Keyring Secret Store

The keyring store enables Spice to access secrets from the secure/credential store of the host operating system:

  • Linux: The secret-service and kernel keyutils.
  • macOS: The keychain.
  • Windows: The Credential Manager.

The keyring store reads entries whose names are formatted as spice_secret_<secret-name> and whose account or user is set to spiced.

Note: For compatibility with Spice secret objects, secret values are required to be stored as JSON strings, as the keyring store only supports string values.

Example

To set the spiceai API key secret using the macOS keychain, create a new keychain entry with the following JSON string value:

{ "key": "<your spice.ai app api key>" }

Then set the store field of the secrets section in the Spicepod manifest:

secrets:
  store: keyring
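
The keychain entry from the example above can be created from a macOS terminal with the shell helpers below. They are an added example, not taken from the Spice documentation. They assume the keychain service field holds the entry name; the function names and the secret-name character check are this example's own.

```shell
#!/bin/sh
# Added example: build and store a keychain entry the keyring store can read.
# Assumption: the keychain "service" field is the entry name Spice looks up.

SPICE_ACCOUNT="spiced"   # account/user the keyring store requires

# Entry name for a secret, e.g. spiceai -> spice_secret_spiceai.
# Names outside [A-Za-z0-9_-] are rejected (a conservative choice made for
# this example, not a documented Spice rule).
spice_entry_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid secret name: $1" >&2; return 1 ;;
  esac
  printf 'spice_secret_%s' "$1"
}

# JSON string value {"key":"<value>"}. Backslashes and double quotes are
# escaped so the stored value stays valid JSON; the value is assumed to
# contain printable characters only.
spice_json_value() {
  escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf '{"key":"%s"}' "$escaped"
}

# Store the secret in the macOS keychain with the security CLI.
# -U updates the entry if it already exists.
spice_store_macos() {
  name=$(spice_entry_name "$1") || return 1
  security add-generic-password -U -a "$SPICE_ACCOUNT" -s "$name" \
    -w "$(spice_json_value "$2")"
}
```

Call it as `spice_store_macos spiceai "$API_KEY"`. The value passed to -w is visible in the process list while security runs, so run it on a machine where other users cannot inspect your processes.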