Providing your agent with sensitive information
Most agents will require access to sensitive information, such as API keys, passwords, and other secrets. To keep this information secure, we recommend using Pipecat Cloud’s secret management feature.
Secrets are created as “sets” of key-value pairs, and defined at the user / organization level. This means that secrets can be shared across all agent deployments within the same user workspace or organization.
To access secrets, your deployment must specify the secret set to use.
Secrets can be managed via either the CLI or the Dashboard.
This command will create or modify the secret set with the name my-secrets, and add or update the key-value pairs SECRET_NAME and SECRET_NAME_2.
You can add additional secrets to the set by specifying more key-value pairs.
Whenever a secret is added or updated in an existing set, any deployments using that set will need to be redeployed to access the new values.
There are several ways to specify key-value pairs:
Simple values (no spaces or special characters):
Values with spaces:
Values containing equals signs:
Values containing quotes:
Values containing backslashes:
[a-zA-Z0-9_-]
KEY="value with spaces"
"KEY=value with spaces"
'KEY=value "quoted" here'
KEY="value \"quoted\" here"
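The quoting forms above differ only in how the shell hands the argument to the CLI. The following added example (not from the original page, and not the CLI's own parser) uses Python's shlex to emulate POSIX shell word splitting and shows which forms arrive as the same KEY=VALUE argument. Splitting on the first "=" and applying the character class [a-zA-Z0-9_-] to key names are assumptions.

```python
import re
import shlex

# Character class shown on the page; applying it to key names is an assumption.
KEY_RE = re.compile(r"[a-zA-Z0-9_-]+")

def parse_pairs(command_tail):
    """Split a command tail the way a POSIX shell would, then split each
    argument on its first '=' so later '=' characters stay in the value."""
    pairs = {}
    for arg in shlex.split(command_tail):
        key, sep, value = arg.partition("=")
        if not sep or not KEY_RE.fullmatch(key):
            raise ValueError(f"not a KEY=VALUE argument: {key!r}")
        pairs[key] = value
    return pairs

# Constructed sample inputs, one per quoting form listed above.
SAMPLES = {
    "spaces_value_quoted": 'KEY="value with spaces"',
    "spaces_arg_quoted": '"KEY=value with spaces"',
    "quotes_single": '\'KEY=value "quoted" here\'',
    "quotes_escaped": 'KEY="value \\"quoted\\" here"',
    "equals": "TOKEN=abc==",
    "backslash_quoted": r"WIN_PATH='C:\temp\x'",
    # Failure mode: an unquoted backslash is consumed by the shell.
    "backslash_unquoted": r"WIN_PATH=C:\temp\x",
}

def demo():
    """Parse every sample and return the resulting key-value pairs."""
    return {name: parse_pairs(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, parsed in demo().items():
        print(f"{name:20} {parsed}")
```

An unquoted value with spaces fails the same way: the shell splits it into several arguments, and only the first one carries the key.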
You can view a list of available secret sets in your currently selected workspace or organization.
You can pass an optional secret set name to view the secret keys within that set. Values are not displayed.
To remove a secret from a set, use the unset command.
To remove a secret-set entirely, use the delete command:
Image pull secrets are used to authenticate with private Docker registries when deploying agents.
They can be passed as part of the deploy command.
Running this command will prompt you for account credentials.
You can optionally encode your credentials in base64 with the --base64encode flag.
Unlike secret sets, image pull secrets cannot be updated. You must delete and recreate the secret if you need to change the credentials.
If you want to use private Docker Hub images with your Pipecat Cloud deployment, follow these steps:
Step 1: Create a Docker Hub Access Token
Step 2: Make Your Docker Hub Image Private
Step 3: Set Up Image Pull Secret in Pipecat Cloud
dockerhub-access is the name of your image pull secret, so name it whatever you’d like.
Step 4: Deploy Your Agent with the Image Pull Secret
Update your pcc-deploy.toml file:
Finally, deploy your agent with the pcc-deploy.toml configuration:
Secrets are mounted as environment variables in your agent process.
For example, if you define a secret with the key MY_SECRET, you can access it in your agent code like so:
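As an added example (not code from the original page), the loader below reads the mounted environment variables once at startup, refuses to start when a required key is absent or blank, and only ever logs a redacted form. MY_SECRET is the key named above; OTHER_API_KEY, NOT_SET and the sample values are constructed.

```python
import os

class MissingSecretError(RuntimeError):
    """Raised at startup when a required secret is absent or blank."""

def load_secrets(required, environ=None):
    """Read every required secret from the environment in one place.

    Fails before the agent starts handling sessions if the deployment was
    created without the secret set, or not redeployed after a key was added.
    """
    env = os.environ if environ is None else environ
    values = {name: env.get(name, "") for name in required}
    missing = sorted(name for name, value in values.items() if not value.strip())
    if missing:
        # Names only: the error may end up in logs, values must not.
        raise MissingSecretError("missing or empty secrets: " + ", ".join(missing))
    return values

def redact(value, keep=4):
    """Log-safe form of a secret: a short suffix for long values, else mask all."""
    if len(value) < keep * 4:
        return "***"
    return "***" + value[-keep:]

# Constructed environment standing in for the deployed agent process.
SAMPLE_ENV = {"MY_SECRET": "constructed-value-0123456789abcdef", "OTHER_API_KEY": " "}

if __name__ == "__main__":
    secrets = load_secrets(["MY_SECRET"], SAMPLE_ENV)
    print("MY_SECRET loaded:", redact(secrets["MY_SECRET"]))
    try:
        load_secrets(["MY_SECRET", "OTHER_API_KEY"], SAMPLE_ENV)
    except MissingSecretError as exc:
        print("startup refused:", exc)
```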
When deploying, you have two options to specify which secret set to use:
secret_set key in your pcc-deploy.toml file:
With either approach, the CLI will automatically inject the secrets from the specified set into your agent deployment as environment variables.
If you prefer to manage secrets outside of Pipecat Cloud, you can use environment variables or other secret management tools.
You could, for example, set environment variables in your Dockerfile:
We recommend using Pipecat Cloud’s built-in management for the most secure and versatile method of managing secrets.
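Values set with ENV in a Dockerfile are stored in the image's configuration, so anyone who can pull the image can read them. The added check below (not from the original page) flags ENV and ARG instructions that give a secret-looking name a value inside the Dockerfile; the name patterns and the sample Dockerfile are constructed assumptions.

```python
import re

# Heuristic name patterns (assumption; tune for your own naming scheme).
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY", re.I)
INSTRUCTION = re.compile(r"^\s*(ENV|ARG)\s+(.+)$", re.I)
PAIR = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|'[^']*'|\S*)""")

def find_baked_secrets(dockerfile_text):
    """Return (instruction, key) for each ENV/ARG entry that assigns a
    value to a secret-looking name inside the Dockerfile."""
    findings = []
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)  # fold line continuations
    for line in joined.splitlines():
        m = INSTRUCTION.match(line)
        if not m:
            continue  # comments and other instructions
        instr, rest = m.group(1).upper(), m.group(2).strip()
        pairs = PAIR.findall(rest)
        if not pairs and instr == "ENV":
            # Legacy form: ENV KEY value
            key, _, value = rest.partition(" ")
            pairs = [(key, value.strip())]
        for key, value in pairs:
            # An ARG declared without a default carries no value in the file.
            if SECRET_NAME.search(key) and value.strip("\"'"):
                findings.append((instr, key))
    return findings

# Constructed Dockerfile; every value is a placeholder.
SAMPLE_DOCKERFILE = r"""
FROM python:3.12-slim
ENV LOG_LEVEL=info MY_SECRET="constructed-not-a-real-key"
ENV API_TOKEN constructed-value
ARG BUILD_PASSWORD
ARG NPM_TOKEN=constructed
ENV DB_PASSWORD=abc \
    REGION=us
# ENV OLD_SECRET=commented-out
"""

if __name__ == "__main__":
    for instr, key in find_baked_secrets(SAMPLE_DOCKERFILE):
        print(f"{instr} {key}: value is set in the Dockerfile")
```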