Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:BerriAI Litellm HashiCorp Secret Manager

From Leeroopedia
Revision as of 12:09, 16 February 2026 by Admin (talk | contribs) (Auto-imported from implementations/BerriAI_Litellm_HashiCorp_Secret_Manager.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Attribute Value
Sources litellm/secret_managers/hashicorp_secret_manager.py
Domains Secret Management, HashiCorp Vault, KV V2, Enterprise
last_updated 2026-02-15 16:00 GMT

Overview

The HashiCorp Secret Manager module integrates HashiCorp Vault's KV v2 secrets engine as a secret management backend for LiteLLM, supporting token, AppRole, and TLS certificate authentication methods.

Description

This module provides the HashicorpSecretManager class, which extends BaseSecretManager to implement full CRUD operations against a HashiCorp Vault KV v2 secrets engine. The class supports three authentication methods in priority order: (1) AppRole authentication via HCP_VAULT_APPROLE_ROLE_ID and HCP_VAULT_APPROLE_SECRET_ID, (2) TLS certificate authentication via HCP_VAULT_CLIENT_CERT and HCP_VAULT_CLIENT_KEY, and (3) direct token authentication via HCP_VAULT_TOKEN. URLs are constructed following KV v2 conventions: {VAULT_ADDR}/v1/{namespace}/{mount}/data/{path_prefix}/{secret_name}. The class includes configurable namespace, mount name, and path prefix support. Secrets are stored under the "key" data field by default (configurable via optional_params). Results are cached in an InMemoryCache with a configurable refresh interval. The async_rotate_secret method performs verified rotation: it checks the old secret exists, writes the new secret, verifies the written value matches, then optionally deletes the old secret. This is a premium/enterprise feature.

Usage

Import and instantiate HashicorpSecretManager when configuring the LiteLLM proxy with key_management_system: hashicorp_vault. Requires environment variables for Vault connection settings.

Code Reference

Source Location

litellm/secret_managers/hashicorp_secret_manager.py

Class: HashicorpSecretManager

class HashicorpSecretManager(BaseSecretManager):
    def __init__(self):

Key Methods

Method Signature Description
_verify_required_credentials_exist def _verify_required_credentials_exist(self) -> None Validates at least one authentication method is configured
_auth_via_approle def _auth_via_approle(self) -> str Authenticates via AppRole and returns a Vault token; caches by lease duration
_auth_via_tls_cert def _auth_via_tls_cert(self) -> str Authenticates via TLS certificate and returns a Vault token; caches by lease duration
get_url def get_url(self, secret_name, namespace=None, mount_name=None, path_prefix=None) -> str Constructs the Vault KV v2 URL with optional namespace, mount, and path prefix
_get_request_headers def _get_request_headers(self) -> dict Returns headers with X-Vault-Token using the appropriate auth method
async_read_secret async def async_read_secret(self, secret_name, optional_params=None, timeout=None) -> Optional[str] Reads a secret from Vault KV v2 asynchronously with caching
sync_read_secret def sync_read_secret(self, secret_name, optional_params=None, timeout=None) -> Optional[str] Reads a secret from Vault KV v2 synchronously with caching
async_write_secret async def async_write_secret(self, secret_name, secret_value, description=None, optional_params=None, timeout=None, tags=None) -> Dict[str, Any] Writes a secret to Vault KV v2 under the configured data key
async_rotate_secret async def async_rotate_secret(self, current_secret_name, new_secret_name, new_secret_value, optional_params=None, timeout=None) -> Dict Verified rotation: write new, verify, optionally delete old
async_delete_secret async def async_delete_secret(self, secret_name, recovery_window_in_days=7, optional_params=None, timeout=None) -> dict Marks the latest version as deleted in KV v2

Import

from litellm.secret_managers.hashicorp_secret_manager import HashicorpSecretManager

Environment Variables

Variable Description Default
HCP_VAULT_ADDR Vault server address http://127.0.0.1:8200
HCP_VAULT_TOKEN Direct Vault token (priority 3) (empty)
HCP_VAULT_NAMESPACE Vault namespace (none)
HCP_VAULT_MOUNT_NAME KV engine mount name secret
HCP_VAULT_PATH_PREFIX Path prefix for secrets (none)
HCP_VAULT_APPROLE_ROLE_ID AppRole role ID (priority 1) (empty)
HCP_VAULT_APPROLE_SECRET_ID AppRole secret ID (priority 1) (empty)
HCP_VAULT_APPROLE_MOUNT_PATH AppRole auth mount path approle
HCP_VAULT_CLIENT_CERT TLS client certificate path (priority 2) (empty)
HCP_VAULT_CLIENT_KEY TLS client key path (priority 2) (empty)
HCP_VAULT_CERT_ROLE TLS cert role name (none)
HCP_VAULT_REFRESH_INTERVAL Cache refresh interval in seconds SECRET_MANAGER_REFRESH_INTERVAL

I/O Contract

Inputs (async_read_secret)

Parameter Type Description
secret_name str Path inside the KV mount (e.g., "myapp/config")
optional_params Optional[dict] Can contain namespace, mount, path_prefix, data overrides
timeout Optional[Union[float, httpx.Timeout]] Request timeout

Outputs (async_read_secret)

Return Type Description
Optional[str] The secret value from data.data.key in the Vault response, or None on error

Usage Examples

import os
os.environ["HCP_VAULT_ADDR"] = "https://vault.example.com:8200"
os.environ["HCP_VAULT_TOKEN"] = "hvs.CAESI..."

from litellm.secret_managers.hashicorp_secret_manager import HashicorpSecretManager

manager = HashicorpSecretManager()

# Read a secret
value = await manager.async_read_secret("myapp/openai-key")
# Reads from: https://vault.example.com:8200/v1/secret/data/myapp/openai-key
# Returns data.data.key from the JSON response

# Write a secret
result = await manager.async_write_secret(
    secret_name="myapp/new-key",
    secret_value="sk-abc123",
    description="New OpenAI API key",
)

# Rotate a secret with a different name
result = await manager.async_rotate_secret(
    current_secret_name="myapp/old-key",
    new_secret_name="myapp/new-key",
    new_secret_value="sk-new-value",
)

# Read with custom namespace and mount
value = await manager.async_read_secret(
    "mykey",
    optional_params={
        "secret_manager_settings": {
            "namespace": "team-a",
            "mount": "kv",
            "path_prefix": "production",
        }
    },
)

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment