Secrets Management

Securely store and manage sensitive information like API keys and tokens for your agents and tools.

Kubiya provides a secure vault for storing sensitive information required by your agents and tools, such as API keys, authentication tokens, certificates, passwords, or other credentials. Managing secrets centrally ensures that sensitive data is not hardcoded into tool scripts or agent configurations.

Why Use Secrets Management?

  • Security: Avoid exposing sensitive credentials directly in code or configurations.
  • Centralization: Manage all sensitive data from a single, secure location.
  • Rotation: Easily update credentials without modifying tool code.
  • Access Control: (Future capability) Granularly control which agents/tools can access specific secrets.

How Secrets Work with Tools and Agents

When an agent executes a tool that requires a secret:

  1. The agent definition or tool configuration specifies which secret(s) are needed.
  2. Kubiya securely retrieves the requested secret value from the vault.
  3. The secret value is injected into the tool's execution environment, typically as an environment variable.

For example, if you have a tool that interacts with the GitHub API, you would:

  1. Store your GitHub Personal Access Token (PAT) as a secret named GITHUB_PAT in Kubiya.
  2. Configure your tool to require the GITHUB_PAT secret.
  3. When the tool runs, Kubiya will make the token available as an environment variable GITHUB_PAT inside the tool's container. Your tool script can then read this variable.

# Example Python tool script accessing a secret
import os
import sys

import requests

# Kubiya injects the secret into the tool's environment as GITHUB_PAT
github_token = os.environ.get('GITHUB_PAT')

if not github_token:
    # Report the missing secret by name only and stop with a non-zero exit code
    print("Error: GITHUB_PAT secret not found in environment.", file=sys.stderr)
    sys.exit(1)

headers = {'Authorization': f'token {github_token}'}
# A timeout keeps the tool from hanging if the API is unreachable
response = requests.get('https://api.github.com/user', headers=headers, timeout=10)
response.raise_for_status()
# ... process response ...

Always ensure your tools handle the case where a required secret might not be available in the environment.
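
The following is an added example, not code from Kubiya or from the original page. It shows one way a tool can fail closed when an injected secret is missing and keep injected values out of its own log output. The names require_secrets, MissingSecretError and RedactSecrets are hypothetical, and the token value is constructed.

```python
# Added example (not Kubiya code): fail-closed secret loading plus log redaction.
import logging
import os


class MissingSecretError(RuntimeError):
    """Raised when one or more required secrets are absent or empty."""


def require_secrets(names, environ=None):
    """Return {name: value} for every required secret, or raise naming the missing ones."""
    env = os.environ if environ is None else environ
    values = {name: env.get(name, "").strip() for name in names}
    missing = sorted(name for name, value in values.items() if not value)
    if missing:
        # Report names only; never echo values or partial values.
        raise MissingSecretError("missing required secrets: " + ", ".join(missing))
    return values


class RedactSecrets(logging.Filter):
    """Replace known secret values with a placeholder in every log record."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = dict(secrets)

    def redact(self, text):
        for name, value in self._secrets.items():
            if value:  # an empty value would match everywhere
                text = text.replace(value, f"[REDACTED:{name}]")
        return text

    def filter(self, record):
        # Render the message first so secrets passed as %-args are caught too.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    # Constructed sample environment; in a real tool, omit `environ` to read os.environ.
    sample_env = {"GITHUB_PAT": "constructed-token-0000"}
    secrets = require_secrets(["GITHUB_PAT"], environ=sample_env)
    handler = logging.StreamHandler()
    handler.addFilter(RedactSecrets(secrets))
    log = logging.getLogger("tool")
    log.addHandler(handler)
    log.warning("request failed, auth header=%s", "token " + secrets["GITHUB_PAT"])
```

Attach the filter to the handler rather than to a single logger, so records that propagate from library loggers to that handler are redacted as well.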

Managing Secrets (UI Overview)

You can manage secrets through the Kubiya Web UI under the "Secrets" section.

  • Secret List: Displays stored secrets with names and descriptions.
  • Search: Quickly find secrets by name.
  • Create Secret: Add new secrets, providing a name, description, and the sensitive value.
  • Edit/View: Modify secret details (Note: viewing the value might be restricted based on permissions).
  • Delete: Securely remove secrets.

Best Practices

  • Use descriptive names for secrets.
  • Add clear descriptions explaining the purpose of each secret.
  • Regularly rotate sensitive credentials like API keys and update the corresponding secrets in Kubiya.
  • Grant access to secrets on a least-privilege basis (when granular controls become available).
