Signature
Parameters
| Name | Type | Purpose |
|---|---|---|
name | str | Secret name as configured on the Cirron platform |
name map to underscores when resolving the env var
form; ci.secret("openai-api-key") reads CIRRON_SECRET_OPENAI_API_KEY.
Resolution order
First match wins:CIRRON_SECRET_<NAME>: environment variable. Standard cloud and on-prem mechanism.<NAME>isname.upper()with hyphens replaced by underscores./etc/cirron/secrets/<name>: file mount. Used in air-gapped environments where env-var injection isn’t the deployment mechanism. Trailing newlines are stripped.CirronSecretNotFound: raised if neither is present. The message points at the platform’s secrets UI.
Examples
Guarantees
- Secret values are never logged, even at
DEBUG. - Secret values are never included in trace spans, marks, or snapshots.
- Secret values are never flushed to disk through the spool.
ci.scope() or ci.mark().
When the secret isn’t mounted
CirronSecretNotFound is raised with a message pointing at the
platform’s secrets UI. Typical causes:
- The secret hasn’t been configured on the dashboard for this workspace / pipeline / deployment.
- The deployment hasn’t been restarted since the secret was added (env-var injection requires a fresh container).
- You’re running standalone (not inside a Cirron pipeline or deployment) and the secret isn’t set as a local env var or file.
Related
ci.env
For non-sensitive config. Never read credentials through
ci.env.CirronSecretNotFound
How to handle a missing secret.