> ## Documentation Index
> Fetch the complete documentation index at: https://docs.shaktistudio.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Store and manage credentials used by integrations, clusters, registries, and deployments.

Secrets are secure credentials stored within the Shakti Studio platform that allow the platform to access external systems such as cloud accounts, container registries, model sources, or Kubernetes clusters.

Secrets typically include:

* Access keys
* API tokens
* Service account credentials
* Cluster authentication details

All secrets are stored securely and are only used for the specific integrations or deployments where they are referenced.

## Why secrets are used

Secrets are required to:

* Access cloud infrastructure for cluster creation or import
* Pull containers from private registries
* Download models from external sources
* Authenticate with Kubernetes clusters

Using secrets ensures credentials are not exposed in plain text, access can be centrally managed, and integrations can be reused across deployments.

## Add a Secret

<Steps>
  <Step title="Navigate to Secrets Management">
    Go to **Integrations → Secrets** in the Shakti Studio UI.
  </Step>

  <Step title="Initiate Secret Creation">
    Click the **Create Secret** button to open the secret creation form.

    <img src="https://mintcdn.com/simplismart-2/vmFWbTNy7o_dyCSF/images/model-suite/integrations/secrets/1-secrets-list.png?fit=max&auto=format&n=vmFWbTNy7o_dyCSF&q=85&s=b1d285e1d504675313c46c38ae8378d2" alt="List of secrets with Create Secret button" width="3024" height="1000" data-path="images/model-suite/integrations/secrets/1-secrets-list.png" />
  </Step>

  <Step title="Define Secret Details">
    Enter a descriptive **secret name** and choose the appropriate **secret type** from the dropdown menu (e.g., `AWS`, `GCP`, `Azure`, `Docker Hub`, `Hugging Face`, `Kubernetes`, `Generic`).

    <img src="https://mintcdn.com/simplismart-2/vmFWbTNy7o_dyCSF/images/model-suite/integrations/secrets/2-create-secret.png?fit=max&auto=format&n=vmFWbTNy7o_dyCSF&q=85&s=4c99304a8c82062407254fa0b4165ddc" alt="Create secret form showing name and type fields" width="3024" height="1564" data-path="images/model-suite/integrations/secrets/2-create-secret.png" />
  </Step>

  <Step title="Input Credentials">
    Paste the credentials in the specified JSON format into the provided text area. Refer to the sections below for the required structure for each secret type.
  </Step>

  <Step title="Save the Secret">
    Click **Create** to securely store the secret.
  </Step>
</Steps>

Once created, the secret is available for use across your organization's integrations and deployments.

## Edit a Secret

<Steps>
  <Step title="Navigate to Secrets Management">
    Go to **Integrations → Secrets**.
  </Step>

  <Step title="Select and Edit">
    Locate the secret you wish to modify from the list, then click the **Edit** button in the top-right corner.

    <img src="https://mintcdn.com/simplismart-2/vmFWbTNy7o_dyCSF/images/model-suite/integrations/secrets/3-edit-secret.png?fit=max&auto=format&n=vmFWbTNy7o_dyCSF&q=85&s=22012da035ca5e9e8e63b28d81acdd83" alt="Secret detail view with Edit button highlighted" width="3024" height="1454" data-path="images/model-suite/integrations/secrets/3-edit-secret.png" />
  </Step>

  <Step title="Update Credentials">
    Adjust the credentials in the JSON format as needed.
  </Step>

  <Step title="Save Changes">
    Click **Save Changes** to update the secret.
  </Step>
</Steps>

***

## Cloud Credentials

Cloud credentials enable Shakti Studio to interact with your cloud infrastructure for tasks such as creating or importing Kubernetes clusters, managing storage resources, and deploying workloads.

<Info>
  The specific permissions required depend on the actions Shakti Studio will perform (e.g., cluster creation vs. ongoing maintenance). For initial setup, broader access simplifies configuration and can be refined to a more restrictive policy afterward.
</Info>

**Best practices for cloud credentials**

<CardGroup cols={2}>
  <Card title="Use Dedicated Accounts" icon="server">
    Allocate a dedicated cloud account, project, or subscription specifically for Shakti Studio operations to isolate resources and permissions.
  </Card>

  <Card title="Apply Least Privilege" icon="shield">
    Grant only the minimum necessary permissions required for Shakti Studio to perform its functions.
  </Card>

  <Card title="Rotate Credentials Regularly" icon="rotate-ccw">
    Implement periodic rotation of access keys and API tokens to reduce the risk of compromise.
  </Card>

  <Card title="Avoid Root Credentials" icon="user-x">
    Never use personal or root account credentials. Always use service accounts or roles with specific, limited permissions.
  </Card>
</CardGroup>

<Tabs>
  <Tab title="AWS">
    AWS secrets allow Shakti Studio to create or manage EKS clusters and access storage resources.

