By Draco Stone
Developer
I am looking to deploy my Streamlit app to Digital Ocean but there’s a problem.
My app uses st.login() which gets my login credentials from secrets I stored in the secrets.toml file. However, there’s no place for me to upload my secrets file securely within Digital Ocean.
I can’t assign the credentials to environmental variables because Streamlit’s st.login() looks specifically for a secrets.toml file.
I don’t want to hard code my secrets in a secrets.toml file when I deploy my app, so what should I do?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Hi Draco,
One simple workaround on DigitalOcean (especially if you’re using a Droplet) is to upload your secrets.toml
file after deployment via SSH. You can place it in ~/.streamlit/secrets.toml
on the server and make sure that file is not tracked in your Git repo.
Basically:
SSH into your Droplet.
Create the folder: mkdir -p ~/.streamlit
Upload your secrets.toml
securely, eg: scp secrets.toml root@your_droplet_ip:~/.streamlit/secrets.toml
This keeps your secrets file out of your repo and allows Streamlit to find it where it expects it.
Alternatively, if you’re using App Platform, you might want to refactor your code to pull secrets from environment variables instead, since App Platform lets you manage those securely.
Hope that this helps!
- Bobby
Heya,
Since st.secrets
(not st.login()
— I assume you meant st.secrets["key"]
) specifically loads from a secrets.toml
file and not environment variables, here’s how you can securely manage this for deployment:
Solution: Use a secure secrets.toml
during deployment via environment-aware scripting
Here’s a practical and secure approach:
secrets.toml
out of version control.gitignore
:.streamlit/secrets.toml
secrets.toml
during deployment from environment variablesInstead of uploading the file, create it during the deployment process using a script (e.g., in your Dockerfile
, cloud-init
, or startup script). Here’s how:
Example deployment shell script:
#!/bin/bash
# Create the .streamlit directory if it doesn't exist
mkdir -p /app/.streamlit
# Write secrets.toml from environment variables
cat <<EOF > /app/.streamlit/secrets.toml
[general]
username = "${STREAMLIT_USERNAME}"
password = "${STREAMLIT_PASSWORD}"
EOF
Set the STREAMLIT_USERNAME
and STREAMLIT_PASSWORD
as environment variables in DigitalOcean (via the App Platform UI if using that, or in your shell if you’re using a droplet).
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Full documentation for every DigitalOcean product.
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.