Secrets - Simplismart

Secrets are secure credentials stored within Simplismart platform that allow the platform to access external systems such as cloud accounts, container registries, model sources, or Kubernetes clusters. Secrets typically include:

Access keys
API tokens
Service account credentials
Cluster authentication details

All secrets are stored securely and are only used for the specific integrations or deployments where they are referenced.

Token-based and certificate-based authentication cannot be used together. Choose only one method.

Why secrets are used

Secrets are required to:

Access cloud infrastructure for cluster creation or import
Pull containers from private registries
Download models from external sources
Authenticate with Kubernetes clusters

Using secrets ensures:

Credentials are not exposed in plain text
Access can be centrally managed
Integrations can be reused across deployments

Add a Secret

Navigate to Secrets Management

Go to Integrations → Secrets in the Simplismart UI.

Initiate Secret Creation

Click the Create Secret button to open the secret creation form.

Define Secret Details

Enter a descriptive secret name and choose the appropriate secret type from the dropdown menu (e.g., AWS, GCP, Docker Hub, Hugging Face, Kubernetes, Generic).

Input Credentials

Paste the credentials in the specified JSON format into the provided text area. Refer to the sections below for examples of required structures for each secret type.

Save the Secret

Click Create to securely store the secret.

Once created, the secret is securely stored and available for use across your organization’s integrations and deployments.

Using Secrets

Secrets can be used in:

Cloud account integrations
Cluster creation or import
Container registry access
Model source authentication

When configuring an integration or deployment, select the relevant secret from the dropdown.

Edit Secrets

To modify an existing secret:

Navigate to Secrets Management

Go to Integrations → Secrets.

Select and Edit

Locate the secret you wish to modify from the list, then click the Edit button on the top right corner of the screen.

Update Credentials

Adjust the credentials in the JSON format as needed. Ensure the new credentials are valid for the secret type.

Save Changes

Click Save Changes to update the secret.

Cloud Credentials

Cloud credentials (often referred to as cloud secrets) enable Simplismart to interact with your cloud infrastructure for tasks such as:

Creating or importing Kubernetes clusters
Managing storage resources for model artifacts and training data
Deploying workloads to your cloud environment

Best Practices for Cloud Credentials When configuring cloud credentials, follow these best practices to maintain a secure and efficient environment:

Use Dedicated Accounts

Allocate a dedicated cloud account, project, or subscription specifically for Simplismart operations to isolate resources and permissions.

Apply Least Privilege

Grant only the minimum necessary permissions required for Simplismart to perform its functions. Avoid overly broad access.

Rotate Credentials Regularly

Implement a policy for periodic rotation of access keys and API tokens to reduce the risk of compromise.

Avoid Root Credentials

Never use personal or root account credentials. Always use service accounts or roles with specific, limited permissions.

The specific permissions required depend on the actions Simplismart will perform (e.g., cluster creation vs. ongoing maintenance). For initial setup, broader access might simplify configuration, which can then be refined to a more restrictive policy.

Required Permissions for Cloud Providers

Below are the recommended initial roles for integrating with major cloud providers. These roles provide sufficient permissions for Simplismart to manage resources effectively. You can refine these permissions after the initial setup.

AWS
GCP
Azure
QBlocks

AWS secrets allow Simplismart to create or manage EKS clusters and access storage resources.

Required Credentials

Provide the following fields in the JSON format:

access_key_id
secret_access_key

IAM Policies

S3 Access: Required for model storage, logs, and artifacts. Permissions: s3:ListBucket, s3:GetObject, s3:PutObject.
EKS Full Access (Create Cluster): Required when creating new clusters from the platform. Recommended policies: AmazonEKSClusterPolicy, AmazonEKSServicePolicy, or AdministratorAccess (recommended for initial setup).
EKS Maintenance Access (Import Cluster): Required when importing an existing cluster. Permissions: Node group access, cluster read/write operations, networking updates.

Best practices

Create a separate AWS sub-account for Simplismart.
Avoid using root credentials.
Use role-based access where possible.

AWS Credentials JSON Example

{
  "access_key_id": "<access_key>",
  "secret_access_key": "<secret_key>"
}

GCP secrets allow Simplismart to manage GKE clusters and access storage.

