file: t.List[tuple[str, str]],
    stage: t.Literal["build", "runtime", "all"],
    _cloud_client: BentoCloudClient = ...,
): ...

@secret_command.command(name="delete")
@click.argument("name", ...)
@click.option("--cluster", ...)
@inject
def delete(name: str, cluster: str | None, _cloud_client: BentoCloudClient = ...): ...

@secret_command.command(name="apply")
@click.argument("name", ...)
@click.argument("key_vals", nargs=-1, callback=parse_kvs_argument_callback)
# ... (same options as create)
@inject
def apply(name: str, description: str | None, ...): ...

def parse_kvs_argument_callback(ctx, params, value) -> t.List[tuple[str, str]]: ...
def read_dotenv_callback(ctx, params, value) -> t.List[tuple[str, str]]: ...
def raise_secret_error(err: BentoMLException, action: str) -> t.NoReturn: ...
def map_choice_to_type(ctx, params, value): ...

Import

from bentoml_cli.secret import secret_command

I/O Contract

Inputs

Name Type Required Description
name str Yes (create/delete/apply) Name of the secret
key_vals str (variadic) Yes (create/apply) Key-value pairs in key=value format; values starting with @ reference file contents
--search str No Filter string for listing secrets
-t / --type Choice[env, file] No Mount type: environment variable (default) or mounted file
-s / --stage Choice[build, runtime, all] No Availability stage (default: runtime)
--cluster str No Target cluster name
-p / --path str No Mount path in the container for file-type secrets (defaults to $BENTOML_HOME)
-f / --from-file str (multiple) No Path to dotenv files to read key-value pairs from
-d / --description str No Description of the secret
-o / --output Choice[json, yaml, table] No Output format (default: table)

Outputs

Name Type Description
table output Rich Table Formatted table of secret information printed to stdout
json output str JSON-serialized secret data printed to stdout
yaml output str YAML-serialized secret data printed to stdout (syntax highlighted)
success message str Confirmation message for create, apply, and delete operations

Usage Examples

# CLI: List all secrets
# $ bentoml secret list
# $ bentoml secret list --search my-secret -o json

# CLI: Create a secret with environment variables
# $ bentoml secret create my-secret API_KEY=abc123 DB_HOST=localhost

# CLI: Create a secret from a dotenv file
# $ bentoml secret create my-secret -f .env

# CLI: Create a file-mounted secret
# $ bentoml secret create my-config -t file config.yaml=@./config.yaml -p /home/bentoml/config

# CLI: Create a secret with file content reference
# $ bentoml secret create my-certs cert=@./server.pem

# CLI: Update a secret
# $ bentoml secret apply my-secret NEW_KEY=new_value

# CLI: Delete a secret
# $ bentoml secret delete my-secret

# CLI: Scope a secret to a cluster
# $ bentoml secret create my-secret API_KEY=abc123 --cluster my-cluster --stage build

# Programmatic usage
import click
from bentoml_cli.secret import secret_command

@click.group()
def cli():
    pass

cli.add_command(secret_command)

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment
Retrieved from "https://leeroopedia.com/index.php?title=Implementation:Bentoml_BentoML_CLI_Secret&oldid=5105"