Read MLFLow creds securely

georgian-io-archive · Feb 8, 2021 · 0ba679b · 0ba679b
1 parent a16fb79
commit 0ba679b
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 2 deletions.
diff --git a/hydra/docker/Dockerfile b/hydra/docker/Dockerfile
@@ -1,4 +1,5 @@
 FROM continuumio/miniconda3
 WORKDIR /home
 COPY entry.py .
+RUN pip install hydra-ml==0.3.8
 ENTRYPOINT ["python", "entry.py"]
diff --git a/hydra/docker/entry.py b/hydra/docker/entry.py
@@ -3,6 +3,8 @@
 import argparse
 import subprocess
 
+from hydra.utils.secrets import get_creds_for_gcp_mlflow
+
 CONDA_ENV_NAME = "hydra"
 
 args_parser = argparse.ArgumentParser()
@@ -30,13 +32,24 @@
     shutil.copytree("/home/data", "/home/project/data")
 
 subprocess.run(["conda", "env", "create", "-n", CONDA_ENV_NAME, "-f", "environment.yml"])
-subprocess.run(["conda", "run", "-n", "hydra", "pip", "install", "hydra-ml"])
+subprocess.run(["conda", "run", "-n", "hydra", "pip", "install", "hydra-ml==0.3.8"])
 
 if args.options is not None:
     for arg in args.options.split():
         [key, val] = arg.split('=')
         os.putenv(key, val)
 
+mlflow_tracking_url, mlflow_username,\
+    mlflow_pswd = "", "", ""
+
+if os.environ.get('HYDRA_PLATFORM') == 'gcp':
+    mlflow_tracking_uri, mlflow_username,\
+    mlflow_pswd = get_creds_for_gcp_mlflow()
+
+os.putenv('MLFLOW_TRACKING_URI', mlflow_tracking_url)
+os.putenv('MLFLOW_USERNAME', mlflow_username)
+os.putenv('MLFLOW_PASSWORD', mlflow_pswd)
+
 os.putenv('HYDRA_PLATFORM', args.platform)
 os.putenv('HYDRA_GIT_URL', args.git_url)
 os.putenv('HYDRA_COMMIT_SHA', args.commit_sha)

diff --git a/hydra/utils/secrets.py b/hydra/utils/secrets.py
@@ -0,0 +1,25 @@
+import os
+
+from google.cloud import secretmanager
+
+def access_secret_version(project_id, secret_id, version_id="latest"):
+    # Create the Secret Manager client.
+    client = secretmanager.SecretManagerServiceClient()
+
+    # Build the resource name of the secret version.
+    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
+
+    # Access the secret version.
+    response = client.access_secret_version(name=name)
+
+    # Return the decoded payload.
+    return response.payload.data.decode('UTF-8')
+
+
+def get_creds_for_gcp_mlflow():
+    project_id = os.environ["GCP_PROJECT"]
+
+    tracking_uri = access_secret_version(project_id, 'MLFLOW_TRACKING_URI')
+    username = access_secret_version(project_id, 'MLFLOW_TRACKING_USERNAME')
+    pswd = access_secret_version(project_id, 'MLFLOW_TRACKING_PASSWORD')
+    return tracking_uri, username, pswd
diff --git a/requirements.txt b/requirements.txt
@@ -6,4 +6,5 @@ GitPython==3.1.9
 google-cloud-storage==1.32.0
 docker==4.3.1
 pyyaml
-boto3==1.16.28
+boto3==1.16.28
+google-cloud-secret-manager==2.2.0