Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:BerriAI Litellm AWS Secret Manager

From Leeroopedia
Revision as of 12:08, 16 February 2026 by Admin (talk | contribs) (Auto-imported from implementations/BerriAI_Litellm_AWS_Secret_Manager.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Attribute Value
Sources litellm/secret_managers/aws_secret_manager.py
Domains Secret Management, AWS, KMS, Encryption
last_updated 2026-02-15 16:00 GMT

Overview

The AWS Secret Manager module integrates AWS Key Management Service (KMS) for decrypting environment variables that are encrypted with AWS KMS, and provides initialization functions for the KMS client.

Description

This module provides two main components: (1) the load_aws_kms function, which initializes a boto3 KMS client and sets it as litellm.secret_manager_client for the proxy; and (2) the AWSKeyManagementService_V2 class, which provides a clean interface for decrypting KMS-encrypted values. The V2 class requires a valid LITELLM_LICENSE environment variable (enterprise feature). The decrypt_value method takes an environment variable name, retrieves its base64-encoded ciphertext (optionally stripping the aws_kms/ prefix), decodes and decrypts it via the KMS client, and returns the plaintext. The module also provides a decrypt_env_var function that scans all environment variables for KMS-encrypted values (those prefixed with litellm_secret_aws_kms_ or values starting with aws_kms/) and returns a dictionary of decrypted key-value pairs.

Usage

Import load_aws_kms to initialize KMS during proxy startup, or use AWSKeyManagementService_V2 and decrypt_env_var for enterprise KMS decryption of environment variables.

Code Reference

Source Location

litellm/secret_managers/aws_secret_manager.py

Functions

Function Signature Description
validate_environment def validate_environment() Raises ValueError if AWS_REGION_NAME is not in environment
load_aws_kms def load_aws_kms(use_aws_kms: Optional[bool]) Initializes boto3 KMS client and sets litellm.secret_manager_client
decrypt_env_var def decrypt_env_var() -> Dict[str, Any] Scans environment for KMS-encrypted values and returns decrypted key-value pairs

Class: AWSKeyManagementService_V2

class AWSKeyManagementService_V2:
    """V2 Clean Class for decrypting keys from AWS KeyManagementService"""

    def __init__(self) -> None:
    def validate_environment(self):
    def load_aws_kms(self, use_aws_kms: Optional[bool]):
    def decrypt_value(self, secret_name: str) -> Any:

Import

from litellm.secret_managers.aws_secret_manager import (
    load_aws_kms,
    AWSKeyManagementService_V2,
    decrypt_env_var,
    validate_environment,
)

I/O Contract

Inputs (decrypt_value)

Parameter Type Description
secret_name str Name of the environment variable containing the KMS-encrypted value

Outputs (decrypt_value)

Return Type Description
Any Decrypted plaintext string, or bool if the decrypted value is a boolean literal

Inputs (decrypt_env_var)

No parameters required. Scans os.environ automatically.

Outputs (decrypt_env_var)

Return Type Description
Dict[str, Any] Dictionary of decrypted key-value pairs, with litellm_secret_aws_kms_ prefix stripped from keys

Usage Examples

# Initialize KMS client during proxy startup
from litellm.secret_managers.aws_secret_manager import load_aws_kms

load_aws_kms(use_aws_kms=True)
# Sets litellm.secret_manager_client to a boto3 KMS client

# Decrypt all KMS-encrypted environment variables (enterprise feature)
from litellm.secret_managers.aws_secret_manager import decrypt_env_var
import os

os.environ["LITELLM_SECRET_AWS_KMS_MY_API_KEY"] = "base64_encrypted_value"
decrypted = decrypt_env_var()
# Returns {"MY_API_KEY": "decrypted_plaintext"}

# Decrypt a single value
from litellm.secret_managers.aws_secret_manager import AWSKeyManagementService_V2

kms = AWSKeyManagementService_V2()
secret = kms.decrypt_value("LITELLM_SECRET_AWS_KMS_OPENAI_API_KEY")

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment