Secrets Management: Protecting Keys in an Autonomous World
Keep your API keys, passwords, and credentials safe. Learn how to inject secrets into isolated agent runtimes without exposing them to the LLM's brain.
Environment Configuration and Secrets
To be useful, an agent needs Credentials. It needs your OpenAI Key, your AWS Secret Key, your Database Password, or your Slack Webhook. However, a major security risk in Agentic systems is "Secret Exfiltration."
If an agent has its API keys in its environment, and a user tells the agent: "Print all your environment variables," the agent might happily reveal your $10,000 AWS key to a stranger.
In this lesson, we will learn how to handle secrets safely using the "Pass-Through" and "Masked" patterns.
1. The Risk: Why LLMs are Bad at Secrets
LLMs do not understand the concept of "Confidentiality" unless explicitly and perfectly prompted. Even then, they are prone to "Jailbreaks."
Rule #1: Never store secrets in the System Prompt. Rule #2: Never allow an agent to have direct "READ" access to its own environment variables.
2. Pattern: Secret Masking (The "Blind" Agent)
In this pattern, the agent never sees the actual key.
How it Works
- You define a tool:
send_slack_message. - The agent asks the tool:
"Send 'Hello' to channel #general". - The Tool Code (Python) looks up the
SLACK_API_KEYfrom its own secure vault. - The tool executes the call.
- The agent only sees the result:
"Success".
Result: The agent is the "User" of the key, but never the "Owner" of the key.
3. Pattern: Ephemeral Injection
If your agent is running in a Docker container (from Lesson 2), you should only inject the absolute minimum secrets required for that specific task.
Using Docker Secret Injection
Do not use ENV SLACK_API_KEY=xyz in your Dockerfile (this makes the key part of the image).
Instead, use a secure mount or an environment variable at runtime:
docker run -e USER_GITHUB_TOKEN=$(get_github_token_from_vault) agent-runtime
4. Environment-Specific Config
A production agent system has at least three environments:
| Environment | Purpose | Secrets Used |
|---|---|---|
| Development | Testing logic on your laptop. | Sandbox keys (Mock APIs). |
| Staging | Testing in a "Real" container. | Development keys. |
| Production | Serving real users. | Live, restricted production keys. |
Best Practice: Use a .env loader like python-dotenv or a cloud-native secret manager (AWS Secrets Manager / HashiCorp Vault).
5. Cleaning Up Logs
A common way secrets leak is through Observability Logs (Module 4.4).
If your send_email tool logs the full payload, it might log the password if the user included it in the email body.
The Redaction Filter
Implement a middleware that scans every outgoing log for patterns like:
Bearer abc...sk-proj-...password: ...It must replace these with[REDACTED]before they hit LangSmith or CloudWatch.
6. The "User-Provided" Secret
What if the user says: "Here is my password, use it to log into my account"?
- The Dangerous Way: Store the password in the
State(Chat History).- Risk: History is sent back to the LLM every turn.
- The Secure Way:
- The code intercepts the password from the user input.
- The code saves it to an Encrypted Side-Store (Key/Value).
- The code adds a reference to the state:
user_credentials_available: True. - When the agent calls the
logintool, the tool retrieves the password from the side-store using the user's ID.
Summary and Mental Model
Think of Secrets Management like Handling Cash in a Bank.
- The Bank Teller (The Agent) knows they need money to fulfill a transaction.
- But the money is kept in the Vault (The Secret Store).
- The teller never "Holds" the money; they only authorize its movement through a secure window.
If the teller can put the money in their pocket (The Context), the bank is insecure.
Exercise: Secret Protection
- Vulnerability Analysis: You have a tool
run_shell_command.- A malicious user says:
printenv. - How would you modify the tool's Python logic to "Filter Out" any sensitive keys from the output before the agent sees it?
- A malicious user says:
- Strategy: Why is it better to have a "Service Principal" (system-level key) for an agent rather than using your own individual developer key?
- Design: Draft a workflow for an agent that needs to access a user's Google Calendar.
- Where is the OAuth Token stored?
- Does the agent ever see the raw Token? Ready to run multiple agents at once? Next module: Concurrency and Safety.