Skip to content

Credential Injection

Credential injection lets a runtime call an approved HTTP service without storing the credential inside the VM. Store the secret once for each tenant, and then attach a runtime-scoped rule that injects it only for matching outbound requests.

Create or reuse a runtime:

Terminal window
runta run --name <runtime_display_name> --cpus 2 --memory 2048

Store a credential. Use --value-env, --value-stdin, or --prompt so the secret does not appear in shell history:

Terminal window
export OPENAI_API_KEY=sk-example
runta secret add openai-api-key --value-env OPENAI_API_KEY

Add a rule that injects the stored credential as an HTTP header when the runtime calls api.openai.com:

Terminal window
runta secret rule add \
<runtime_display_name> \
--host api.openai.com \
--path '/v1/*' \
--credential openai-api-key \
--inject-header Authorization \
--inject-value 'Bearer ${credential}'

The literal ${credential} placeholder is replaced by the stored secret value at request time.