doc/source/ray-core/runtime_env_auth.md
(runtime-env-auth)=
This section helps you:
You can add dependencies to your `runtime_env` with remote URIs. This is straightforward for files hosted publicly, because you simply paste the public URI into your `runtime_env`:
```python
runtime_env = {"working_dir": (
        "https://github.com/"
        "username/repo/archive/refs/heads/master.zip"
    )
}
```
However, dependencies hosted privately, in a private GitHub repo for example, require authentication. One common way to authenticate is to insert credentials into the URI itself:
```python
runtime_env = {"working_dir": (
        "https://username:personal_access_token@github.com/"
        "username/repo/archive/refs/heads/master.zip"
    )
}
```
In this example, `personal_access_token` is a secret credential that authenticates this URI. While Ray can successfully access your dependencies using authenticated URIs, you should not include secret credentials in your URIs for two reasons:
`runtime_env`, which means the Ray logs could contain your credentials.
In short, your remote URI is not treated as a secret, so it should not contain secret info. Instead, use a `netrc` file.
The `netrc` file contains credentials that Ray uses to automatically log into remote servers. Set your credentials in this file instead of in the remote URI:
```
# "$HOME/.netrc"
machine github.com
login username
password personal_access_token
```
In this example, the `machine github.com` line specifies that any access to `github.com` should be authenticated using the provided `login` and `password`.
:::{note}
On Unix, name the netrc file as .netrc. On Windows, name the
file as _netrc.
:::
The netrc file requires owner read/write access, so make sure to run the chmod command after creating the file:
```bash
chmod 600 "$HOME/.netrc"
```
Add the netrc file to your VM container's home directory, so Ray can access the runtime_env's private remote URIs, even when they don't contain credentials.
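A pre-flight check for the two points above, added here as an example and not part of Ray: it flags `runtime_env` URIs that still embed credentials, redacts them for logging, and verifies that the netrc file is owner-only and has an entry for the host. The function names and the choice to inspect only `working_dir` and `py_modules` are assumptions of this example.

```python
import netrc
import os
import stat
from urllib.parse import urlsplit

# runtime_env fields that can hold remote URIs (assumption: only these two are checked).
URI_FIELDS = ("working_dir", "py_modules")


def uris_with_embedded_credentials(runtime_env):
    """Return the URIs in runtime_env that carry user[:password]@ userinfo."""
    candidates = []
    for field in URI_FIELDS:
        value = runtime_env.get(field)
        if isinstance(value, str):
            candidates.append(value)
        elif isinstance(value, (list, tuple)):
            candidates.extend(v for v in value if isinstance(v, str))
    return [u for u in candidates
            if urlsplit(u).username is not None or urlsplit(u).password is not None]


def redact(uri):
    """Drop the userinfo part so the URI can be written to a log."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=host).geturl()


def netrc_problems(path, host):
    """Report loose permissions or a missing 'machine' entry for host."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        problems.append(f"{path} has mode {oct(mode)}; run chmod 600")
    if netrc.netrc(path).authenticators(host) is None:
        problems.append(f"{path} has no 'machine {host}' entry")
    return problems


if __name__ == "__main__":
    # Constructed sample: the credentialed URI form shown earlier on this page.
    env = {"working_dir": "https://username:personal_access_token@github.com/"
                          "username/repo/archive/refs/heads/master.zip"}
    for uri in uris_with_embedded_credentials(env):
        print("credentials in URI, move them to netrc:", redact(uri))
```

Run the URI check before calling `ray.init` or submitting a job, and run `netrc_problems` on each node or container image that downloads the dependencies.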
KubeRay can also obtain credentials from a netrc file for remote URIs. Supply your netrc file using a Kubernetes secret and a Kubernetes volume with these steps:
1. Launch your Kubernetes cluster.
2. Create the `netrc` file locally in your home directory.
3. Store the `netrc` file's contents as a Kubernetes secret on your cluster:
    ```bash
    kubectl create secret generic netrc-secret --from-file=.netrc="$HOME/.netrc"
    ```
4. Expose the secret to your KubeRay application using a mounted volume, and update the `NETRC` environment variable to point to the `netrc` file. Include the following YAML in your KubeRay config.
    ```yaml
    headGroupSpec:
        ...
        containers:
            - name: ...
              image: rayproject/ray:latest
              ...
              volumeMounts:
                - mountPath: "/home/ray/netrcvolume/"
                  name: netrc-kuberay
                  readOnly: true
              env:
                - name: NETRC
                  value: "/home/ray/netrcvolume/.netrc"
        volumes:
            - name: netrc-kuberay
              secret:
                secretName: netrc-secret

    workerGroupSpecs:
        ...
        containers:
            - name: ...
              image: rayproject/ray:latest
              ...
              volumeMounts:
                - mountPath: "/home/ray/netrcvolume/"
                  name: netrc-kuberay
                  readOnly: true
              env:
                - name: NETRC
                  value: "/home/ray/netrcvolume/.netrc"
        volumes:
            - name: netrc-kuberay
              secret:
                secretName: netrc-secret
    ```
5. Apply your KubeRay config.
Your KubeRay application can use the netrc file to access private remote URIs, even when they don't contain credentials.
As an alternative to using a netrc file, you can authenticate HTTPS remote URIs using bearer tokens. This is particularly useful when working with APIs that require OAuth2 or similar token-based authentication.
Set the `RAY_RUNTIME_ENV_BEARER_TOKEN` environment variable with your bearer token:
```bash
export RAY_RUNTIME_ENV_BEARER_TOKEN="your_bearer_token_here"
```
Ray will automatically include this token in the `Authorization` header when downloading HTTPS URIs in your `runtime_env`:
```python
runtime_env = {"working_dir": "https://example.com/private/repo.zip"}
```
The bearer token will be sent as an `Authorization: Bearer your_bearer_token_here` header with the HTTPS request.
For KubeRay deployments, you can securely provide the bearer token using Kubernetes secrets:
1. Create a Kubernetes secret containing your bearer token:
    ```bash
    kubectl create secret generic bearer-token-secret \
      --from-literal=RAY_RUNTIME_ENV_BEARER_TOKEN="your_bearer_token_here"
    ```
2. Expose the secret to your KubeRay application using environment variables. Include the following YAML in your KubeRay config:
    ```yaml
    headGroupSpec:
        ...
        containers:
            - name: ...
              image: rayproject/ray:latest
              ...
              env:
                - name: RAY_RUNTIME_ENV_BEARER_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: bearer-token-secret
                      key: RAY_RUNTIME_ENV_BEARER_TOKEN

    workerGroupSpecs:
        ...
        containers:
            - name: ...
              image: rayproject/ray:latest
              ...
              env:
                - name: RAY_RUNTIME_ENV_BEARER_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: bearer-token-secret
                      key: RAY_RUNTIME_ENV_BEARER_TOKEN
    ```
3. Apply your KubeRay config.
Your KubeRay application will use the bearer token to authenticate HTTPS requests when downloading remote URIs in the runtime_env.