> ## Documentation Index
> Fetch the complete documentation index at: https://docs.simplismart.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Store and manage credentials used by integrations, clusters, registries, and deployments.

Secrets are secure credentials stored within Simplismart platform that allow the platform to access external systems such as cloud accounts, container registries, model sources, or Kubernetes clusters.

Secrets typically include:

* Access keys
* API tokens
* Service account credentials
* Cluster authentication details

All secrets are stored securely and are only used for the specific integrations or deployments where they are referenced.

<Warning>
  Token-based and certificate-based authentication cannot be used together. Choose only one method.
</Warning>

## Why secrets are used

Secrets are required to:

* Access cloud infrastructure for cluster creation or import
* Pull containers from private registries
* Download models from external sources
* Authenticate with Kubernetes clusters

Using secrets ensures:

* Credentials are not exposed in plain text
* Access can be centrally managed
* Integrations can be reused across deployments

## Add a Secret

<Steps>
  <Step title="Navigate to Secrets Management">
    Go to **Integrations → Secrets** in the Simplismart UI.
  </Step>

  <Step title="Initiate Secret Creation">
    Click the **Create Secret** button to open the secret creation form.

    <img src="https://mintcdn.com/simplismart-3f10d72e/OBeYobCv0x6Baj9r/images/integrations/secrets/1-list-secret.png?fit=max&auto=format&n=OBeYobCv0x6Baj9r&q=85&s=a76eabb35a4c01be15775ca7f8b4594d" alt="" width="3024" height="1650" data-path="images/integrations/secrets/1-list-secret.png" />
  </Step>

  <Step title="Define Secret Details">
    Enter a descriptive **secret name** and choose the appropriate **secret type** from the dropdown menu (e.g., `AWS`, `GCP`, `Docker Hub`, `Hugging Face`, `Kubernetes`, `Generic`).

    <img src="https://mintcdn.com/simplismart-3f10d72e/OBeYobCv0x6Baj9r/images/integrations/secrets/2-create-secret.png?fit=max&auto=format&n=OBeYobCv0x6Baj9r&q=85&s=49acc8535b61f805b9c76ec1c01b7024" alt="" width="3024" height="1650" data-path="images/integrations/secrets/2-create-secret.png" />
  </Step>

  <Step title="Input Credentials">
    Paste the credentials in the specified JSON format into the provided text area. Refer to the sections below for examples of required structures for each secret type.
  </Step>

  <Step title="Save the Secret">
    Click **Create** to securely store the secret.
  </Step>
</Steps>

Once created, the secret is securely stored and available for use across your organization's integrations and deployments.

## Using Secrets

Secrets can be used in:

* Cloud account integrations
* Cluster creation or import
* Container registry access
* Model source authentication

When configuring an integration or deployment, select the relevant secret from the dropdown.

## Edit Secrets

To modify an existing secret:

<Steps>
  <Step title="Navigate to Secrets Management">
    Go to **Integrations → Secrets**.
  </Step>

  <Step title="Select and Edit">
    Locate the secret you wish to modify from the list, then click the **Edit** button on the top right corner of the screen.

    <img src="https://mintcdn.com/simplismart-3f10d72e/OBeYobCv0x6Baj9r/images/integrations/secrets/3-edit-secret.png?fit=max&auto=format&n=OBeYobCv0x6Baj9r&q=85&s=1c400f0390b669417926c58064e4d5c2" alt="" width="3024" height="1650" data-path="images/integrations/secrets/3-edit-secret.png" />
  </Step>

  <Step title="Update Credentials">
    Adjust the credentials in the JSON format as needed. Ensure the new credentials are valid for the secret type.
  </Step>

  <Step title="Save Changes">
    Click **Save Changes** to update the secret.
  </Step>
</Steps>

## Cloud Credentials

Cloud credentials (often referred to as cloud secrets) enable Simplismart to interact with your cloud infrastructure for tasks such as:

* Creating or importing Kubernetes clusters
* Managing storage resources for model artifacts and training data
* Deploying workloads to your cloud environment

**Best Practices for Cloud Credentials**

When configuring cloud credentials, follow these best practices to maintain a secure and efficient environment:

