Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
ibm
GitHub Repository: ibm/watson-machine-learning-samples
 Path: blob/master/cpd5.1/notebooks/python_sdk/deployments/python_function/Use Vault and Secret REST API to store secret in vault to utilize it inside Python function.ipynb
6405 views
Kernel: test-throwaway

Use Vault and Secret REST API to store secret in vault and utilize it inside Python function with ibm-watsonx-ai

This notebook demonstrates an example for using Vault and Secret REST API services to store secrets in order to utilize it inside Python function. It contains steps and code to work with ibm-watsonx-ai library available in PyPI repository.

Learning goals

The learning goals of this notebook are:

  • Store secret in Vault using Secret REST API.

  • Utilize secret inside Python function.

Contents

This notebook contains the following parts:

  1. Setup

  2. Secret definition

  3. Python function definition

  4. Testing Python function locally

  5. Deployment of Python function

  6. Testing deployed function

  7. Clean up

  8. Summary and next steps

Set up the environment

Before you use the sample code in this notebook, you must perform the following setup tasks:

  • Contact with your Cloud Pak for Data administrator and ask them for your account credentials

Install ibm-watsonx-ai

Note: ibm-watsonx-ai documentation can be found here.

%pip install -U "ibm-watsonx-ai" | tail -n 1
Successfully installed ibm_watsonx_ai-1.3.3

Define credentials

Authenticate the watsonx.ai Runtime on IBM Cloud Pak for Data. You need to provide the admin's username and the platform url.

import getpass

url = "PASTE THE PLATFORM URL HERE"
username = "PASTE YOUR USERNAME HERE"
password = getpass.getpass("Enter your watsonx.ai password and hit enter: ")

Use the admin's password to authenticate watsonx.ai Runtime:

from ibm_watsonx_ai import Credentials

credentials = Credentials(
    username=username,
    password=password,
    url=url,
    instance_id="openshift",
    version="5.1"
)

Create APIClient instance

from ibm_watsonx_ai import APIClient

client = APIClient(credentials)

Working with spaces

First of all, you need to create a space that will be used for your work. If you do not have space already created, you can use {PLATFORM_URL}/ml-runtime/spaces?context=icp4data to create one.

  • Click New Deployment Space

  • Create an empty space

  • Go to space Settings tab

  • Copy space_id and paste it below

Tip: You can also use SDK to prepare the space for your work. More information can be found here.

Action: Assign space ID below

space_id = "PASTE YOUR SPACE ID HERE"

You can use list method to print all existing spaces.

client.spaces.list(limit=10)

To be able to interact with all resources available in watsonx.ai Runtime, you need to set space which you will be using.

client.set.default_space(space_id)
'SUCCESS'

Define the secret

Create a secret utilizing the credentials defined above.

Note: Vault and Secret REST API documentation is available here.

Fetch Vault URN

In order to use the Secret REST API, you need to retrieve the Vault URN, which points to the vault where your secret will be stored.

Define the Cloud Pak for Data host

import os

try:
    host = os.environ.get("RUNTIME_ENV_APSX_URL")
except KeyError:
    host = input("Please enter your Cloud Pak for Data URL (hit enter): ")

Define request parameters

provider_name = "internal"

url = f"{host}/zen-data/v2/vaults"
headers = client._get_headers(zen=True)
params = {"provider_name": provider_name}

List available vaults

import json
import requests

response = requests.get(url, headers=headers, params=params)
vault_list = response.json()["vaults"]

print(json.dumps(vault_list, indent=2))

Specify Vault URN

vault_urn = vault_list[0]["vault_urn"]

vault_urn
'0000000000:internal'

Store secret in Vault

In order to utilize your secret inside the Python function, it needs to be stored in the Vault.

Define request parameters

secret_name = "PASTE YOUR SECRET NAME HERE"

url = f"{host}/zen-data/v2/secrets"
headers = client._get_headers(zen=True)
payload = {
    "secret_name": secret_name,
    "description": "This secret was created for a demonstration of Vault and Secret REST API",
    "secret": {
        "credentials": {
            "username": username,
            "password": password
        }
    },
    "type": "credentials",
    "vault_urn": vault_urn
}

Store the secret

response = requests.post(url, headers=headers, json=payload)

print(json.dumps(response.json(), indent=2))
{ "secret_urn": "1000331001:my-secret-name" }

Define the Python function

Create a Python function which utilizes the secret defined above.

