<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to use Databricks secrets on MLFlow conda dependencies? in Machine Learning</title>
    <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/156692#M4618</link>
    <description>&lt;P&gt;Did someone solve this? I'm currently forced to download some libraries using an artifactory pypi mirror. However, I wouldn't want to have my secrets pasted in the conda.yaml file as plain text.&lt;/P&gt;</description>
    <pubDate>Tue, 12 May 2026 15:47:32 GMT</pubDate>
    <dc:creator>Froffri</dc:creator>
    <dc:date>2026-05-12T15:47:32Z</dc:date>
    <item>
      <title>How to use Databricks secrets on MLFlow conda dependencies?</title>
      <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/58434#M2911</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;&lt;P&gt;Do you know if it's correct to use the plain user and token for installing a custom dependency (an internal python package) in a mlflow registered model? (it's the only way I get it working because if not it can't install the dependency) It works, but I don't know if this is something dangerous or insecure because I usually use the databricks secrets like this:&lt;/P&gt;&lt;LI-CODE lang="python"&gt;%pip install git+https://{dbutils.secrets.get(scope="&amp;lt;my-scope&amp;gt;", key="&amp;lt;user&amp;gt;")}:{dbutils.secrets.get(scope="&amp;lt;scope&amp;gt;", key="&amp;lt;scope&amp;gt;")}@dev.azure.com/&amp;lt;company&amp;gt;/&amp;lt;git-package-project&amp;gt;@&amp;lt;version&amp;gt;&lt;/LI-CODE&gt;&lt;P&gt;so my conda.yaml for the mlflow is with the plain values:&lt;/P&gt;&lt;LI-CODE lang="python"&gt;channels:
- conda-forge
dependencies:
- python=&amp;lt;version&amp;gt;
- pip==22.3.1
- pip:
- mlflow==2.8.1
- git+https://&amp;lt;plain value of the user&amp;gt;:&amp;lt;plain value of the token&amp;gt;@dev.azure.com/&amp;lt;company&amp;gt;/&amp;lt;git-package-project&amp;gt;@&amp;lt;version&amp;gt;
name: mlflow-env&lt;/LI-CODE&gt;&lt;P&gt;note that in my yaml the values are the output of `dbutils.secrets.get(scope="&amp;lt;my-scope&amp;gt;", key="&amp;lt;user&amp;gt;")` and the other one&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 16:55:31 GMT</pubDate>
      <guid>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/58434#M2911</guid>
      <dc:creator>sergio-calderon</dc:creator>
      <dc:date>2024-01-25T16:55:31Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Databricks secrets on MLFlow conda dependencies?</title>
      <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/58528#M2913</link>
      <description>&lt;P&gt;&lt;SPAN&gt;While it's possible to use plain user and token for installing a custom dependency in an MLflow registered model, it's not recommended due to security reasons. Instead, Databricks suggests using Databricks secrets to securely store and reference secrets in notebooks or jobs. However, Databricks secrets are not directly accessible in the&amp;nbsp;&lt;/SPAN&gt;&lt;CODE class="c-mrkdwn__code" data-stringify-type="code"&gt;conda.yaml&lt;/CODE&gt;&lt;SPAN&gt;&amp;nbsp;file, so a workaround such as creating a script to generate the&amp;nbsp;&lt;/SPAN&gt;&lt;CODE class="c-mrkdwn__code" data-stringify-type="code"&gt;conda.yaml&lt;/CODE&gt;&lt;SPAN&gt;&amp;nbsp;file using the secrets might be necessary. Here's an example of a Python script that can be used to generate the&amp;nbsp;&lt;/SPAN&gt;&lt;CODE class="c-mrkdwn__code" data-stringify-type="code"&gt;conda.yaml&lt;/CODE&gt;&lt;SPAN&gt;&amp;nbsp;file:&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE class="c-mrkdwn__pre" data-stringify-type="pre"&gt;python&lt;BR /&gt;user = dbutils.secrets.get(scope="&amp;lt;my-scope&amp;gt;", key="&amp;lt;user&amp;gt;")&lt;BR /&gt;token = dbutils.secrets.get(scope="&amp;lt;scope&amp;gt;", key="&amp;lt;scope&amp;gt;")&lt;BR /&gt;company = "&amp;lt;company&amp;gt;"&lt;BR /&gt;git_package_project = "&amp;lt;git-package-project&amp;gt;"&lt;BR /&gt;version = "&amp;lt;version&amp;gt;"&lt;BR /&gt;&lt;BR /&gt;conda_yaml_content = f"""&lt;BR /&gt;channels:&lt;BR /&gt;- conda-forge&lt;BR /&gt;dependencies:&lt;BR /&gt;- python=&amp;lt;version&amp;gt;&lt;BR /&gt;- pip==22.3.1&lt;BR /&gt;- pip:&lt;BR /&gt;- mlflow==2.8.1&lt;BR /&gt;- git+https://{user}:{token}@dev.azure.com/{company}/{git_package_project}@{version}&lt;BR /&gt;name: mlflow-env&lt;BR /&gt;"""&lt;BR /&gt;&lt;BR /&gt;with open("conda.yaml", "w") as file:&lt;BR /&gt; &amp;nbsp;&lt;WBR /&gt; &amp;nbsp;&lt;WBR /&gt;file.write(conda_yaml_content)&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Replace the placeholders with your actual values.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 27 Jan 2024 14:29:59 GMT</pubDate>
      <guid>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/58528#M2913</guid>
      <dc:creator>Walter_C</dc:creator>