<CardGroup cols={2}>
  <Card title="Use Dedicated Accounts" icon="server">
    Allocate a dedicated cloud account, project, or subscription specifically for Simplismart operations to isolate resources and permissions.
  </Card>

  <Card title="Apply Least Privilege" icon="shield">
    Grant only the minimum necessary permissions required for Simplismart to perform its functions. Avoid overly broad access.
  </Card>

  <Card title="Rotate Credentials Regularly" icon="rotate-ccw">
    Implement a policy for periodic rotation of access keys and API tokens to reduce the risk of compromise.
  </Card>

  <Card title="Avoid Root Credentials" icon="user-x">
    Never use personal or root account credentials. Always use service accounts or roles with specific, limited permissions.
  </Card>
</CardGroup>

<Info>
  The specific permissions required depend on the actions Simplismart will perform (e.g., cluster creation vs. ongoing maintenance). For initial setup, broader access might simplify configuration, which can then be refined to a more restrictive policy.
</Info>

### Required Permissions for Cloud Providers

Below are the recommended initial roles for integrating with major cloud providers. These roles provide sufficient permissions for Simplismart to manage resources effectively. You can refine these permissions after the initial setup.

<Tabs>
  <Tab title="AWS">
    AWS secrets allow Simplismart to create or manage EKS clusters and access storage resources.

    #### Required Credentials

    Provide the following fields in the JSON format:

    * `access_key_id`
    * `secret_access_key`

    #### IAM Policies

    * **S3 Access**: Required for model storage, logs, and artifacts. Permissions: `s3:ListBucket`, `s3:GetObject`, `s3:PutObject`.
    * **EKS Full Access (Create Cluster)**: Required when creating new clusters from the platform. Recommended policies: `AmazonEKSClusterPolicy`, `AmazonEKSServicePolicy`, or `AdministratorAccess` (recommended for initial setup).
    * **EKS Maintenance Access (Import Cluster)**: Required when importing an existing cluster. Permissions: Node group access, cluster read/write operations, networking updates.

    #### Best practices

    * Create a separate AWS sub-account for Simplismart.
    * Avoid using root credentials.
    * Use role-based access where possible.

    ```json AWS Credentials JSON Example theme={null}
    {
      "access_key_id": "<access_key>",
      "secret_access_key": "<secret_key>"
    }
    ```
  </Tab>

  <Tab title="GCP">
    GCP secrets allow Simplismart to manage GKE clusters and access storage.

    #### Required Credentials

    Provide the JSON service account key for a dedicated service account.

    #### IAM Policies

    * **GCS Access**: Required for model storage, logs, and artifacts. Recommended role: `Storage Object Admin`.
    * **GKE Full Access (Create Cluster)**: Required when creating clusters. Recommended roles: `Kubernetes Engine Admin`, `Compute Admin`.
    * **GKE Maintenance Access (Import Cluster)**: Required when importing existing clusters. Recommended roles: `Kubernetes Engine Developer`, cluster read/write permissions.

    #### Best practices

    * Create a separate GCP project for Simplismart.
    * Use a dedicated service account.
    * Avoid using personal credentials.

    ```json GCP Credentials JSON Example theme={null}
    {
      "auth_provider_x509_cert_url": "<auth_provider_x509_cert_url>",
      "auth_uri": "<auth_uri>",
      "client_email": "<client_email>",
      "client_id": "<client_id>",
      "client_x509_cert_url": "<client_x509_cert_url>",
      "private_key": "<private_key>",
      "private_key_id": "<private_key_id>",
      "project_id": "<project_id>",
      "token_uri": "<token_uri>",
      "type": "<account_type>",
      "universe_domain": "<universe_domain>"
    }
    ```
  </Tab>

  <Tab title="Azure">
    Azure secrets allow Simplismart to manage AKS clusters and storage resources.

    #### Required Credentials

    Provide the following fields in the JSON format:

    * `tenant_id`
    * `client_id`
    * `client_secret`
    * `subscription_id`

    #### IAM Policies

    * **Azure Blob Storage Access**: Required for model artifacts, logs, and outputs. Recommended role: `Storage Blob Data Contributor`.
    * **AKS Full Access (Create Cluster)**: Required when creating clusters. Recommended role: `Contributor` on the subscription or resource group.
    * **AKS Maintenance Access (Import Cluster)**: Required when importing existing clusters. Recommended role: `Contributor` on the cluster resource group.

