Secrets in Realtime Feature Views
This feature is currently in Private Preview.
- Must be enabled by Tecton support.
Realtime Feature Views (RTFVs) allow you to define and serve features computed in real-time, enabling dynamic and context-aware feature generation for machine learning models. Many RTFVs interact with external APIs, databases or services, which often require sensitive credentials such as API keys. Managing these credentials securely is critical to prevent unauthorized access and ensure operational integrity. With Tecton’s Secrets Management, you can securely store and retrieve these secrets in your RTFVs.
Using Secrets in Realtime Feature Views​
Secrets are only available for Realtime Feature Views executing in Transform Server Groups. Please ensure that Transform Server Groups are enabled for your deployment.
Create a Scope and a Secret in Tecton​
Scopes allow you to organize and manage secrets in Tecton. Use the Secrets CLI Commands to create a scope and a Secret in the scope.
tecton secrets create-scope -s my-scope
tecton secrets put -s my-scope -k MY_API_KEY -f secretvalue.txt
- Replace
my-scopewith your desired scope name. - Replace
MY_API_KEYwith a key name for the Secret. - Replace
secretvalue.txtwith the path to the file containing the API key.
Please refer to our Secrets Documentation for more information on creating and managing Secrets.
The above example uses the secretvalue.txt file to pass in the secret value,
so that we avoid having the secret live in our shell command history. See the
put command reference
for alternative options.
Give Your Workspace Access to the Secret Scope​
To allow your workspace to access the secret scope, assign the appropriate role using the assign-role command as shown below.
tecton access-control assign-role -w <workspace> -r secret_scope_reader -c my-scope
- Replace
workspacewith your workspace name. - Replace
my-scopewith the name of the secret scope. - Refer to Managing Access to Secrets for more information on managing access.
Apply a Realtime Feature View using the Secret​
Below is an example RTFV that uses the OpenWeatherMap API and API Key is passed in as a Secret.
from tecton import realtime_feature_view, RequestSource, Attribute
from tecton.types import Field, Int64, String
from tecton import Secret
request_schema = [Field("location", String)]
weather_request = RequestSource(schema=request_schema)
@realtime_feature_view(
sources=[weather_request],
mode="python",
features=[
Attribute("City", String),
Attribute("Summary", String),
Attribute("Description", String),
Attribute("Average Temperature", String),
],
secrets={"openweathermap_apikey": Secret(scope="my-scope", key="MY_API_KEY")},
)
def weather_fv(request, context):
import requests
api_key = context.secrets["openweathermap_apikey"]
base_url = "http://api.openweathermap.org/data/2.5/weather"
params = {"q": request["location"], "appid": api_key, "units": "metric"} # city name
try:
response = requests.get(base_url, params=params)
response.raise_for_status()
data = response.json()
weather_info = {
"City": data.get("name", "N/A"),
"Summary": data["weather"][0].get("main", "N/A"),
"Description": data["weather"][0].get("description", "N/A"),
"Average Temperature": f"{data['main'].get('temp', 'N/A')}°C",
}
return weather_info
except requests.exceptions.RequestException:
return {}
- Replace
my-scopewith the name of your Secret Scope - Replace
MY_API_KEYwith the name of your Secret key - Note that RTFVs using Secrets will need to accept a
contextparameter in their feature transformations, and retrieve the secret value(s) using thecontext. Refer to Realtime Context for more information.
Apply a Transform Server Group​
Secrets are currently enabled for Realtime Feature Views only when executed in a Transform Server Group. If you haven’t already, you’ll need to create and apply a Transform Server Group in your workspace. Transform Server Groups provide the infrastructure necessary to execute RTFVs securely and at scale.
Here’s an example configuration for applying a Transform Server Group:
from tecton import ProvisionedScalingConfig
from tecton import TransformServerGroup
my_team_tsg = TransformServerGroup(
name="my_team_tsg",
description="Transform Server Group for executing RTFVs",
environment="tecton-transform-server-core:1.0.1",
scaling_config=ProvisionedScalingConfig(
desired_nodes=2,
),
)
For detailed steps on creating and managing Transform Server Groups, refer to the Managing Transform Server Groups Documentation .
The above example uses the Tecton core environment
tecton-transform-server-core:1.0.1. If your Realtime Feature View requires
third-party or first-party dependencies, please
create a Custom Environment
and use it in the Transform Server Group instead.
Apply a Feature Service with the RTFV and the Transform Server Group​
Once the Transform Server Group is ready, you may apply a Feature Service using the Transform Server Group for your Realtime Feature View.
from tecton import FeatureService
from path.to.weather_fv import weather_fv
from path.to.transform_server_group import my_team_tsg
weather_feature_service = FeatureService(
name="weather_feature_service",
prevent_destroy=False,
online_serving_enabled=True,
transform_server_group=my_team_tsg,
features=[weather_fv],
)
Once you apply your Feature Service definition (also using tecton apply), you
are ready to query features! You can use the HTTP API to query the features from
the FeatureService, as described in
Reading Feature data for inference
.
Please note that newly updated Feature Services may take upto 60s to be updated in the requests to the Online Serving API.
FAQs​
-
What are the prerequisites for using a secret in a Realtime Feature View (RTFV)?
- RTFVs using secrets must be part of a Feature Service with a Transform Server Group. Refer to the Transform Server Group for more information. on provisioning Transform Server Groups for Feature Services.
- The workspace must have at least
secret_scope_readeraccess to the Secret Scope. Refer to Managing Access to Secrets for more information on managing access.
-
Can I update secrets after applying a Realtime Feature View?
- Yes, you can update secrets using the tecton secrets put command. The updated secret will be automatically used in subsequent requests. Please note that updates to secrets may take upto 60s to be propagated to online serving.
-
Can I use multiple secrets in a single Realtime Feature View?
- Yes, you can use multiple secrets by adding them to the
secretsdictionary in the RTFV definition. For example,
- Yes, you can use multiple secrets by adding them to the
secrets = {
"api_secret": Secret(scope="api-scope", key="API_KEY"),
"db_secret": Secret(scope="db-scope", key="DB_PASSWORD"),
}
Each secret will then be accessible in the context.secrets dictionary.
-
My
tecton applyis failing for an RTFV using a secret.- Applying an RTFV using a secret could fail for any of the following reasons:
- The Tecton SDK version does not support secrets. Ensure that your Tecton SDK version is greater than or equal to 1.1.
- The secret scope or the secret referenced in the RTFV does not exist. Please use the Secrets CLI Command Family to list all available scopes and secrets.
- The workspace does not have access to the secret scope. Refer to the Access Control Assign Role command to assign the workspace necessary access to the secret scope.
- Applying an RTFV using a secret could fail for any of the following reasons:
-
Why is my RTFV transformation throwing a
KeyErrorwhen accessing a secret through thecontext.secretsdictionary?- Please note that any updates to secrets may take upto 60s to be propagated to the Transform Server Group. If the error persists, please contact Tecton Support for further assistance.