Required Credentials

Provide the JSON service account key for a dedicated service account.

IAM Policies

GCS Access: Required for model storage, logs, and artifacts. Recommended role: Storage Object Admin.
GKE Full Access (Create Cluster): Required when creating clusters. Recommended roles: Kubernetes Engine Admin, Compute Admin.
GKE Maintenance Access (Import Cluster): Required when importing existing clusters. Recommended roles: Kubernetes Engine Developer, cluster read/write permissions.

Best practices

Create a separate GCP project for Simplismart.
Use a dedicated service account.
Avoid using personal credentials.

GCP Credentials JSON Example

{
  "auth_provider_x509_cert_url": "<auth_provider_x509_cert_url>",
  "auth_uri": "<auth_uri>",
  "client_email": "<client_email>",
  "client_id": "<client_id>",
  "client_x509_cert_url": "<client_x509_cert_url>",
  "private_key": "<private_key>",
  "private_key_id": "<private_key_id>",
  "project_id": "<project_id>",
  "token_uri": "<token_uri>",
  "type": "<account_type>",
  "universe_domain": "<universe_domain>"
}

Azure secrets allow Simplismart to manage AKS clusters and storage resources.

Required Credentials

Provide the following fields in the JSON format:

tenant_id
client_id
client_secret
subscription_id

IAM Policies

Azure Blob Storage Access: Required for model artifacts, logs, and outputs. Recommended role: Storage Blob Data Contributor.
AKS Full Access (Create Cluster): Required when creating clusters. Recommended role: Contributor on the subscription or resource group.
AKS Maintenance Access (Import Cluster): Required when importing existing clusters. Recommended role: Contributor on the cluster resource group.

Best practices

Create a separate resource group for Simplismart.
Use a dedicated service principal.
Avoid using global subscription credentials.

Azure Credentials JSON Example

{
  "client_id": "<client_id>",
  "client_secret": "<client_secret>",
  "subscription_id": "<subscription_id>",
  "tenant_id": "<tenant_id>"
}

QBlocks secrets allow Simplismart to access QBlocks infrastructure resources for cluster provisioning and resource management.

Best practices

Use a dedicated account for Simplismart.
Limit permissions to required resources.

QBlocks Credentials JSON Example

{
  "API_KEY": "<your-monster-api-key>"
}

Container Registries

Secrets for container registries enable Simplismart to pull private container images for your deployments and model serving. Each registry type has specific credential requirements.

Docker Hub
Depot
NVIDIA NIM

Docker Hub secrets are used to pull private container images from Docker Hub repositories. Use a Personal Access Token instead of your password for authentication.

Set up a personal access token

Log in to Docker Hub.
Go to Account Settings → Security.
Create a new Access Token.
Copy the token.
Add it as a secret in Simplismart.

Best practices

Create a separate registry or organisation for Simplismart.
Use read-only tokens where possible.

Docker Hub Credentials JSON Example

{
  "username": "<username>",
  "password": "<personal_access_token>"
}

Depot secrets facilitate pulling private containers stored in Depot registries. A Personal Access Token is required to authenticate.

Set up a personal access token

Log in to Depot.
Generate a personal access token.
Add the token as a secret in Simplismart.

Best practices

Use a dedicated registry or repository for Simplismart.
Restrict token scope to required repositories.

Depot Credentials JSON Example

{
  "username": "x-token",
  "token": "<personal_access_token>"
}

NVIDIA NIM secrets provide access to NVIDIA model containers and other resources on NVIDIA NGC.

Set up a personal access token

Generate a token from the NVIDIA NGC portal.
Add it as a secret in Simplismart.

Best practices

Use a dedicated account for Simplismart.
Limit token scope to required images.

NVIDIA NIM Credentials JSON Example

{
  "server": "nvcr.io",
  "password": "",
  "username": "$oauthtoken"
}

Model Sources

Secrets for model sources allow Simplismart to access and download private or gated models from external platforms.

Hugging Face
GitHub (Coming Soon)

Hugging Face secrets enable the download of private or gated models from the Hugging Face Hub. A Personal Access Token is required for authentication.