def deployable_function_with_secret(space_id=space_id, secret_name=secret_name):
    import os
    import requests

    from ibm_watsonx_ai import APIClient, Credentials


    host = os.environ.get("RUNTIME_ENV_APSX_URL")
    credentials = Credentials(
        instance_id="openshift",
        url=host,
        version="5.1",
    )
    client = APIClient(credentials)


    def get_secret_urn(host, secret_name):
        url = f"{host}/zen-data/v2/secrets"
        headers = client._get_headers(zen=True)
        params = {"secret_name": secret_name}

        response = requests.get(url, headers=headers, params=params)
        secret_list = response.json()["secrets"]

        return secret_list[0]["secret_urn"]


    def get_secret_details(host, secret_urn):
        url = f"{host}/zen-data/v2/secrets/{secret_urn}"
        headers = client._get_headers(zen=True)

        response = requests.get(url, headers=headers, verify=False)
        secret_details = response.json()

        return secret_details["data"]["secret"]["credentials"]


    secret_urn = get_secret_urn(host, secret_name)
    client_credentials = get_secret_details(host, secret_urn)

    vault_username = client_credentials["username"]
    vault_password = client_credentials["password"]

    vault_credentials = Credentials(
        url=os.environ.get("RUNTIME_ENV_APSX_URL"),
        username=vault_username,
        password=vault_password,
        instance_id="openshift",
        version="5.1"
    )

    client_from_vault = APIClient(credentials=vault_credentials, space_id=space_id)

    def score(payload):
        stored_models = client_from_vault.repository.list()
        use_score_token_values = stored_models["ID"].tolist()

        score_response = {
            "predictions": [
                {
                    "fields": [
                        "use_score_token"
                    ],
                    "values": [
                        use_score_token_values
                    ]
                }
            ]
        }

        return score_response

    return score

score = deployable_function_with_secret()

Testing function locally

You can test your Python function locally before deploying it to the space.

local_function = deployable_function_with_secret(space_id, secret_name)

payload = {"input_data": [{"values": [1]}]}
result = local_function(payload)

print(json.dumps(result, indent=2))
{ "predictions": [ { "fields": [ "use_score_token" ], "values": [ [ "35acbc20-88d1-4bf0-97a2-9b8da067cc39", "aae57eb5-642a-4bd0-952a-8b8fd8af0328" ] ] } ] }

Store and deploy the function

Before you can deploy the function, you must store it in your watsonx.ai Runtime.

Store the function

In order to deploy the function, you need to specify your software specification.

Get software specification ID

software_spec_id = client.software_specifications.get_id_by_name("runtime-24.1-py3.11")

Store the function in watsonx.ai Runtime

store_function_meta_props = {
    client.repository.FunctionMetaNames.NAME: "Deployable function with secret from Vault",
    client.repository.FunctionMetaNames.SOFTWARE_SPEC_ID: software_spec_id,
}

function_artifact = client.repository.store_function(
    function=deployable_function_with_secret, meta_props=store_function_meta_props,
)

Get ID of deployed function

function_id = client.repository.get_function_id(function_artifact)

function_id
'c406da49-a6b6-4736-ba9a-5a2106d68c35'

Deploy the function

After storing the function in your watsonx.ai Runtime, you can deploy it to your deployment space.

deployment_meta_props = {
    client.deployments.ConfigurationMetaNames.NAME: "Deployed function with secret from Vault",
    client.deployments.ConfigurationMetaNames.ONLINE: {},
}

deployment_details = client.deployments.create(
    artifact_id=function_id, meta_props=deployment_meta_props,
)
###################################################################################### Synchronous deployment creation for id: 'c406da49-a6b6-4736-ba9a-5a2106d68c35' started ###################################################################################### initializing ....... ready ----------------------------------------------------------------------------------------------- Successfully finished deployment creation, deployment_id='e52c9f2b-52e2-42a4-a5b6-0b1bba4a3041' -----------------------------------------------------------------------------------------------

Test the deployed function

You can use ibm-watsonx-ai Python SDK or REST API to send data to your function deployment for processing in exactly the same way you send data to model deployments for processing.

Test using ibm-watsonx-ai Python SDK

payload = {"input_data": [{"values": [1]}]}

deployment_id = client.deployments.get_id(deployment_details)
result = client.deployments.score(deployment_id, payload)

if "error" in result:
    print(result["error"])
else:
    print(json.dumps(result, indent=2))
{'predictions': [{'fields': ['use_score_token'], 'values': [['c406da49-a6b6-4736-ba9a-5a2106d68c35', '35acbc20-88d1-4bf0-97a2-9b8da067cc39', 'aae57eb5-642a-4bd0-952a-8b8fd8af0328']]}]}

Get deployment endpoint URL for REST API testing

deployment_endpoint_url = client.deployments.get_scoring_href(deployment_details)

deployment_endpoint_url

Cleanup

If you want to clean up all created assets:

  • experiments

  • trainings

  • pipelines

  • model definitions

  • models

  • functions

  • deployments

please follow up this sample notebook.

Summary and next steps

In this notebook, you created a Python function that receives HTML canvas image data and then processes and sends that data to a model trained to recognize handwritten digits.

Check out our Online Documentation for more samples, tutorials, documentation, how-tos, and blog posts.

Authors

Rafał Chrzanowski, Software Engineer Intern at watsonx.ai.

Copyright © 2025 IBM. This notebook and its source code are released under the terms of the MIT License.