    #### Best practices

    * Create a separate resource group for Simplismart.
    * Use a dedicated service principal.
    * Avoid using global subscription credentials.

    ```json Azure Credentials JSON Example theme={null}
    {
      "client_id": "<client_id>",
      "client_secret": "<client_secret>",
      "subscription_id": "<subscription_id>",
      "tenant_id": "<tenant_id>"
    }
    ```
  </Tab>

  <Tab title="QBlocks">
    QBlocks secrets allow Simplismart to access QBlocks infrastructure resources for cluster provisioning and resource management.

    #### Best practices

    * Use a dedicated account for Simplismart.
    * Limit permissions to required resources.

    ```json QBlocks Credentials JSON Example theme={null}
    {
      "API_KEY": "<your-monster-api-key>"
    }
    ```
  </Tab>
</Tabs>

## Container Registries

Secrets for container registries enable Simplismart to pull private container images for your deployments and model serving. Each registry type has specific credential requirements.

<Tabs>
  <Tab title="Docker Hub">
    Docker Hub secrets are used to pull private container images from Docker Hub repositories. Use a **Personal Access Token** instead of your password for authentication.

    #### Set up a personal access token

    1. Log in to Docker Hub.
    2. Go to **Account Settings → Security**.
    3. Create a new **Access Token**.
    4. Copy the token.
    5. Add it as a secret in Simplismart.

    #### Best practices

    * Create a separate registry or organisation for Simplismart.
    * Use read-only tokens where possible.

    ```json Docker Hub Credentials JSON Example theme={null}
    {
      "username": "<username>",
      "password": "<personal_access_token>"
    }
    ```
  </Tab>

  <Tab title="Depot">
    Depot secrets facilitate pulling private containers stored in Depot registries. A **Personal Access Token** is required to authenticate.

    #### Set up a personal access token

    1. Log in to Depot.
    2. Generate a personal access token.
    3. Add the token as a secret in Simplismart.

    #### Best practices

    * Use a dedicated registry or repository for Simplismart.
    * Restrict token scope to required repositories.

    ```json Depot Credentials JSON Example theme={null}
    {
      "username": "x-token",
      "token": "<personal_access_token>"
    }
    ```
  </Tab>

  <Tab title="NVIDIA NIM">
    NVIDIA NIM secrets provide access to NVIDIA model containers and other resources on NVIDIA NGC.

    #### Set up a personal access token

    1. Generate a token from the NVIDIA NGC portal.
    2. Add it as a secret in Simplismart.

    #### Best practices

    * Use a dedicated account for Simplismart.
    * Limit token scope to required images.

    ```json NVIDIA NIM Credentials JSON Example theme={null}
    {
      "server": "nvcr.io",
      "password": "",
      "username": "$oauthtoken"
    }
    ```
  </Tab>

  <Tab title="Amazon ECR">
    Amazon ECR secrets are used to pull private container images from Amazon Elastic Container Registry. Authentication uses an AWS IAM access key with permission to pull from ECR.

    #### Set up AWS credentials

    1. In the AWS IAM console, create (or reuse) an IAM user with ECR pull permissions (e.g. `AmazonEC2ContainerRegistryReadOnly`).
    2. Generate an **access key** and **secret access key** for that user.
    3. Note the **region** of your ECR registry (e.g. `us-west-2`).
    4. Add them as a secret in Simplismart.

    #### Best practices

    * Use an IAM user scoped to read-only ECR access.
    * Restrict permissions to the specific repositories Simplismart needs to pull.

    ```json Amazon ECR Credentials JSON Example theme={null}
    {
      "region": "<aws_cloud_region>",
      "accessKey": "<aws_access_key_id>",
      "secretKey": "<aws_secret_access_key>"
    }
    ```
  </Tab>
</Tabs>

## Model Sources

Secrets for model sources allow Simplismart to access and download private or gated models from external platforms.

<Tabs>
  <Tab title="Hugging Face">
    Hugging Face secrets enable the download of private or gated models from the Hugging Face Hub. A **Personal Access Token** is required for authentication.

