Secrets#
Secrets in the AMD AI Workbench are credentials and sensitive information that your AI models, workspaces, and workloads need to access external services and resources. The Secrets page provides a secure way to store, manage, and use authentication tokens, API keys, and other sensitive data without exposing them in your code or configuration files.
Overview#
The Secrets management system allows you to securely store sensitive credentials required for:
Model deployment authentication — Hugging Face tokens for accessing gated models
Container registry authentication — Docker credentials for pulling images
Cloud storage access — AWS S3 or other cloud provider credentials
Database connections — Connection strings and credentials for databases
Generic credentials — Any other sensitive information your workloads require
Managing Secrets#
View Secrets#
The Secrets page displays all secrets available in your current project namespace. Each secret shows:
Secret name — The identifier used by your models and workloads
Use case — The category of secret (HuggingFace, S3, ImagePullSecret, or Generic)
Created date — When the secret was added
Creator — The user who originally created the secret
Use the search field and filters to find specific secrets when you have multiple secrets saved.
Note
Secret values are never displayed for security reasons. Only metadata (name, type, and creation information) is visible in the Secrets page.
Create a Secret#
To create a new secret:
Click the Create new secret button on the Secrets page
Fill in the secret details:
Name — A unique identifier for your secret (lowercase letters, numbers, and hyphens only)
Use case — Select the secret use case type from the dropdown menu
Secret value(s) — Enter your credentials, token, or other sensitive information
Click Add secret to save the secret
The secret type you select determines which fields you need to provide:
HuggingFace Token#
Use this type when you need to access model weights on Hugging Face Hub that require authentication.
Fields: Hugging Face API token
Used by: Model deployments that require gated model access
Example: Personal access token from your Hugging Face account
Docker Registry (ImagePullSecret)#
Use this type to authenticate with container registries when pulling private images for Workspaces or custom workloads.
Fields: Docker configuration JSON (passed in as encoded
.dockerconfigjson) containing registry credentialsUsed by: Deployments that need to pull images from private Docker registries
Example: Docker Hub credentials or private enterprise registry authentication
The Docker configuration must be a valid JSON object. If you’re uncertain about the format, consult your container registry documentation.
Generic#
Use this type for any sensitive credentials that don’t fit the predefined categories.
Field: Your sensitive information as key-value pairs
Used by: Workloads and services that need custom credentials or other secrets
Example: API keys for custom services, SSH keys, or tokens for non-standard systems
Naming Guidelines#
Secret names must follow these rules:
Length: Between 2 and 253 characters
Characters: Lowercase letters (a-z), numbers (0-9), and hyphens (-) only
Format: Must start with a letter and end with a letter or number
Examples:
huggingface-token,s3-training-data,api-key-1
Using Secrets with Models and Workloads#
When you deploy a model or create a workload that requires authentication, you’ll be able to select from your available secrets. The system automatically applies the appropriate secret without exposing the credential values in your deployment configuration or logs.
For example, when deploying an AIM that uses gated model from Hugging Face Hub, you select your HuggingFace token secret from the dropdown menu during the deployment process.
Security Considerations#
Best Practices#
Workspace isolation: Secrets are scoped to your project namespace and cannot be accessed by other projects
Secure storage: Secrets are stored securely in your cluster and are never shown in plain text through the UI
Audit trail: The system records which user created each secret for accountability
Least privilege: Only create secrets with the minimum credentials needed for their specific purpose
Important Notes#
No secret visibility: Once a secret is created, its value cannot be viewed through the UI — only its metadata (name, type, creation info)
Deletion is permanent: Deleting a secret immediately removes it from the system
Update via deletion: To change a secret’s value, delete the old secret and create a new one with the updated credentials
Warning
Do not share secret values through unsecured channels. Keep your credentials confidential and only add them to AMD AI Workbench if they are needed for your specific deployment or workload.
Note
If you need to utilize external secret sources or provide secret access across projects in your organization, you can use the advanced secret management features in the AI Resource Manager.
Common Use Cases#
Deploying Gated Models from Hugging Face#
Some of the available models with weights sourced from Hugging Face Hub require you to request access. To deploy these models:
Create a Hugging Face API token in your Hugging Face account settings
Create a HuggingFace secret in the Secrets page with your token
When deploying a model that requires authentication, select your HuggingFace secret
The platform automatically handles authentication with Hugging Face during deployment
Using Private Container Images#
To deploy workspaces or custom workloads using private Docker images:
Create a Docker Registry (ImagePullSecret) with your registry credentials
When creating a workload that uses a private image, select your Docker Registry secret
The platform automatically authenticates with the registry and pulls your image
Additional Resources#
For more information on deploying models and using workloads, see: