AWS Secrets Manager
Enterprise Feature
This feature is available exclusively in the Enterprise edition of the Radicalbit AI Gateway. Contact sales for licensing information.
This plugin enables the gateway to resolve !secret references from AWS Secrets Manager instead of a static secrets.yaml file.
All gateway secrets are stored in one AWS Secrets Manager secret as a JSON object of key-value pairs. Each !secret KEY reference fetches the corresponding key from that single secret.
aws secretsmanager create-secret \
  --name gateway/secrets \
  --secret-string '{
    "OPENAI_API_KEY": "sk-proj-...",
    "GOOGLE_API_KEY": "AIzaSy...",
    "CACHE_REDIS_HOST": "redis-host",
    "CACHE_REDIS_PORT": "6379"
  }'
Then in config.yaml:
credentials:
  api_key: !secret OPENAI_API_KEY
Enabling the Plugin
export ENABLED_PLUGINS="aws_secrets_manager"
No secrets.yaml is needed when this plugin is active.
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
| AWS_SECRET_NAME | Yes | — | Name or ARN of the secret |
| AWS_REGION | Yes | — | AWS region (e.g. eu-west-1) |
| AWS_ACCESS_KEY_ID | No | — | Explicit AWS access key (falls back to default credential chain) |
| AWS_SECRET_ACCESS_KEY | No | — | Explicit AWS secret key |
| AWS_SESSION_TOKEN | No | — | Session token for temporary credentials |
Authentication Methods
IAM Role (recommended for EC2/ECS/EKS) — no explicit credentials needed:
export AWS_SECRET_NAME=gateway/secrets
export AWS_REGION=eu-west-1
Explicit credentials (on-prem or environments without IAM roles):
export AWS_SECRET_NAME=gateway/secrets
export AWS_REGION=eu-west-1
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=wJalrXU...
Dependencies
boto3>=1.26.0 — installed automatically from requirements.txt when the plugin is enabled
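
A pre-deployment check for this setup, as an added example that is not part of the plugin or the gateway's own code: it reports `!secret` keys referenced in config.yaml that are absent from the secret's JSON object, and keys stored in the secret that the config never references, without returning any secret values. The function names, the regular expression for `!secret KEY`, and the sample config and secret are assumptions constructed for illustration; `fetch_secret_string` reads the AWS_SECRET_NAME and AWS_REGION variables described above.

```python
import json
import os
import re

# Matches "!secret KEY" references in the form shown in config.yaml on this page.
SECRET_REF = re.compile(r"!secret\s+([A-Za-z_][A-Za-z0-9_]*)")

def referenced_keys(config_text):
    """Return the set of keys named by !secret references, skipping YAML comments."""
    keys = set()
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # naive comment strip (assumption: no '#' before a reference)
        keys.update(SECRET_REF.findall(code))
    return keys

def check_secret(config_text, secret_string):
    """Compare config references with the secret's JSON keys; values are never returned."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object of key-value pairs")
    refs, have = referenced_keys(config_text), set(data)
    # "unused" keys are readable by the gateway's role without being needed by it.
    return {"missing": sorted(refs - have), "unused": sorted(have - refs)}

def fetch_secret_string():
    """Fetch the secret named by AWS_SECRET_NAME via the configured credentials."""
    import boto3  # imported lazily so the checks above run without AWS access
    client = boto3.client("secretsmanager", region_name=os.environ["AWS_REGION"])
    return client.get_secret_value(SecretId=os.environ["AWS_SECRET_NAME"])["SecretString"]

# Constructed sample inputs (placeholder values, not real keys).
SAMPLE_CONFIG = """\
credentials:
  api_key: !secret OPENAI_API_KEY
cache:
  host: !secret CACHE_REDIS_HOST
  port: !secret CACHE_REDIS_PORT
  # password: !secret CACHE_REDIS_PASSWORD
  token: !secret GATEWAY_TOKEN
"""
SAMPLE_SECRET = json.dumps({"OPENAI_API_KEY": "sk-test", "GOOGLE_API_KEY": "g-test",
                            "CACHE_REDIS_HOST": "redis-host", "CACHE_REDIS_PORT": "6379"})

if __name__ == "__main__":
    print(check_secret(SAMPLE_CONFIG, SAMPLE_SECRET))
```

Against a live secret, pass `fetch_secret_string()` as the second argument; a non-empty `missing` list means the gateway would start with an unresolvable reference.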