    #### Set up an API key

    1. Log in to Hugging Face.
    2. Go to **Settings → Access Tokens**.
    3. Create a new token.
    4. Copy the token.
    5. Add it as a secret in Simplismart.

    #### Best practices

    * Create a separate account for Simplismart.
    * Use tokens with **read-only access**.
    * Grant access only to required models.

    ```json Hugging Face Credentials JSON Example theme={null}
    {
      "token": "<access_token>"
    }
    ```
  </Tab>

  <Tab title="GitHub (Coming Soon)">
    Support for integrating GitHub-based model or container sources will be available in a future Simplismart release.
  </Tab>
</Tabs>

## Kubernetes Cluster Credentials

Kubernetes cluster credentials store the necessary authentication details to connect Simplismart to an existing Kubernetes cluster. These are used when importing clusters or deploying workloads to an imported cluster.

<Note>
  Use either token-based or certificate-based authentication, not both.
</Note>

Kubernetes secrets are required to:

* Import clusters into the platform
* Authenticate API access
* Manage deployments

\*\* Best practices\*\*

* Use a dedicated cluster for Simplismart workloads.
* Avoid sharing clusters with unrelated production systems.
* Use a dedicated subdomain for the cluster.

<Tabs>
  <Tab title="Token-based">
    To authenticate using a service account token:

    ```json Kubernetes Token JSON Example theme={null}
    {
      "token": "<token>",
      "server": "<server>",
      "ca_certificate": "<ca_certificate>"
    }
    ```
  </Tab>

  <Tab title="Certificate-based">
    To authenticate using client certificates:

    ```json Kubernetes Certificate JSON Example theme={null}
    {
      "server": "<server>",
      "client_key": "<client_key>",
      "ca_certificate": "<ca_certificate>",
      "client_certificate": "<client_certificate>"
    }
    ```
  </Tab>
</Tabs>

## OCI Cluster Credentials

OCI credentials enable Simplismart to securely integrate with your Oracle Cloud Infrastructure (OCI) environment. These credentials are required to import existing OCI clusters, allowing you to deploy, manage, and scale models directly on your OCI-hosted infrastructure.

<Note>
  Simplismart supports both token-based and certificate-based authentication for OCI clusters.
</Note>

<Tabs>
  <Tab title="Token-based">
    To authenticate using an OCI token:

    ```json OCI Token JSON Example theme={null}
    {
      "token": "<token>",
      "server": "<server>",
      "client_key": "<client_key>",
      "ca_certificate": "<ca_certificate>",
      "client_certificate": "<client_certificate>"
    }
    ```
  </Tab>

  <Tab title="Certificate-based">
    To authenticate using OCI certificates:

    ```json OCI Certificate JSON Example theme={null}
    {
      "server": "<server>",
      "client_key": "<client_key>",
      "client_certificate": "<client_certificate>",
      "ca_certificate": "<ca_certificate>"
    }
    ```
  </Tab>
</Tabs>

## SSH Public Key

<Info>
  SSH Public Key secrets are used to SSH into a running deployment container. See [SSH Access](/model-suite/deployments/ssh-access) for the full setup flow.
</Info>

Generate a key pair on your local machine:

```bash theme={null}
ssh-keygen -t ed25519 -f simplismart_key
cp simplismart_key simplismart_key.pem
```

* `simplismart_key.pem` — private key, used when connecting via `ssh -i`
* `simplismart_key.pub` — public key, add this to Simplismart as the secret

Paste the contents of `simplismart_key.pub` when creating the secret:

```json SSH Public Key JSON Example theme={null}
{
  "public_key": "ssh-ed25519 AAAAC3Nza... user@host"
}
```

## Generic Secrets

Generic secrets provide a flexible way to securely store any custom credentials or sensitive information not covered by the specific secret types above. These can include third-party API keys, custom authentication tokens, or other environment variables.

#### How to add a generic secret?

1. Go to **Integrations → Secrets**.
2. Click **Create Secret**.
3. Select **Generic Secret**.
4. Enter key-value pairs in the required JSON format.
5. Save the secret.

```json Generic Secret JSON Example theme={null}
{
  "KEY_NAME": "VALUE"
}
```
