Overview
This issue tracks future enhancements to improve how sensitive credentials (e.g., api_key, AWS secret_access_key) are managed in provider configurations.
Background
Currently, the Admin API intentionally stores and returns raw credential values for provider configs (e.g., api_key for OpenAI-compatible providers and secret_access_key for Bedrock). This issue tracks improvements to support more secure credential management patterns.
Proposed Enhancements
1. Secret References
Support environment variable and secret manager reference syntax so credentials can be stored as references and resolved at runtime, e.g.:
$env://MY_API_KEY — resolved from environment variables
$secret://my-vault/api-key — resolved from a secret manager (e.g., HashiCorp Vault, AWS Secrets Manager)
2. Secret Provider Integrations
Integrate with external secret management systems to allow credentials to be fetched securely at runtime rather than stored directly in the config store.
References
Requested by @bzp2010
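One way the `$env://` and `$secret://` references proposed above could be resolved at runtime, added here as an illustration and not the project's own code. The `secret_stores` mapping is a hypothetical stand-in for a real Vault or AWS Secrets Manager client, and failing closed on an unresolvable reference is an assumption of this example.

```python
import os
import re

# Reference syntax from the issue: $env://NAME and $secret://<store>/<path>.
# The allowed env var characters and field list are assumptions of this example.
SCHEMES = ("env", "secret")
_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SENSITIVE_FIELDS = ("api_key", "secret_access_key")


class SecretResolutionError(Exception):
    """A reference could not be resolved; callers should fail closed."""


def split_reference(value):
    """Return (scheme, target) for a reference, or (None, value) for a literal."""
    for scheme in SCHEMES:
        prefix = f"${scheme}://"
        if value.startswith(prefix):
            return scheme, value[len(prefix):]
    return None, value


def resolve(value, env=None, secret_stores=None):
    """Resolve one credential value. secret_stores maps store name -> callable(path)."""
    scheme, target = split_reference(value)
    if scheme is None:
        return value  # raw literal, as the Admin API stores today
    if scheme == "env":
        env = os.environ if env is None else env
        if not _ENV_NAME.fullmatch(target):
            raise SecretResolutionError(f"invalid env var name in {value!r}")
        if not env.get(target):
            raise SecretResolutionError(f"env var {target} is unset or empty")
        return env[target]
    store, _, path = target.partition("/")
    if not path or store not in (secret_stores or {}):
        raise SecretResolutionError(f"unknown store or empty path in {value!r}")
    return secret_stores[store](path)


def resolve_provider_config(config, env=None, secret_stores=None):
    """Return a runtime copy with sensitive fields resolved; the stored config is untouched."""
    resolved = dict(config)
    for field in SENSITIVE_FIELDS:
        if field in resolved:
            resolved[field] = resolve(resolved[field], env, secret_stores)
    return resolved
```

With this split, the config store holds only the reference string, so reading a provider config back returns `$env://MY_API_KEY` rather than the key itself.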