Set up an API key

Log in to Hugging Face.
Go to Settings → Access Tokens.
Create a new token.
Copy the token.
Add it as a secret in Simplismart.

Best practices

Create a separate account for Simplismart.
Use tokens with read-only access.
Grant access only to required models.

Hugging Face Credentials JSON Example

{
  "token": "<access_token>"
}

Kubernetes Cluster Credentials

Kubernetes cluster credentials store the necessary authentication details to connect Simplismart to an existing Kubernetes cluster. These are used when importing clusters or deploying workloads to an imported cluster.

Use either token-based or certificate-based authentication, not both.

Kubernetes secrets are required to:

Import clusters into the platform
Authenticate API access
Manage deployments

** Best practices**

Use a dedicated cluster for Simplismart workloads.
Avoid sharing clusters with unrelated production systems.
Use a dedicated subdomain for the cluster.

Token-based
Certificate-based

To authenticate using a service account token:

Kubernetes Token JSON Example

{
  "token": "<token>",
  "server": "<server>",
  "ca_certificate": "<ca_certificate>"
}

To authenticate using client certificates:

Kubernetes Certificate JSON Example

{
  "server": "<server>",
  "client_key": "<client_key>",
  "ca_certificate": "<ca_certificate>",
  "client_certificate": "<client_certificate>"
}

OCI Cluster Credentials

OCI credentials enable Simplismart to securely integrate with your Oracle Cloud Infrastructure (OCI) environment. These credentials are required to import existing OCI clusters, allowing you to deploy, manage, and scale models directly on your OCI-hosted infrastructure.

Simplismart supports both token-based and certificate-based authentication for OCI clusters.

Token-based
Certificate-based

To authenticate using an OCI token:

OCI Token JSON Example

{
  "token": "<token>",
  "server": "<server>",
  "client_key": "<client_key>",
  "ca_certificate": "<ca_certificate>",
  "client_certificate": "<client_certificate>"
}

To authenticate using OCI certificates:

OCI Certificate JSON Example

{
  "server": "<server>",
  "client_key": "<client_key>",
  "client_certificate": "<client_certificate>",
  "ca_certificate": "<ca_certificate>"
}

Generic Secrets

Generic secrets provide a flexible way to securely store any custom credentials or sensitive information not covered by the specific secret types above. These can include third-party API keys, custom authentication tokens, or other environment variables.

How to add a generic secret?

Go to Integrations → Secrets.
Click Create Secret.
Select Generic Secret.
Enter key-value pairs in the required JSON format.
Save the secret.

Generic Secret JSON Example

{
  "KEY_NAME": "VALUE"
}

Get Started

Types of Inference

Playground

Model Compilation

Deployment

Benchmarking

Training

Settings

Observability

References

​Why secrets are used

​Add a Secret

​Using Secrets

​Edit Secrets

​Cloud Credentials

Use Dedicated Accounts

Apply Least Privilege

Rotate Credentials Regularly

Avoid Root Credentials

​Required Permissions for Cloud Providers

​Required Credentials

​IAM Policies

​Best practices

​Required Credentials

​IAM Policies

​Best practices

​Required Credentials

​IAM Policies

​Best practices

​Best practices

​Container Registries

​Set up a personal access token

​Best practices

​Set up a personal access token

​Best practices

​Set up a personal access token

​Best practices

​Model Sources

​Set up an API key

​Best practices

​Kubernetes Cluster Credentials

​OCI Cluster Credentials

​Generic Secrets

​How to add a generic secret?

Why secrets are used

Add a Secret

Using Secrets

Edit Secrets

Cloud Credentials

Required Permissions for Cloud Providers

Required Credentials

IAM Policies

Best practices

Required Credentials

IAM Policies

Best practices

Required Credentials

IAM Policies

Best practices

Best practices

Container Registries

Set up a personal access token

Best practices

Set up a personal access token

Best practices

Set up a personal access token

Best practices

Model Sources

Set up an API key

Best practices

Kubernetes Cluster Credentials

OCI Cluster Credentials

Generic Secrets

How to add a generic secret?