Add Pipeline Step Secrets support to Python SDK and CLI #830
Conversation
- Implement step_version_secrets parsing in pipeline_builder.py - Add helper methods to Pipeline client (get_pipeline_version, create_pipeline_version, list_step_secrets) - Include step secrets in lockfile generation - Update pipeline config template with example step secrets - Add comprehensive test coverage for step secrets functionality Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
Add note explaining that Python API uses simplified format without 'secrets' wrapper compared to YAML configuration Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
- Change info logging to debug level to reduce verbosity - Rename 'secrets' variable to 'secret_refs' for clarity - Add comments explaining that only references (not values) are handled - Remove per-secret logging to minimize exposure surface - Address CodeQL security alerts (false positives documented) Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
| # Secret references are like "users/user123/secrets/my-api-key" | ||
| secret_refs = step_config.get("secrets", {}) | ||
| if not secret_refs: | ||
| logger.debug(f"No secret references found for step {step_ref}, skipping") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion Hide autofix suggestion
Copilot Autofix
AI about 11 hours ago
To fix this problem, avoid logging potentially sensitive information such as secret references or their paths. Instead of logging the entire step_ref, use a generic message or obfuscate the reference (e.g., only log the existence of a skipped step, log a hash, or mask the reference). Change line 395 inside method _add_step_version_secrets to avoid outputting the value of step_ref in cleartext. For example, replace the message with a generic "A step contains no secret references and will be skipped" or, if logging is required, sufficiently redact or hash the reference string. No additional imports are required—the logging library and framework is already set up.
| @@ -392,7 +392,7 @@ | ||
| # Note: 'step_config' contains the secret mappings directly (not nested under 'secrets') | ||
| # Secret references are like "users/user123/secrets/my-api-key" | ||
| if not step_config: | ||
| logger.debug(f"No secret references found for step {step_ref}, skipping") | ||
| logger.debug("No secret references found for a step, skipping") | ||
| continue | ||
| | ||
| # Create StepSecretConfig proto |
| | ||
| # Add to pipeline version config | ||
| pipeline_version.config.step_version_secrets[step_ref].CopyFrom(step_secret_config) | ||
| logger.debug(f"Configured secret references for step {step_ref}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion Hide autofix suggestion
Copilot Autofix
AI about 11 hours ago
The best way to fix this issue is to prevent logging of secret references in clear text. In particular, at line 405, we should avoid including step_ref verbatim as part of the debug message. Instead, we can safely log a generic message, such as "Configured secret references for a step" or, if needed for debugging, log only non-sensitive information (e.g., the number of configured secrets, or step indices).
Changes to make:
- Update line 405 in
clarifai/runners/pipelines/pipeline_builder.pyto remove or redact the logging ofstep_ref. - If you must log info for debugging, use a generic message (without referencing the specific step_ref value).
- No new imports or dependencies are needed.
| @@ -402,7 +402,7 @@ | ||
| | ||
| # Add to pipeline version config | ||
| pipeline_version.config.step_version_secrets[step_ref].CopyFrom(step_secret_config) | ||
| logger.debug(f"Configured secret references for step {step_ref}") | ||
| logger.debug("Configured secret references for a step (step reference redacted)") | ||
| | ||
| def create_pipeline(self) -> tuple[bool, str]: | ||
| """Create the pipeline using PostPipelines RPC. |
| @copilot The stepversionsecret should be part of the orchestration spec in each of the pipeline steps. Why Map<SecretName, SecretRef>? For one pipeline, While for another one, |
Per review feedback, step_version_secrets should be part of the pipeline config section (matching the proto structure PipelineVersion.config.step_version_secrets) rather than nested inside orchestration_spec. Changes: - Move step_version_secrets from orchestration_spec to config section in YAML structure - Update pipeline_builder.py to read from config section - Update lockfile generation to preserve secrets in config section - Update templates and documentation to show correct structure - Update all tests to use new config structure The new YAML structure is: ```yaml pipeline: orchestration_spec: argo_orchestration_spec: | ... config: step_version_secrets: step-0: secrets: API_KEY: users/user123/secrets/my-api-key ``` Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
Updated the implementation to match the proto structure. The The new YAML structure is: pipeline: orchestration_spec: argo_orchestration_spec: | ... config: step_version_secrets: step-0: secrets: API_KEY: users/user123/secrets/my-api-keyAll tests updated and passing. Changes in commit 9cdadbd. |
| # API_KEY: users/{user_id}/secrets/my-api-key | ||
| # DB_PASSWORD: users/{user_id}/secrets/db-secret | ||
| # step-1: | ||
| # secrets: |
There was a problem hiding this comment.
@copilot secrets has been removed from api. remove it in the cli and sdk code as well.
There was a problem hiding this comment.