      <dc:date>2024-01-27T14:29:59Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Databricks secrets on MLFlow conda dependencies?</title>
      <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/59454#M2964</link>
      <description>&lt;P&gt;Thank you very much for the response but using that way is the same as the plain text approach, right? I mean, you are writing it from a Notebook and that's what I've done, but if you open the .yaml file the values are there with plain text.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Feb 2024 11:26:42 GMT</pubDate>
      <guid>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/59454#M2964</guid>
      <dc:creator>sergio-calderon</dc:creator>
      <dc:date>2024-02-06T11:26:42Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Databricks secrets on MLFlow conda dependencies?</title>
      <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/156692#M4618</link>
      <description>&lt;P&gt;Did someone solve this? I'm currently forced to download some libraries using an artifactory pypi mirror. However, I wouldn't want to have my secrets pasted in the conda.yaml file as plain text.&lt;/P&gt;</description>
      <pubDate>Tue, 12 May 2026 15:47:32 GMT</pubDate>
      <guid>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/156692#M4618</guid>
      <dc:creator>Froffri</dc:creator>
      <dc:date>2026-05-12T15:47:32Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Databricks secrets on MLFlow conda dependencies?</title>
      <link>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/162011#M4645</link>
      <description>&lt;P&gt;The dynamic conda.yaml generation trick doesn't actually fix this, and you already found that out yourself. Whatever ends up in the final logged conda.yaml is what gets read at environment build time, so if a plaintext credential has to be in that file for pip to authenticate, it's in there for good, no matter how it got written.&lt;/P&gt;
&lt;P&gt;The way to actually avoid this is to stop putting credentials in the model's conda.yaml at all, and instead configure a workspace-level default package repository. Under Settings, Compute tab, there's a "Default Package Repositories" section where an admin can set an index-url or extra-index-url pointing at your private repo, and the credentials for that live in a Databricks secret scope on the admin side, not in any individual model's dependency file. Once that's set up, your model's conda.yaml just needs &lt;CODE&gt;mypackage==1.2.3&lt;/CODE&gt;, no username, no token, no full URL. Databricks documents that Model Serving picks up this workspace-level repo config automatically when it builds the model's environment, so you're not doing anything special per model, it just resolves against the authenticated index behind the scenes.&lt;/P&gt;
&lt;P&gt;For Froffri's case with an Artifactory PyPI mirror, that's a clean fit since Artifactory is already speaking the PyPI index protocol, you just point the workspace default repo at it.&lt;/P&gt;
&lt;P&gt;For the original git+https install off Azure DevOps though, that one's trickier, because the workspace default repo setting is documented for pip index-style repositories, not raw git URLs. There isn't a supported way to strip credentials out of a &lt;CODE&gt;git+&lt;A href="https://user:token@" target="_blank"&gt;https://user:token@&lt;/A&gt;...&lt;/CODE&gt; line the way there is for an index URL. The cleanest path there is to stop installing directly from the git repo and instead publish the internal package to a proper package feed, Azure Artifacts supports a PyPI-format feed for exactly this, and then treat it the same way as the Artifactory case above. That gets you back to a plain &lt;CODE&gt;mypackage==1.2.3&lt;/CODE&gt; line with zero embedded secrets.&lt;/P&gt;
&lt;P&gt;One dead end worth mentioning so you don't burn time on it: pip does support &lt;CODE&gt;${VAR}&lt;/CODE&gt; environment variable expansion in requirements files for index URLs, so in theory you could write &lt;CODE&gt;--extra-index-url https://${USER}:${TOKEN}@repo/simple/&lt;/CODE&gt; and keep the literal token out of the file. But Databricks Model Serving's secret-backed environment variables are only injected at inference runtime, after the environment is already built and dependencies are already installed, so there's no env variable available yet at the point pip actually needs it. That trick works for a local pip install but not for how Model Serving builds the container.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jul 2026 20:08:47 GMT</pubDate>
      <guid>https://community.databricks.com/t5/machine-learning/how-to-use-databricks-secrets-on-mlflow-conda-dependencies/m-p/162011#M4645</guid>
      <dc:creator>iyashk-DB</dc:creator>
      <dc:date>2026-07-06T20:08:47Z</dc:date>
    </item>
  </channel>
</rss>

