I understand that when environment variables are stored in code, they need to be explicitly called to be used. In Streamlit, as shown in this link (Secrets management - Streamlit Docs), I believe it’s typically accessed with st.secrets["key"]. However, in my app, I only put the API Key into the secrets section under Advanced settings without specifically calling it in the code, yet it still automatically detects and operates with the API Key. I’m wondering if this behavior is standard for Streamlit.
It’s documented in the linked section of the docs:
Access your secrets by querying the
st.secretsdict, or as environment variables.
See also the examples.
Yes, I have also read the documentation and reviewed the examples. However, it seems strange that in the chatbot app I created, the API Key is just placed inside settings - secrets and still works fine without explicitly calling it as an environment variable or using st.secrets, etc. But if I modify the API Key value stored in the secrets, it stops working. Doesn’t this mean that it works simply by being stored in the secrets?
There must be some code reading the value of the environment variable. Otherwise you could get away without the environment variable. But you apparentle cannot because…
So the API calls don’t work without a valid key. What else would you expect?
I don’t think I understand that question. What “works simply by being stored in the secrets”?
I feel like the meaning might not have been conveyed properly since I’m using a translator because my English isn’t very good.
First of all, there is no code that retrieves the stored Secret(API Key) in my code. I commented out all the existing code withst.secrets, and rebooted the app multiple times. I’m confident there’s no code that retrieves the stored secret. I stored the API key for using an API in the settings-secret. So, if the API key isn’t present, my app should encounter an error during execution. However, even though I only stored the API key in the secret and didn’t retrieve it, the API still works. If I remove the API key from the secret, the API stops working and an error occurs. Therefore, I understand why you might think there’s code in my app that reads the API key from the secret, but I’ve thoroughly checked, and there isn’t any.
Your own code is only a fraction of all the code executed by your application. You are importing other modules, aren’t you? There is a lot of code in those modules.
In case you are interested, the traceback should telll you which code is looking for the environment variable.
What I meant to say is that in the code I wrote, there was no code to retrieve the stored API, whether through st.secrets or os.environ. There was no such code included at all. Despite the fact that there was no code to fetch the API key stored in the secret, as stated in the documentation, the API still worked properly, and when I deleted the API key from the secret, it stopped working. This means that even though it was supposed to be retrieved via st.secrets, it worked anyway. The API I’m using is a service called Comet Opik, which I confirmed requires an API key during local testing. Locally, I create a config file and store the API key there. However, I understand that on Streamlit Community Cloud, the key needs to be stored in a TOML file in the secret and retrieved using st.secrets. What’s strange is that, even though I didn’t follow this process, the API still worked.
Yes, there is such code, but it wasn’t written by you. It must be in one of the modules you are importing.
No, there is no such code. I am only importing Comet Opik(API I am using now). I even asked the developer of the API if there is such code in the module. I received the answer saying that there is no such code and that I must write a code to retrieve API key from secret or environment variable. That’s why I thought it has something to do with Streamlit community cloud.
There seems to be several related packages in pypi, unfortunately I don’t know which one you are using and how you are using it, so I don’t see how else I can help.
Regardless of whether it has to do with streamlit cloud or not, the answer contradicts your own experience and it doesn’t make sense to me. I am afraid there has been some miscommunication.
Well, this is the code. You and developer of Opik claims that there must be a code to retreive API key from streamlit secrets, but as you can see in the link I provided, I did not write such code. But Opik API still works without retrieving API key from secret. I guess there is miscommunication due to my English if you can’t still understand this situation. Anyways, thanks for the comments.
I cannot find where in that code you are calling the opik API.
Sorry. Wrong Code. Check these two.
chatbot.py
utils.py
The docstring for the class OpikConfig states that configuration (and this includes the API key) will be read from environment variables when not provided by other means.
class OpikConfig(pydantic_settings.BaseSettings):
"""
Initializes every configuration variable with the first
found value. The order of sources used:
1. User passed values
2. Session config dict (can be populated by calling `update_session_config(...)`)
3. Environment variables (they must start with "OPIK_" prefix)
4. Load from file
5. Default values
"""
Finding the actual code that queries the environment variables is hard (for me, anyway) because it is pydantic’ s black magic doing it. But I am pretty sure a pydantic sorcerer would be able to find it for you.
Thank you Goyo for replying to every messages. I understand that the settings required to use Opik (API Key, project_name, workspace) can be configured as environment variables instead of parameters. That’s why I’ve stored the API Key in Streamlit’s secrets on its website to use it as an environment variable. I also understand that, as you mentioned, the usual process would be to retrieve this API Key from secrets in the code and save it as an environment variable for use. However, since there’s no such code, I assumed that storing it in Streamlit secrets directly makes it available as an environment variable.
I believe this is where the environment variables are grabbed in pydantic.
When a key-value pair is saved in secrets.toml you can grab it in one of two ways: with st.secrets or os.environ.
In the example here, the following is true because it compares two ways to retrieve the same secret:
os.environ["db_username"] == st.secrets["db_username"]
Yes, it does. That is stated in the docs, as I quoted:
Access your secrets by querying the
st.secretsdict, or as environment variables.
And demostrated in the example inmediately below.
1 Like
Yes. But I did not write code containing os.environ nor st.secrets to grab API Key stored in secret. So I thought just saving API Key in secret will become environment variable, and Opik API automatically grab this key stored in secret.
I thought I always had to grab the value stored in the secret using st.secrets or os.environ in the code. However, you said that Opik will read the configuration from environment variables when not provided by other means. Since the secret saved in Streamlit is already stored as an environment variable, I understand that Opik will recognize it automatically without needing me to grab it separately in the code. That’s why I don’t have to use st.secrets or os.environ in code.