Removed the nested secrets key from the YAML configuration structure. The structure is now flattened so secrets are directly under each step reference:
config: step_version_secrets: step-0: API_KEY: users/user123/secrets/my-api-key DB_PASSWORD: users/user123/secrets/db-secretUpdated in CLI templates, documentation, pipeline builder, and all tests. Changes in commit 540244b.
Per review feedback, the nested 'secrets' key has been removed from the API. Updated the SDK and CLI to use the flattened structure where secrets are directly under each step reference. Changes: - CLI templates: Removed nested 'secrets' key from example config - Pipeline builder: Updated to iterate directly over step_config dict instead of accessing nested 'secrets' key - Documentation: Updated examples to show flattened structure - Tests: Updated all tests to use flattened structure without nested 'secrets' key - Pipeline client: Added clarifying comments about proto response structure Old structure (removed): ```yaml step_version_secrets: step-0: secrets: API_KEY: users/user123/secrets/my-api-key ``` New structure (current): ```yaml step_version_secrets: step-0: API_KEY: users/user123/secrets/my-api-key ``` Co-authored-by: ydixit-clarifai <219138670+ydixit-clarifai@users.noreply.github.com>
Clarifai backend now supports Pipeline Step Secrets for step-level secret isolation. This PR implements SDK and CLI support for the feature.
Why
How
step_version_secretsfrom theconfigsection in config.yaml (matching proto structurePipelineVersion.config.step_version_secrets)PipelineVersion.configvia new_add_step_version_secrets()methodsecretskey per API update)Tests
Notes
Changes
Pipeline Builder (
clarifai/runners/pipelines/pipeline_builder.py)step_version_secretsfromconfigsection in config.yaml (matching proto structurePipelineVersion.config.step_version_secrets)PipelineVersion.configvia new_add_step_version_secrets()methodprepare_lockfile_with_step_versions(),generate_lockfile_data())Pipeline Client (
clarifai/client/pipeline.py)get_pipeline_version()- retrieve version with secrets configcreate_pipeline_version()- create version with secrets viaPatchPipelineVersionslist_step_secrets()- query secrets for all/specific steps{step_ref: {secret_name: secret_path}}CLI Template (
clarifai/cli/templates/pipeline_templates.py)step_version_secretsexample to generated pipeline configs in correctconfigsectionsecretskeyDocumentation (
docs/pipeline_step_secrets.md)Usage
Config YAML (Flattened Structure):
Python SDK:
Security
Backward Compatibility
step_version_secretsis optionalAPI Structure Note
The configuration uses a flattened structure where secret mappings are directly under each step reference. While the proto internally has a
StepSecretConfigwith asecretsfield, the YAML configuration and Python API use the simplified format for ease of use.Original prompt
This section details on the original issue you should resolve
<issue_title>Pipeline Step Secrets Feature Adoption in Python SDK and CLI</issue_title>
<issue_description>## Overview
Clarifai backend now supports Pipeline Step Secrets—enabling different pipeline steps to access distinct sets of secrets with step-level isolation. This document outlines the technical changes required to adopt this feature in the Python SDK and CLI, ensuring compatibility with updated API fields and backend functionality.
API Feature Summary
1. New Proto Fields
map<string, StepSecretConfig>step1,step2, ...)StepSecretConfigmap<string, string>API_KEY)users/user123/secrets/my-api-key)2. Updated API Endpoints
3. Example API Usage
Creation
{ "pipeline_version": { "config": { "step_version_secrets": { "step1": { "secrets": { "API_KEY": "users/user123/secrets/my-api-key", "DB_PASSWORD": "users/user123/secrets/db-secret" } }, "step2": { "secrets": { "EMAIL_TOKEN": "users/user123/secrets/email-token" } } } } } }Python SDK Changes
1. Proto/Model Updates
PipelineVersionConfigincludes thestep_version_secretsfield.StepSecretConfigmodel/class for mapping secrets per step.2. Client Method Updates
get_pipeline_version()to handle new step secrets field.create_pipeline_version()to accept step secrets.3. Helper Methods (Recommended)
add_step_secret(step_ref, secret_name, secret_ref)remove_step_secret(step_ref, secret_name)list_step_secrets(step_ref)CLI Changes
1. Command Updates
clarifai pipeline version createto accept step secrets specified in the orchestration spec (config.yaml), not as CLI parameters.clarifai pipeline version getto display step secrets.2. Config File Integration (Orchestration Spec)
Step secrets should be defined within the
config.yamlfile as part of the pipeline orchestration specification, matching the API schema.Example
config.yaml:CLI usage examples:
All step secrets should be managed via the spec file; do not support CLI flags for individual secrets.
3. Output Formatting
Backward Compatibility
step_version_secretsis optional; existing pipelines unaffected.Testing Requirements
1. Unit Tests
2. Integration Tests
3. Example Code & Documentation
Security Considerations
Additional Context
---...
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.