Secrets Management
Securely manage API keys, tokens, and sensitive configuration
Secrets Management
Securely store and manage sensitive data like API keys, tokens, and credentials.
Environment Variables
Set Environment Variables
# Set via CLI
swiftclaw env set my-agent OPENAI_API_KEY=sk-...
# Set multiple variables
swiftclaw env set my-agent \
OPENAI_API_KEY=sk-... \
DATABASE_URL=postgresql://... \
STRIPE_SECRET_KEY=sk_test_...Use Environment Variables
import os
agent = Agent(
name="my-agent",
model_api_key=os.getenv("OPENAI_API_KEY")
)
@agent.tool
async def query_database():
db_url = os.getenv("DATABASE_URL")
return await connect_and_query(db_url)Secret Store
Store Secrets
# Store secret
swiftclaw secrets set my-agent api-key \
--value sk-abc123... \
--description "OpenAI API Key"
# Store from file
swiftclaw secrets set my-agent db-cert \
--file ./database.crt
# Store with expiration
swiftclaw secrets set my-agent temp-token \
--value token123 \
--ttl 24hRetrieve Secrets
from swiftclaw import Agent
agent = Agent(name="my-agent")
# Get secret
api_key = await agent.secrets.get("api-key")
# Use secret
client = OpenAI(api_key=api_key)List Secrets
# List all secrets
swiftclaw secrets list my-agent
# Output:
# NAME CREATED EXPIRES
# api-key 2024-03-01 10:00 Never
# db-cert 2024-03-05 14:30 Never
# temp-token 2024-03-08 09:00 2024-03-09 09:00Secret Rotation
Automatic Rotation
# Enable automatic rotation
swiftclaw secrets rotate my-agent api-key \
--interval 90d \
--auto
# Configure rotation webhook
swiftclaw secrets rotate my-agent api-key \
--webhook https://yourapp.com/rotateManual Rotation
# Rotate secret
swiftclaw secrets rotate my-agent api-key \
--new-value sk-new123...
# Rotate with grace period
swiftclaw secrets rotate my-agent api-key \
--new-value sk-new123... \
--grace-period 24hSecret Versioning
Version History
# View secret versions
swiftclaw secrets versions my-agent api-key
# Output:
# VERSION CREATED STATUS
# v3 2024-03-08 10:00 active
# v2 2024-01-15 14:30 deprecated
# v1 2023-12-01 09:00 deletedRollback Secret
# Rollback to previous version
swiftclaw secrets rollback my-agent api-key --version v2Access Control
Grant Access
# Grant user access to secret
swiftclaw secrets grant my-agent api-key \
--user user@example.com \
--permission read
# Grant service account access
swiftclaw secrets grant my-agent api-key \
--service my-service \
--permission read,writeRevoke Access
# Revoke user access
swiftclaw secrets revoke my-agent api-key \
--user user@example.comSecret Encryption
All secrets are encrypted at rest and in transit:
- Encryption at Rest: AES-256-GCM
- Encryption in Transit: TLS 1.3
- Key Management: Hardware Security Modules (HSM)
Zero-Knowledge: SwiftClaw cannot decrypt your secrets without your encryption key.
Integration with Secret Managers
AWS Secrets Manager
{
"secrets": {
"provider": "aws-secrets-manager",
"region": "us-east-1",
"secretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret"
}
}HashiCorp Vault
{
"secrets": {
"provider": "vault",
"address": "https://vault.example.com",
"token": "s.abc123...",
"path": "secret/data/my-agent"
}
}Azure Key Vault
{
"secrets": {
"provider": "azure-keyvault",
"vaultUrl": "https://my-vault.vault.azure.net",
"tenantId": "tenant-id",
"clientId": "client-id",
"clientSecret": "client-secret"
}
}Secret Injection
Runtime Injection
# Secrets automatically injected at runtime
@agent.on_message
async def handle_message(message):
# API key available via environment
api_key = os.getenv("OPENAI_API_KEY")
# Or via secrets API
api_key = await agent.secrets.get("api-key")Build-Time Injection
# Inject secrets during deployment
swiftclaw deploy my-agent \
--secret OPENAI_API_KEY=secret:api-key \
--secret DATABASE_URL=secret:db-urlSecret Scanning
Prevent Secret Leaks
# Enable secret scanning
swiftclaw security scan my-agent --enable
# Scan for exposed secrets
swiftclaw security scan my-agent --checkPre-Commit Hooks
# Install pre-commit hook
swiftclaw security install-hook
# Hook prevents committing secrets
git commit -m "Add config"
# Error: Potential secret detected in config.jsonAudit Logging
Track secret access:
# View secret access logs
swiftclaw audit secrets my-agent
# Output:
# TIME USER ACTION SECRET
# 2024-03-08 10:30 user@example.com read api-key
# 2024-03-08 09:15 my-service read db-url
# 2024-03-07 14:20 admin@example.com update api-keyBest Practices
1. Never Hardcode Secrets
# Bad: Hardcoded secret
api_key = "sk-abc123..."
# Good: Use environment variables
api_key = os.getenv("OPENAI_API_KEY")
# Better: Use secret store
api_key = await agent.secrets.get("api-key")2. Use Least Privilege
# Grant minimal permissions
swiftclaw secrets grant my-agent api-key \
--user user@example.com \
--permission read3. Rotate Regularly
# Set rotation policy
swiftclaw secrets rotate my-agent api-key \
--interval 90d \
--auto4. Monitor Access
# Set up alerts
swiftclaw alerts create \
--agent my-agent \
--metric secret-access \
--threshold 100 \
--window 1h5. Use Separate Secrets per Environment
# Development
swiftclaw secrets set my-agent api-key-dev --value sk-dev...
# Production
swiftclaw secrets set my-agent api-key-prod --value sk-prod...Secret Templates
Create reusable secret templates:
# secrets-template.yaml
secrets:
- name: openai-api-key
description: OpenAI API Key
required: true
rotation: 90d
- name: database-url
description: Database Connection String
required: true
rotation: never
- name: stripe-secret-key
description: Stripe Secret Key
required: false
rotation: 180d# Apply template
swiftclaw secrets apply my-agent --template secrets-template.yamlSecurity First: Always use secret management for sensitive data. Never commit secrets to version control.
Next Steps
How is this guide ?
Last updated on