Secret Keys Manager
The Secret Keys Manager lets you store and manage key-value data on the platform. It supports two types of entries:
- Secrets — Encrypted values for sensitive credentials such as API keys, database passwords, and tokens. Secret values are never displayed in the UI or CLI output.
- Variables — Plain-text configuration values such as feature flags, connection strings, and environment-specific settings. Variable values are visible in the UI and CLI.
Both secrets and variables are accessible from your jobs, workflows, apps, and services at runtime through the Python SDK or CLI.
How It Works
Store a value once, then read it from any compute process that has the right permissions. This keeps credentials out of your source code and lets you change configuration without redeploying.
```python
import datatailr as dt

# Read a secret at runtime
db_password = dt.kv.get("db/password", secure=True)

# Read a variable
feature_flag = dt.kv.get("config/enable_cache")
```
Managing in the Dashboard
Navigate to Secret Keys Manager in the left sidebar. Use the Secrets and Variables tabs at the top to switch between the two types.
Creating an entry
- Click Add New in the top-right corner.
- Enter a key name (use `/` to organize keys into a hierarchy, e.g. `prod/db/password`).
- Enter the value.
- Select the target environment (`dev`, `pre`, or `prod`).
- Configure group permissions to control which groups can read or write this entry.
- Click Save.
Editing and deleting
Right-click any row to Edit or Delete an entry. Editing lets you change the value and permissions while keeping the same key.
CLI
Secrets and variables can also be managed with the `dt kv` commands.
| Action | Command |
|---|---|
| Store a value | `dt kv put <key> <value>` |
| Store a secret | `dt kv put -s <key> <value>` |
| Read a value | `dt kv get <key>` |
| Read a secret | `dt kv get -s <key>` |
| List keys | `dt kv ls` |
| List secrets | `dt kv ls -s` |
| Delete a key | `dt kv rm <key>` |
| Delete a secret | `dt kv rm -s <key>` |
Examples:
```bash
# Store a database password as a secret
dt kv put -s db/password my_secret_pass

# Store a config variable
dt kv put config/max_retries 5

# Store a variable scoped to an environment
dt kv put -e prod config/api_url https://api.example.com

# List all variables
dt kv ls

# List all secrets
dt kv ls -s

# Read a value
dt kv get config/max_retries
```
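Use `-e` to target a specific environment, `-g` to set group permissions, and `-p` for pretty-printed output. Note that a secret value typed as a command-line argument is recorded in your shell history and is visible in the process list while the command runs.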
Accessing from Python
The Python SDK provides direct access to the key-value store:
```python
import datatailr as dt

# Write
dt.kv.put("config/threshold", "0.95")
dt.kv.put("api/key", "sk-abc123", secure=True)

# Read
threshold = dt.kv.get("config/threshold")
api_key = dt.kv.get("api/key", secure=True)

# List
keys = dt.kv.ls()
secret_keys = dt.kv.ls(secure=True)

# Delete
dt.kv.rm("config/old_key")
```
See the Python SDK Reference for the full API.
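
An added example (not Datatailr's own code) of reading the `db/password` secret and the `config/enable_cache` variable at job start-up: it fails closed when a required key is missing and wraps the secret so it cannot leak through `repr()` or log formatting. `Secret`, `Settings`, `load_settings` and `FakeKV` are hypothetical names; how `dt.kv.get` reports a missing key and the `true`/`false` flag format are assumptions.

```python
from dataclasses import dataclass


class Secret:
    """Wraps a secret so repr(), str() and f-strings never show its value."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value  # call only at the point of use, e.g. the DB connect

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


@dataclass(frozen=True)
class Settings:
    db_password: Secret
    enable_cache: bool


def _read(kv, key, secure=False):
    # Assumption: a missing key shows up as None, an empty string or an exception.
    try:
        value = kv.get(key, secure=secure)
    except Exception as exc:
        raise RuntimeError(f"cannot read required key {key!r}") from exc
    if value is None or value == "":
        raise RuntimeError(f"required key {key!r} is missing or empty")
    return value


def load_settings(kv):
    """kv is any object with get(key, secure=...); in a job, pass dt.kv."""
    flag = str(_read(kv, "config/enable_cache")).strip().lower()
    if flag not in ("true", "false"):  # assumed flag format
        raise RuntimeError("config/enable_cache must be 'true' or 'false'")
    return Settings(Secret(_read(kv, "db/password", secure=True)), flag == "true")


class FakeKV:  # constructed in-memory stand-in so the example runs offline
    def __init__(self, secrets, variables):
        self._secrets, self._variables = secrets, variables

    def get(self, key, secure=False):
        return (self._secrets if secure else self._variables).get(key)
```

Error messages name the key that failed but never include a value, so they are safe to log.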