Credential Injection
Credential injection lets a runtime call an approved HTTP service without storing the credential inside the VM. Store the secret once for each tenant, and then attach a runtime-scoped rule that injects it only for matching outbound requests.
Create or reuse a runtime:
runta run --name <runtime_display_name> --cpus 2 --memory 2048from runta import Runta
runta = Runta()runtime = runta.runtimes.create("<runtime_display_name>", vcpus=2, memory_mib=2048)import { Runta } from "@runta/runta-sdk";
const runta = new Runta();const runtime = await runta.runtimes.create("<runtime_display_name>", { vcpus: 2, memoryMiB: 2048,});Store a credential. Use --value-env, --value-stdin, or --prompt so the
secret does not appear in shell history:
export OPENAI_API_KEY=sk-examplerunta secret add openai-api-key --value-env OPENAI_API_KEYimport os
secret = runta.secrets.create("openai-api-key", os.environ["OPENAI_API_KEY"])const secret = await runta.secrets.create( "openai-api-key", process.env.OPENAI_API_KEY!,);Add a rule that injects the stored credential as an HTTP header when the runtime
calls api.openai.com:
runta secret rule add \ <runtime_display_name> \ --host api.openai.com \ --path '/v1/*' \ --credential openai-api-key \ --inject-header Authorization \ --inject-value 'Bearer ${credential}'from runta import Injection
rule = runtime.secrets.create_rule( "https://api.openai.com", path="/v1/*", injection=Injection( credential="openai-api-key", header="Authorization", value="Bearer ${credential}", ),)The literal ${credential} placeholder is replaced by the stored secret value
at request time.