Deploying Python functions with vault integration
Integrate IBM Software Hub vault with watsonx.ai Runtime to deploy your applications. This integration enables you to securely store and retrieve sensitive information, such as tokens, by using IBM Software Hub vault. By integrating Vault with your Python function, you can ensure that sensitive data is protected and only accessible to authorized users.
Prerequisites
You must create a vault integration and vault secret in IBM Software Hub to use the vault functionality for deploying Python functions. For more information, see Managing secrets and vaults in the IBM Software Hub documentation.
Integrating vault for deploying Python functions
Follow these steps to deploy Python functions with IBM Software Hub vault integration in watsonx.ai Runtime:
-
Set up Python client SDK, account credentials, and secret name.
-
Connect to watsonx.ai Runtime and initialize your deployment space.
-
Retrieve the vault URN. Fetch the
vault_urnimport requests host = os.environ.get("RUNTIME_ENV_APSX_URL") token = client._get_icptoken()provider_name = "internal" url = host + "/zen-data/v2/vaults" headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } params = {"provider_name": provider_name} response = requests.get(url, headers=headers, params=params, verify=False) vault_list = response.json()["vaults"] vault_urn = vault_list[0]["vault_urn"] vault_urn -
Store secrets in vault. Use the
vault_urnurl = host + "/zen-data/v2/secrets" headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } data = { "secret_name": secret_name, "description": "This is my secret", "secret": { "credentials": { "username": username, "password": password } }, "type": "credentials", "vault_urn": vault_urn } response = requests.post(url, headers=headers, json=data) response.json() -
Define the Python function.
- During the deployment flow, initialize the client with the platform URL to extract the deployment token.
- Use this token to retrieve the stored secret from the vault.
- Use the retrieved vault secrets to initialize the client with the username and password, which is shared with the score method.
- Finally, use the client in the score function for further processing.
def my_deployable_fun_t1(space_id=space_id, secret_name=secret_name): from ibm_watsonx_ai import APIClient, Credentials import requests import os host = os.environ.get("RUNTIME_ENV_APSX_URL") credentials = Credentials( instance_id="openshift", url=host, version="5.1", ) wx_client = APIClient(credentials) token = wx_client._get_icptoken() def get_secret_urn(secret_name): nonlocal host url = host + "/zen-data/v2/secrets" headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } params = {"secret_name": secret_name} response = requests.get(url, headers=headers, params=params, verify=False) secrets_list = response.json()["secrets"] return secrets_list[0]["secret_urn"] def get_secret_details(secret_urn): nonlocal host url = host + "/zen-data/v2/secrets/" + secret_urn headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } response = requests.get(url, headers=headers, verify=False) secret_details = response.json() return secret_details['data']['secret']['credentials'] secret_urn = get_secret_urn(secret_name) client_credentials = get_secret_details(secret_urn) vault_username = client_credentials['username'] vault_password = client_credentials['password'] from ibm_watsonx_ai import APIClient, Credentials creds = Credentials( url=os.environ.get("RUNTIME_ENV_APSX_URL"), username=vault_username, password=vault_password, instance_id="openshift", version="5.1" ) wx_score_client = APIClient(credentials=creds) wx_score_client.set.default_space(space_id) def score(payload): use_score_token = wx_score_client.repository.list()["ID"].tolist() score_response = { "predictions": [ { "fields": [ "use_score_token" ], "values": [ use_score_token ] } ] } return score_response return score score = my_deployable_fun_t1()
Parent topic: Deploying Python functions