    #### Required credentials

    * `access_key_id`
    * `secret_access_key`

    #### IAM policies

    * **S3 Access**: Required for model storage, logs, and artifacts. Permissions: `s3:ListBucket`, `s3:GetObject`, `s3:PutObject`.
    * **EKS Full Access (Create Cluster)**: Recommended policies: `AmazonEKSClusterPolicy`, `AmazonEKSServicePolicy`, or `AdministratorAccess` for initial setup.
    * **EKS Maintenance Access (Import Cluster)**: Node group access, cluster read/write operations, networking updates.

    #### Best practices

    * Create a separate AWS sub-account for Shakti Studio.
    * Avoid using root credentials.
    * Use role-based access where possible.

    ```json AWS theme={null}
    {
      "access_key_id": "<access_key>",
      "secret_access_key": "<secret_key>"
    }
    ```
  </Tab>

  <Tab title="GCP">
    GCP secrets allow Shakti Studio to manage GKE clusters and access storage.

    #### Required credentials

    Provide the JSON service account key for a dedicated service account.

    #### IAM policies

    * **GCS Access**: Required for model storage, logs, and artifacts. Recommended role: `Storage Object Admin`.
    * **GKE Full Access (Create Cluster)**: Recommended roles: `Kubernetes Engine Admin`, `Compute Admin`.
    * **GKE Maintenance Access (Import Cluster)**: Recommended roles: `Kubernetes Engine Developer`, cluster read/write permissions.

    #### Best practices

    * Create a separate GCP project for Shakti Studio.
    * Use a dedicated service account.
    * Avoid using personal credentials.

    ```json GCP theme={null}
    {
      "auth_provider_x509_cert_url": "<auth_provider_x509_cert_url>",
      "auth_uri": "<auth_uri>",
      "client_email": "<client_email>",
      "client_id": "<client_id>",
      "client_x509_cert_url": "<client_x509_cert_url>",
      "private_key": "<private_key>",
      "private_key_id": "<private_key_id>",
      "project_id": "<project_id>",
      "token_uri": "<token_uri>",
      "type": "<account_type>",
      "universe_domain": "<universe_domain>"
    }
    ```
  </Tab>

  <Tab title="Azure">
    Azure secrets allow Shakti Studio to manage AKS clusters and storage resources.

    #### Required credentials

    * `tenant_id`
    * `client_id`
    * `client_secret`
    * `subscription_id`

    #### IAM policies

    * **Azure Blob Storage Access**: Recommended role: `Storage Blob Data Contributor`.
    * **AKS Full Access (Create Cluster)**: Recommended role: `Contributor` on the subscription or resource group.
    * **AKS Maintenance Access (Import Cluster)**: Recommended role: `Contributor` on the cluster resource group.

    #### Best practices

    * Create a separate resource group for Shakti Studio.
    * Use a dedicated service principal.
    * Avoid using global subscription credentials.

    ```json Azure theme={null}
    {
      "client_id": "<client_id>",
      "client_secret": "<client_secret>",
      "subscription_id": "<subscription_id>",
      "tenant_id": "<tenant_id>"
    }
    ```
  </Tab>
</Tabs>

***

## Container Registries

Container registry secrets enable Shakti Studio to pull private container images for your deployments and model serving.

<Tabs>
  <Tab title="Docker Hub">
    Docker Hub secrets are used to pull private container images from Docker Hub repositories. Use a **Personal Access Token** instead of your account password.

    #### Set up a personal access token

    1. Log in to [Docker Hub](https://hub.docker.com).
    2. Go to **Account Settings → Security**.
    3. Create a new **Access Token** and copy it.
    4. Add it as a secret in Shakti Studio.

    #### Best practices

    * Use read-only tokens where possible.
    * Create a dedicated organization for Shakti Studio images.

    ```json Docker Hub theme={null}
    {
      "username": "<docker_hub_username>",
      "password": "<docker_hub_access_token>"
    }
    ```
  </Tab>

  <Tab title="Depot">
    Depot secrets enable pulling private containers stored in Depot registries.

    #### Set up a personal access token

    1. Log in to [Depot](https://depot.dev).
    2. Generate a personal access token from your project settings.
    3. Add the token as a secret in Shakti Studio.

