To ensure the the Rhino FCP can retrieve the correct secret for a Code Run, the secret's key ID in the Secrets Manager must exactly match the tag of the container image being executed. Example: If your container image is tagged v1, the corresponding secret in the Secrets Manager must also have the tag v1.
During a Code Run execution, the Rhino FCP dynamically injects the retrieved secret into the running container at a specific, standardized location:
- Injection Path: The secret is provided as a JSON file named
secret_run_params.jsonat the absolute path:/input/secret_run_params.json. - Runtime Access: The container's code, e.g.
decrypt_weightsfunction, accesses this file at runtime to securely retrieve the necessary keys (e.g.,decrypt_keyorencrypt_key). Note that the function used here (decrypt_weights) is just an example. But, there should be a file inside the container should be used for decrypting.