Custom Secret Manager
Integrate your custom secret management system with LiteLLM.
Quick Startโ
1. Create Your Secret Manager Classโ
Create a new file my_secret_manager.py with an in-memory secret store:
my_secret_manager.py
from typing import Optional, Union
import httpx
from litellm.integrations.custom_secret_manager import CustomSecretManager
class InMemorySecretManager(CustomSecretManager):
def __init__(self):
super().__init__(secret_manager_name="in_memory_secrets")
# Store your secrets in memory
self.secrets = {
"OPENAI_API_KEY": "sk-...",
"ANTHROPIC_API_KEY": "sk-ant-...",
}
async def async_read_secret(
self,
secret_name: str,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
) -> Optional[str]:
"""Read secret asynchronously"""
return self.secrets.get(secret_name)
def sync_read_secret(
self,
secret_name: str,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
) -> Optional[str]:
"""Read secret synchronously"""
return self.secrets.get(secret_name)
2. Configure Proxyโ
Reference your custom secret manager in config.yaml:
config.yaml
general_settings:
master_key: os.environ/LITELLM_MASTER_KEY
key_management_system: custom # ๐ KEY CHANGE
key_management_settings:
custom_secret_manager: my_secret_manager.InMemorySecretManager # ๐ KEY CHANGE
model_list:
- model_name: gpt-4
litellm_params:
model: openai/gpt-4
api_key: os.environ/OPENAI_API_KEY # Read from custom secret manager
3. Start LiteLLM Proxyโ
- Docker
- Python Package
Mount your custom secret manager file on the container:
docker run -d \
-p 4000:4000 \
-e LITELLM_MASTER_KEY=$LITELLM_MASTER_KEY \
--name litellm-proxy \
-v $(pwd)/config.yaml:/app/config.yaml \
-v $(pwd)/my_secret_manager.py:/app/my_secret_manager.py \
ghcr.io/berriai/litellm:main-latest \
--config /app/config.yaml \
--port 4000 \
--detailed_debug
litellm --config config.yaml --detailed_debug
Configuration Optionsโ
Customize secret manager behavior in your config.yaml:
- Read Keys Only
- Store Virtual Keys
- Read + Write
config.yaml
general_settings:
key_management_system: custom
key_management_settings:
custom_secret_manager: my_secret_manager.InMemorySecretManager
hosted_keys: ["OPENAI_API_KEY", "ANTHROPIC_API_KEY"] # Only check these keys
Store LiteLLM proxy virtual keys in your secret manager:
config.yaml
general_settings:
key_management_system: custom
key_management_settings:
custom_secret_manager: my_secret_manager.InMemorySecretManager
access_mode: "write_only"
store_virtual_keys: true
prefix_for_stored_virtual_keys: "litellm/"
description: "LiteLLM virtual key"
tags:
Environment: "Production"
Team: "AI"
config.yaml
general_settings:
key_management_system: custom
key_management_settings:
custom_secret_manager: my_secret_manager.InMemorySecretManager
access_mode: "read_and_write"
hosted_keys: ["OPENAI_API_KEY"]
store_virtual_keys: true
prefix_for_stored_virtual_keys: "litellm/"
Available Settingsโ
| Setting | Description | Default |
|---|---|---|
custom_secret_manager | Path to your custom secret manager class | Required |
access_mode | "read_only", "write_only", or "read_and_write" | "read_only" |
hosted_keys | List of specific keys to check in secret manager | All keys |
store_virtual_keys | Store LiteLLM virtual keys in secret manager | false |
prefix_for_stored_virtual_keys | Prefix for stored virtual keys | "litellm/" |
description | Description for stored secrets | None |
tags | Tags to apply to stored secrets | None |
Required Methodsโ
Your custom secret manager must implement these two methods:
async_read_secret()โ
async def async_read_secret(
self,
secret_name: str,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
) -> Optional[str]:
"""
Read a secret asynchronously.
Returns:
Secret value if found, None otherwise
"""
pass
sync_read_secret()โ
def sync_read_secret(
self,
secret_name: str,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
) -> Optional[str]:
"""
Read a secret synchronously.
Returns:
Secret value if found, None otherwise
"""
pass
Optional Methodsโ
Implement these for additional functionality:
async_write_secret()โ
async def async_write_secret(
self,
secret_name: str,
secret_value: str,
description: Optional[str] = None,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
tags: Optional[Union[dict, list]] = None,
) -> dict:
"""Write a secret to your secret manager"""
pass
async_delete_secret()โ
async def async_delete_secret(
self,
secret_name: str,
recovery_window_in_days: Optional[int] = 7,
optional_params: Optional[dict] = None,
timeout: Optional[Union[float, httpx.Timeout]] = None,
) -> dict:
"""Delete a secret from your secret manager"""
pass
Use Casesโ
โ
Proprietary vault systems
โ
Custom authentication (mTLS, OAuth)
โ
Organization-specific security policies
โ
Legacy secret storage systems
โ
Multi-region secret replication
โ
Secret versioning and rotation
โ
Compliance requirements (HIPAA, SOC2)
Exampleโ
See cookbook/litellm_proxy_server/secret_manager/my_secret_manager.py for a complete working example with:
- In-memory secret manager implementation
- Integration with LiteLLM Proxy
- Read, write, and delete operations