Skip to main content
Use the W&B Secrets Manager with the W&B Python SDK to access sensitive information such as API keys and tokens in a sandbox. To use a secret in a sandbox, first add it to your team’s Secrets Manager. Then reference that secret by name when you create the sandbox. Do not include the secret’s value directly in your code or in the sandbox configuration. W&B injects each requested secret into the sandbox as an environment variable. By default, the environment variable name matches the secret name. You can customize the environment variable name with the env_var parameter. For structured secrets, you can also use the field parameter to expose a specific field from the secret value.
See Manage secrets for information about creating and managing secrets in your W&B account.

Access secrets in a sandbox

Use wandb.sandbox.Secret to request access to secrets stored in your team’s Secrets Manager. Pass one or more Secret objects to the secrets parameter of Sandbox.run(). Each Secret object identifies a secret by name. W&B injects the secret value into the sandbox as an environment variable.
Pass the secret name, not the secret value. Within the sandbox, read the secret from the corresponding environment variable.
The following example makes two existing secrets available in the sandbox: HF_TOKEN and OPENAI_API_KEY. 
from wandb.sandbox import Sandbox, Secret

with Sandbox.run(
    secrets=[
        Secret(name="HF_TOKEN"),
        Secret(name="OPENAI_API_KEY"),
    ],
) as sandbox:
    result = sandbox.exec([
        "python",
        "-c",
        """
import os
print(f"HF token: {os.environ['HF_TOKEN'][:8]}...")
print(f"OpenAI key: {os.environ['OPENAI_API_KEY'][:8]}...")
""",
    ]).result()
    print(result.stdout)
Inside the sandbox, access each secret through its environment variable. In this example, HF_TOKEN is available as os.environ["HF_TOKEN"], and OPENAI_API_KEY is available as os.environ["OPENAI_API_KEY"]. To use a different environment variable name, see Use a custom environment variable name.

Use a custom environment variable name

By default, a secret’s environment variable name matches the secret name. To use a different name in the sandbox, set the env_var parameter on Secret (Secret(env_var="CUSTOM_NAME")). The following example makes the HF_TOKEN secret available as HUGGINGFACE_TOKEN inside the sandbox: 
from wandb.sandbox import Sandbox, Secret

with Sandbox.run(
    secrets=[
        Secret(name="HF_TOKEN", env_var="HUGGINGFACE_TOKEN")
    ],
) as sandbox:
    result = sandbox.exec([
        "python",
        "-c",
        """
import os
print(f"Hugging Face token: {os.environ['HUGGINGFACE_TOKEN'][:8]}...")
""",
    ]).result()
    print(result.stdout)

Extract a field from a structured secret

Use the field parameter (Secret(field="field_name")) to extract a specific field from a structured secret. For example, suppose the db-credentials secret contains a JSON object with several fields. The following example extracts the password field and exposes it in the sandbox as the DB_PASS environment variable: 
from wandb.sandbox import Sandbox, Secret

with Sandbox.run(
    secrets=[
        Secret(name="db-credentials", field="password", env_var="DB_PASS")
    ],
) as sandbox:
    result = sandbox.exec([
        "python",
        "-c",
        """
import os
print(f"Database password: {os.environ['DB_PASS'][:8]}...")
""",
    ]).result()
    print(result.stdout)
In this example, the sandbox does not receive the full structured secret. It receives only the extracted password field as the value of DB_PASS.