    #### Best practices

    * Use a dedicated registry or repository for Shakti Studio.
    * Restrict token scope to required repositories.

    ```json Depot theme={null}
    {
      "username": "x-token",
      "token": "<personal_access_token>"
    }
    ```
  </Tab>

  <Tab title="Nvidia Docker Secret">
    NVIDIA Docker secrets provide access to NVIDIA model containers and other resources on NVIDIA NGC (`nvcr.io`).

    #### Set up an NGC API key

    1. Log in to the [NVIDIA NGC portal](https://ngc.nvidia.com).
    2. Generate an API key from your account settings.
    3. Add it as a secret in Shakti Studio.

    #### Best practices

    * Use a dedicated account for Shakti Studio.
    * Limit token scope to required images.

    ```json Nvidia Docker Secret theme={null}
    {
      "server": "nvcr.io",
      "password": "<ngc_api_key>",
      "username": "$oauthtoken"
    }
    ```
  </Tab>
</Tabs>

***

## Model Sources

Model source secrets allow Shakti Studio to access and download private or gated models from external platforms.

<Tabs>
  <Tab title="Hugging Face">
    Hugging Face secrets enable the download of private or gated models from the Hugging Face Hub.

    #### Set up an access token

    1. Log in to [Hugging Face](https://huggingface.co).
    2. Go to **Settings → Access Tokens**.
    3. Create a new token with at least **Read** access.
    4. Copy the token and add it as a secret in Shakti Studio.

    #### Best practices

    * Use tokens with **read-only access**.
    * Grant access only to the repositories you need.

    ```json Hugging Face theme={null}
    {
      "token": "<huggingface_access_token>"
    }
    ```
  </Tab>

  <Tab title="GitHub">
    GitHub secrets allow Shakti Studio to access models or containers stored in private GitHub repositories or GitHub Container Registry (GHCR).

    #### Set up a personal access token

    1. Log in to [GitHub](https://github.com).
    2. Go to **Settings → Developer settings → Personal access tokens**.
    3. Generate a new token with the required repository or package read permissions.
    4. Copy the token and add it as a secret in Shakti Studio.

    #### Best practices

    * Use fine-grained tokens scoped to only the repositories you need.
    * Grant read-only access.

    ```json GitHub theme={null}
    {
      "token": "<github_personal_access_token>"
    }
    ```
  </Tab>
</Tabs>

***

## Kubernetes Cluster Credentials

Kubernetes cluster credentials store the authentication details needed to connect Shakti Studio to an existing Kubernetes cluster. These are used when importing clusters or deploying workloads to an imported cluster.

<Warning>
  Token-based and certificate-based authentication cannot be used together. Choose only one method.
</Warning>

**Best practices**

* Use a dedicated cluster for Shakti Studio workloads.
* Avoid sharing clusters with unrelated production systems.

<Tabs>
  <Tab title="Token-based">
    Authenticate using a service account token:

    ```json Kubernetes — Token theme={null}
    {
      "token": "<service_account_token>",
      "server": "<cluster_api_server_url>",
      "ca_certificate": "<base64_encoded_ca_certificate>"
    }
    ```
  </Tab>

  <Tab title="Certificate-based">
    Authenticate using client certificates:

    ```json Kubernetes — Certificate theme={null}
    {
      "server": "<cluster_api_server_url>",
      "client_key": "<base64_encoded_client_key>",
      "ca_certificate": "<base64_encoded_ca_certificate>",
      "client_certificate": "<base64_encoded_client_certificate>"
    }
    ```
  </Tab>
</Tabs>

***

## Shakti Cloud S3

Shakti Cloud S3 secrets allow Shakti Studio to access storage hosted on the Shakti Cloud S3-compatible object store.

<Note>
  Reach out to the Shakti Cloud team to obtain credentials for Shakti Cloud S3.
</Note>

```json Shakti Cloud S3 theme={null}
{
  "endpoint_url": "<endpoint_url>",
  "access_key_id": "<access_key_id>",
  "secret_access_key": "<secret_access_key>"
}
```

***

## Generic Secrets

Generic secrets provide a flexible way to securely store any custom credentials or sensitive information not covered by the specific secret types above. These can include third-party API keys, custom authentication tokens, or other environment variables.

1. Go to **Integrations → Secrets**.
2. Click **Create Secret**.
3. Select **Generic** as the secret type.
4. Enter key-value pairs in the required JSON format.
5. Click **Create** to save.

```json Generic theme={null}
{
  "KEY_NAME": "VALUE"
}
```
