[Blog post] - How Hugging Face Scaled Secrets Management for AI Infrastructure #2657
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julien-c
reviewed
Feb 7, 2025
pcuenca
reviewed
Feb 9, 2025
Co-authored-by: Pedro Cuenca <[email protected]>
Co-authored-by: Pedro Cuenca <[email protected]>
julien-c
reviewed
Feb 10, 2025
julien-c
reviewed
Feb 10, 2025
thomas-infisical
force-pushed
the
main
branch
from
7724738 to
06905ff
Compare
thomas-infisical
force-pushed
the
main
branch
from
5430448 to
0bbcdc0
Compare
|
Hello @julien-c , |
rtrompier
reviewed
Mar 4, 2025
rtrompier
reviewed
Mar 4, 2025
|
HI @julien-c! Let us know if we can merge this perhaps? |
julien-c
reviewed
Mar 10, 2025
julien-c
reviewed
Mar 11, 2025
julien-c
reviewed
Mar 11, 2025
julien-c
reviewed
Mar 11, 2025
julien-c
reviewed
Mar 11, 2025
julien-c
reviewed
Mar 11, 2025
julien-c
approved these changes
Mar 11, 2025
|
Hello @pcuenca , could you review this please? |
|
@pcuenca ? |
|
@thomas-infisical taking a look tonight |
pcuenca
approved these changes
Mar 18, 2025
_blog.yml
Outdated
| author: segudev | ||
| guest: true | ||
| date: Mar 13, 2025 |
| @@ -5638,7 +5638,6 @@ | |||
| - multimodal | |||
| - vision | |||
| - vlm | |||
|
|
|||
There was a problem hiding this comment.
Can you please restore this line?
|
|
||
| # How Hugging Face Scaled Secrets Management for AI Infrastructure | ||
|
|
||
| Hugging Face has become synonymous with advancing AI at scale. With over 4 million builders deploying models on the Hub, the rapid growth of the platform necessitated a rethinking of how sensitive configuration data—secrets—are managed. |
There was a problem hiding this comment.
Suggested change
| Hugging Face has become synonymous with advancing AI at scale. With over 4 million builders deploying models on the Hub, the rapid growth of the platform necessitated a rethinking of how sensitive configuration data—secrets—are managed. | |
| Hugging Face has become synonymous with advancing AI at scale. With over 4 million builders deploying models on the Hub, the rapid growth of the platform necessitated a rethinking of how sensitive configuration data —secrets— are managed. |
|
|
||
| ## Background | ||
|
|
||
| As Hugging Face's infrastructure evolved from an AWS-only setup to a multi-cloud environment that includes Azure and GCP, the engineering team needed a more agile, secure, and centralized way to manage secrets. Instead of reworking legacy systems or paying for heavyweight solutions like HashiCorp Vault, they turned to Infisical due to its developer-friendly workflows, multi-cloud abstraction, and robust security capabilities. |
There was a problem hiding this comment.
Suggested change
| As Hugging Face's infrastructure evolved from an AWS-only setup to a multi-cloud environment that includes Azure and GCP, the engineering team needed a more agile, secure, and centralized way to manage secrets. Instead of reworking legacy systems or paying for heavyweight solutions like HashiCorp Vault, they turned to Infisical due to its developer-friendly workflows, multi-cloud abstraction, and robust security capabilities. | |
| As Hugging Face's infrastructure evolved from an AWS-only setup to a multi-cloud environment that includes Azure and GCP, the engineering team needed a more agile, secure, and centralized way to manage secrets. Instead of reworking legacy systems or adopting heavyweight solutions like HashiCorp Vault, they turned to Infisical due to its developer-friendly workflows, multi-cloud abstraction, and robust security capabilities. |
| - An increased risk of “[secret sprawl](https://infisical.com/blog/what-is-secret-sprawl)” due to inconsistent management across environments. | ||
| - Complex permission management as the team scaled, requiring tight, role-based access controls (RBAC) integrated with the organization’s SSO (Okta). | ||
| - Difficulties with local development where traditional [.env files](https://infisical.com/blog/stop-using-env-files) compromised both security and developer productivity. | ||
| - The burden of manual secret rotation, which became painfully evident after a security incident involving exposed credentials. |
There was a problem hiding this comment.
