Nextflow Secrets produces empty string due to wrong path

pwolk · January 29, 2025, 2:03pm

Hi guys, I have a problem with Nextflow secrets.
My process looks like this:

process FOO {

    time '24h'
    secret 'USERNAME'
    secret 'PASSWORD'

    input:
    [...]


    output:
    [...]

    script:
    """
    #!/usr/bin/env bash
    ## dummy echo for testing
    echo \$USERNAME
    echo \$PASSWORD
       [...]
    """
}

USERNAME and PASSWORD exist in nextflow secrets. When I run the process, both echo commands print empty strings. If I change the name of the secrets variable, it fails, so Nextflow recognizes that USERNAME and PASSWORD exists. But of course this doesn’t help me. When I look into the .command.log, I see the following telling text:

grep: ./secrets/.nf-ec9a753b-9de3-466f-b0ec-c5e6b1a407d6.secrets: No such file or directory

So, Nextflow wants to look into the secrets directory in the current work dir, but the secrets directory is in my project root!
Looking into the .command.run, my suspicion is confirmed, Nextflow changes into the workdir before trying to read from the secrets file in root dir:

    [[ "${NXF_CHDIR:-}" ]] && cd "$NXF_CHDIR"
    NXF_SCRATCH=''
    [[ $NXF_DEBUG > 0 ]] && nxf_env
    touch [workdir.... ]/.command.begin
    set +u
    # conda environment
    source $(conda info --json | awk '/conda_prefix/ { gsub(/"|,/, "", $2); print $2 }')/bin/activate foo
    set -u
    export PATH="$PATH:/foo/bar"
    source /dev/stdin <<<"$(cat <(grep -w -e 'USERNAME=.*' -e 'PASSWORD=.*' ./secrets/.nf-ec9a753b-9de3-466f-b0ec-c5e6b1a407d6.secrets))"

Am I using secrets wrong? Do I have to give the secrets dir as input? Because linking it into the workdir would work, but would contradict the use of secrets imo. Or is it a bug?

mribeirodantas · January 29, 2025, 2:12pm

Hi @pwolk ! Welcome to Seqera Community Forum

How did you create the secrets? I tried to reproduce your situation the following way and it worked:

secrets.nf

process FOO {                                                                      
    debug true                                                                     
                                                                                   
    time '24h'                                                                     
    secret 'USERNAME'                                                              
    secret 'PASSWORD'                                                              
                                                                                   
    script:                                                                        
    """                                                                            
    #!/usr/bin/env bash                                                            
    ## dummy echo for testing                                                      
    echo \$USERNAME                                                                
    echo \$PASSWORD                                                                
    """                                                                                                                                                      
}                                                                                  
                                                                                   
workflow {                                                                         
  FOO()                                                                            
}

# Creating secrets
nextflow secrets set USERNAME Marcel
nextflow secrets set PASSWORD Marcelpass
nextflow run secrets.nf

I don’t see in my .command.log or .command.run the same thing you’re seeing.

...
source /dev/stdin <<<"$(cat <(grep -w -e 'USERNAME=.*' -e 'PASSWORD=.*' /Users/mribeirodantas/.nextflow/secrets/.nf-ef20b430-8476-43f7-a171-3b82e5e61    ae1.secrets))"
...

pwolk · January 29, 2025, 2:21pm

Thank you for trying it out!

I just did it like you!
nextflow secrets set USERNAME paul

pwolk · January 29, 2025, 2:26pm

Okay, sorry for wasting your time. I just found out the reason:
The bash script that starts the pipeline runs a command that sets the NXF_HOME variable, but the command to determine what to use as home produces just “.”, so this is used also to determine the secrets directory and results in this ./secrets… . ahhh using realpath in front of that command solves it.

mribeirodantas · January 29, 2025, 5:44pm

Thanks for coming back to share the explanation of what led to the reported scenario, @pwolk ! Great to hear you’ve solved it

system · February 5, 2025, 5:44pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing nextflow work directory Ask for help nextflow	2	335	April 22, 2024
Configure secrets without the command line interface Ask for help	3	33	June 26, 2025
Automatically Set Report to be Within the Working Directory Ask for help platform	1	334	October 23, 2023
Getting Unexpected input: '{' Error, but neither I or github copilot can find any syntax error Ask for help	12	364	July 1, 2024
Issue running bash with Jellyfish container Ask for help nextflow	6	49	January 9, 2025

Nextflow Secrets produces empty string due to wrong path

Related topics