Manage Secrets
Create, inspect, list, and delete centralized secrets from the Kitaru CLI
Use kitaru secrets ... to manage credentials and other sensitive values.
If you want the full LLM setup story — secret, model alias, and
kitaru.llm() inside a flow — start with
Secrets + Model Registration.
Create or update a secret
kitaru secrets set openai-creds --OPENAI_API_KEY=sk-...set is an upsert command:
- If the secret does not exist, Kitaru creates it.
- If it already exists, Kitaru updates the provided keys.
New secrets are private by default.
Secret key naming
Use real environment-variable-style key names so downstream tooling can consume credentials directly:
OPENAI_API_KEYANTHROPIC_API_KEYAZURE_OPENAI_API_KEY
Show one secret
kitaru secrets show openai-credsThis prints metadata and key names. To include raw values when available:
kitaru secrets show openai-creds --show-valuesIf your current context cannot access one or more values, those keys appear as
unavailable.
List all accessible secrets
kitaru secrets listDelete a secret
kitaru secrets delete openai-credsUse a secret inside a checkpoint (current low-level pattern)
Today, Kitaru only auto-resolves linked secrets for kitaru.llm().
If you need credentials for some other external service, the current pattern is to load the secret explicitly inside your checkpoint or flow function body:
from zenml.client import Client
from kitaru import checkpoint
@checkpoint
def call_external_service() -> str:
secret = Client().get_secret(
name_id_or_prefix="github-creds",
allow_partial_name_match=False,
allow_partial_id_match=False,
)
token = secret.secret_values["GITHUB_TOKEN"]
return f"Loaded token with length {len(token)}"Keep the lookup inside the function body so it happens in the actual runtime context. Do not load secrets at import time.
This is the current low-level pattern. Kitaru does not yet expose a general
get_secret() helper in its public Python API.