Suggested change
| - The burden of manual secret rotation, which became painfully evident after a security incident involving exposed credentials. | |
| - The burden of manual secret rotation, which became painfully evident after a security incident that involved exposed credentials. |
Comment on lines
+57
to
+63
| ```mermaid | ||
| graph TD | ||
| A[Infisical Platform] -->|Push Update| B[Infisical Operator] | ||
| B -->|Sync Secret| C[Kubernetes Secret (my-app-k8s-secret)] | ||
| C -->|Mounted in| D[Application Pod] | ||
| D -->|Reads| E[Environment Variables / Volumes] | ||
| ``` |
There was a problem hiding this comment.
I don't think this will be rendered, perhaps we need a link instead.
| C -->|Mounted in| D[Application Pod] | ||
| D -->|Reads| E[Environment Variables / Volumes] | ||
| ``` | ||
| Better yet, since the application's Deployment references `my-app-k8s-secret` as an environment variable source or mounted volume, the operator can automatically trigger a container reload when the the secret changes. |
There was a problem hiding this comment.
Suggested change
| Better yet, since the application's Deployment references `my-app-k8s-secret` as an environment variable source or mounted volume, the operator can automatically trigger a container reload when the the secret changes. | |
| Better yet, since the application's Deployment references `my-app-k8s-secret` as an environment variable source or mounted volume, the Operator can automatically trigger a container reload when the secret changes. |
| ``` | ||
| Better yet, since the application's Deployment references `my-app-k8s-secret` as an environment variable source or mounted volume, the operator can automatically trigger a container reload when the the secret changes. | ||
|
|
||
| In practice, Hugging Face engineers favor waiting for manual redeployments despite the operator’s ability to trigger container restarts automatically. This decision was driven by the need for precise control over deployments, particularly when high traffic (over 10 million requests per minute) and numerous replicas are involved. |
There was a problem hiding this comment.
Suggested change
| In practice, Hugging Face engineers favor waiting for manual redeployments despite the operator’s ability to trigger container restarts automatically. This decision was driven by the need for precise control over deployments, particularly when high traffic (over 10 million requests per minute) and numerous replicas are involved. | |
| In practice, Hugging Face engineers favor waiting for manual redeployments despite the Operator’s ability to automatically trigger container restarts. This decision was driven by the need for precise control over deployments, particularly when high traffic (over 10 million requests per minute) and numerous replicas are involved. |
|
|
||
| ## Conclusion | ||
|
|
||
| Hugging Face's migration to Infisical demonstrates how a technically driven, engineering-centric approach to managing secrets across multiple cloud platforms delivers significants benefits. For tackling similar challenges, using Infisical is a practical way to work more efficiently while keeping security strong. |
There was a problem hiding this comment.
Suggested change
| Hugging Face's migration to Infisical demonstrates how a technically driven, engineering-centric approach to managing secrets across multiple cloud platforms delivers significants benefits. For tackling similar challenges, using Infisical is a practical way to work more efficiently while keeping security strong. | |
| Hugging Face's migration to Infisical demonstrates how a technically driven, engineering-centric approach to managing secrets across multiple cloud platforms delivers significant benefits. For tackling similar challenges, using Infisical is a practical way to work more efficiently while keeping security strong. |
|
|
||
| Hugging Face's migration to Infisical demonstrates how a technically driven, engineering-centric approach to managing secrets across multiple cloud platforms delivers significants benefits. For tackling similar challenges, using Infisical is a practical way to work more efficiently while keeping security strong. | ||
|
|
||
| When the secure path is made the easiest path, teams can focus on building innovative products instead of of worrying about managing secrets. |
There was a problem hiding this comment.
Suggested change
| When the secure path is made the easiest path, teams can focus on building innovative products instead of of worrying about managing secrets. | |
| When the secure path is made the easiest path, teams can focus on building innovative products instead of worrying about managing secrets. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Congratulations! You've made it this far! Once merged, the article will appear at https://huggingface.co/blog. Official articles
require additional reviews. Alternatively, you can write a community article following the process here.
Preparing the Article
You're not quite done yet, though. Please make sure to follow this process (as documented here):
mdfile. You can also specifyguestororgfor the authors.Here is an example of a complete PR: #2382
Getting a Review
Please make sure to get a review from someone on your team or a co-author.
Once this is done and once all the steps above are completed, you should be able to merge.
There is no need for additional reviews if you and your co-authors are happy and meet all of the above.
Feel free to add @pcuenca as a reviewer if you want a final check. Keep in mind he'll be biased toward light reviews
(e.g., check for proper metadata) rather than content reviews unless explicitly asked.