
Implementation:BerriAI Litellm CyberArk Secret Manager

From Leeroopedia
| Attribute | Value |
|---|---|
| Sources | litellm/secret_managers/cyberark_secret_manager.py |
| Domains | Secret Management, CyberArk, Conjur, Enterprise |
| last_updated | 2026-02-15 16:00 GMT |

Overview

The CyberArk Secret Manager module integrates CyberArk Conjur as a secret management backend for LiteLLM, supporting both API key and TLS certificate authentication with automatic token caching.

Description

This module provides the CyberArkSecretManager class, which extends BaseSecretManager to implement secret operations against a CyberArk Conjur instance. The class supports two authentication methods: API key authentication (via CYBERARK_API_KEY) and mutual TLS certificate authentication (via CYBERARK_CLIENT_CERT and CYBERARK_CLIENT_KEY). Authentication tokens are base64-encoded and cached in an InMemoryCache with a configurable refresh interval (default 5 minutes, which keeps a cached token inside Conjur's ~8-minute token lifetime).

Secret values are read and written via Conjur's REST API with URL-encoded variable names. CyberArk Conjur does not support direct secret deletion via the API; secrets can only be removed through policy updates. This is a premium/enterprise feature requiring a valid LiteLLM license. SSL verification can be disabled for development environments with self-signed certificates; with verification off, the client no longer authenticates the Conjur server it sends credentials to.

Usage

Import and instantiate CyberArkSecretManager when configuring the LiteLLM proxy with key_management_system: cyberark. The CyberArk connection settings are supplied through environment variables.

Code Reference

Source Location

litellm/secret_managers/cyberark_secret_manager.py

Class: CyberArkSecretManager

class CyberArkSecretManager(BaseSecretManager):
    def __init__(self):
        ...  # body not shown on this page

Key Methods

| Method | Signature | Description |
|---|---|---|
| _authenticate | def _authenticate(self) -> str | Authenticates with Conjur and returns a base64-encoded session token; caches the token |
| _get_request_headers | def _get_request_headers(self) -> dict | Returns headers with the Token authorization for Conjur API requests |
| _ensure_variable_exists | def _ensure_variable_exists(self, secret_name: str) -> None | Creates a Conjur policy entry for the variable (idempotent) |
| get_url | def get_url(self, secret_name: str) -> str | Builds the URL-encoded Conjur variable endpoint URL |
| async_read_secret | async def async_read_secret(self, secret_name, optional_params=None, timeout=None) -> Optional[str] | Reads a secret asynchronously with caching |
| sync_read_secret | def sync_read_secret(self, secret_name, optional_params=None, timeout=None) -> Optional[str] | Reads a secret synchronously with caching |
| async_write_secret | async def async_write_secret(self, secret_name, secret_value, description=None, optional_params=None, timeout=None, tags=None) -> Dict[str, Any] | Writes a secret (ensures variable exists first via policy) |
| async_delete_secret | async def async_delete_secret(self, secret_name, recovery_window_in_days=7, optional_params=None, timeout=None) -> dict | Returns a "not_supported" status (Conjur requires policy updates for deletion) |
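
A sketch of the three mechanics the method table names (token caching with a refresh interval, the Token authorization header, and the URL-encoded variable path), added here as an example and not LiteLLM's implementation. ConjurSession, fetch_token and the injected clock are hypothetical names; the /secrets/{account}/variable/{id} path and the Token token="..." header form follow Conjur's REST API.

```python
import base64
import time
from urllib.parse import quote


class ConjurSession:
    """Hypothetical helper: cached Conjur token plus variable URL building."""

    def __init__(self, api_base, account, fetch_token, refresh_interval=300,
                 clock=time.monotonic):
        self.api_base = api_base.rstrip("/")
        self.account = account
        self._fetch_token = fetch_token        # callable returning raw token bytes
        self._refresh_interval = refresh_interval
        self._clock = clock
        self._cached = None                    # (encoded_token, fetched_at)

    def token(self):
        now = self._clock()
        if self._cached and now - self._cached[1] < self._refresh_interval:
            return self._cached[0]             # still inside the refresh interval
        encoded = base64.b64encode(self._fetch_token()).decode("ascii")
        self._cached = (encoded, now)
        return encoded

    def headers(self):
        return {"Authorization": f'Token token="{self.token()}"'}

    def variable_url(self, secret_name):
        # safe="" also encodes "/", so the whole id stays one path segment
        encoded_id = quote(secret_name, safe="")
        return f"{self.api_base}/secrets/{self.account}/variable/{encoded_id}"


def demo():
    """Run the cache against a constructed authenticator and a fake clock."""
    calls, now = [], [0.0]

    def fake_authenticate():                   # stands in for the Conjur authn call
        calls.append(now[0])
        return b'{"constructed":"token-%d"}' % len(calls)

    session = ConjurSession("https://conjur.example.com/", "myaccount",
                            fake_authenticate, clock=lambda: now[0])
    first = session.token()
    now[0] = 299.0
    second = session.token()                   # served from cache
    now[0] = 300.0
    third = session.token()                    # interval elapsed, re-authenticates
    return session, first, second, third, len(calls)
```

Because the slash is encoded, a name such as ../../authn cannot climb out of the variable path; it is sent as a single opaque identifier.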

Import

from litellm.secret_managers.cyberark_secret_manager import CyberArkSecretManager

Environment Variables

| Variable | Description | Default |
|---|---|---|
| CYBERARK_API_BASE | Conjur API base URL | http://127.0.0.1:8080 |
| CYBERARK_ACCOUNT | Conjur account name | default |
| CYBERARK_USERNAME | Conjur username | admin |
| CYBERARK_API_KEY | API key for authentication (required if no TLS cert) | |
| CYBERARK_CLIENT_CERT | Path to TLS client certificate (optional) | |
| CYBERARK_CLIENT_KEY | Path to TLS client key (optional) | |
| CYBERARK_SSL_VERIFY | Enable/disable SSL verification | true |
| CYBERARK_REFRESH_INTERVAL | Token cache TTL in seconds | 300 |
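
A pre-deployment check over the variables in this table, added here as an example and not part of LiteLLM. The function name, the finding strings and the set of values treated as "verification disabled" are assumptions; the defaults and the 8-minute token lifetime are the ones this page states.

```python
import ipaddress
from urllib.parse import urlsplit

TOKEN_LIFETIME_S = 8 * 60            # the "~8-minute" Conjur figure quoted on this page
FALSY = {"false", "0", "no", "off"}  # assumption: spellings that disable verification


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:               # a DNS name, not an IP literal
        return False


def audit_cyberark_env(env):
    """Return findings for a mapping of CYBERARK_* settings (defaults from the table)."""
    findings = []
    url = urlsplit(env.get("CYBERARK_API_BASE", "http://127.0.0.1:8080"))
    local = _is_loopback(url.hostname or "")
    if url.scheme != "https" and not local:
        findings.append("API base is not HTTPS on a non-loopback host")
    if env.get("CYBERARK_SSL_VERIFY", "true").strip().lower() in FALSY and not local:
        findings.append("SSL verification disabled for a non-loopback host")
    cert, key = env.get("CYBERARK_CLIENT_CERT"), env.get("CYBERARK_CLIENT_KEY")
    if bool(cert) != bool(key):
        findings.append("client cert and key must be set together")
    if not env.get("CYBERARK_API_KEY") and not (cert and key):
        findings.append("no API key and no client cert/key pair")
    if env.get("CYBERARK_USERNAME", "admin") == "admin":
        findings.append("authenticating as the admin user")
    try:
        if int(env.get("CYBERARK_REFRESH_INTERVAL", "300")) >= TOKEN_LIFETIME_S:
            findings.append("refresh interval is not shorter than the token lifetime")
    except ValueError:
        findings.append("refresh interval is not an integer")
    return findings


# Constructed sample environments, not taken from a real deployment.
WEAK = {"CYBERARK_API_BASE": "http://conjur.example.com", "CYBERARK_SSL_VERIFY": "False",
        "CYBERARK_CLIENT_CERT": "/etc/litellm/client.pem", "CYBERARK_USERNAME": "svc",
        "CYBERARK_REFRESH_INTERVAL": "600"}
HARDENED = {"CYBERARK_API_BASE": "https://conjur.example.com",
            "CYBERARK_USERNAME": "host/litellm-proxy", "CYBERARK_API_KEY": "placeholder"}

if __name__ == "__main__":
    for name, env in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cyberark_env(env))
```

Passing os.environ runs the same checks against the live process environment.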

I/O Contract

Inputs (async_read_secret)

| Parameter | Type | Description |
|---|---|---|
| secret_name | str | Variable name/path in Conjur (will be URL-encoded) |
| optional_params | Optional[dict] | Additional parameters (not used by Conjur) |
| timeout | Optional[Union[float, httpx.Timeout]] | Request timeout |

Outputs (async_read_secret)

| Return Type | Description |
|---|---|
| Optional[str] | The raw secret value text, or None if not found |

Usage Examples

import asyncio
import os

# Placeholder values for illustration; real deployments set these outside the source.
os.environ["CYBERARK_API_BASE"] = "https://conjur.example.com"
os.environ["CYBERARK_ACCOUNT"] = "myaccount"
os.environ["CYBERARK_USERNAME"] = "admin"
os.environ["CYBERARK_API_KEY"] = "my-api-key"

from litellm.secret_managers.cyberark_secret_manager import CyberArkSecretManager


async def main():
    manager = CyberArkSecretManager()

    # Read a secret
    api_key = await manager.async_read_secret("production/openai-api-key")

    # Write a secret (creates policy entry if needed)
    result = await manager.async_write_secret(
        secret_name="production/new-key",
        secret_value="sk-abc123",
    )

    # Delete is not supported by Conjur API
    result = await manager.async_delete_secret("production/old-key")
    # Returns: {"status": "not_supported", "message": "..."}


# The async methods must run inside an event loop
asyncio.run(main())
