Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:BerriAI Litellm Secret Manager Main

From Leeroopedia
Revision as of 12:11, 16 February 2026 by Admin (talk | contribs) (Auto-imported from implementations/BerriAI_Litellm_Secret_Manager_Main.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Attribute Value
Sources litellm/secret_managers/main.py
Domains Secret Management, Configuration, OIDC, Environment Variables
last_updated 2026-02-15 16:00 GMT

Overview

The Secret Manager Main module is the central entry point for secret retrieval in LiteLLM, dispatching to the configured secret manager backend, OIDC token providers, or environment variables.

Description

This module provides the get_secret function and its typed wrappers (get_secret_str, get_secret_bool) that serve as the unified interface for retrieving secrets across the LiteLLM system. The retrieval logic follows this priority: (1) OIDC token providers (Google, CircleCI, GitHub, Azure, file-based, env-based) when the secret name starts with "oidc/"; (2) the configured secret manager client (AWS Secrets Manager, HashiCorp Vault, CyberArk, Google Secret Manager, Azure Key Vault, custom implementations) when _key_management_system is set and access mode allows reading; (3) fallback to os.environ if the secret manager fails or is not configured. The function also handles "os.environ/" prefix stripping, boolean value parsing via ast.literal_eval, and OIDC token caching via a DualCache instance. The helper _should_read_secret_from_secret_manager checks whether the secret manager is configured with read_only or read_and_write access mode.

Usage

Import get_secret (or get_secret_str / get_secret_bool) anywhere in LiteLLM where a configuration value or API key needs to be retrieved. This is the standard way to access secrets throughout the codebase.

Code Reference

Source Location

litellm/secret_managers/main.py

Functions

Function Signature Description
str_to_bool def str_to_bool(value: Optional[str]) -> Optional[bool] Converts "true"/"false" strings to booleans; returns None for other values
get_secret_str def get_secret_str(secret_name: str, default_value: Optional[Union[str, bool]] = None) -> Optional[str] Typed wrapper that guarantees a string or None return
get_secret_bool def get_secret_bool(secret_name: str, default_value: Optional[bool] = None) -> Optional[bool] Typed wrapper that guarantees a boolean or None return
get_secret def get_secret(secret_name: str, default_value: Optional[Union[str, bool]] = None) Main dispatcher: OIDC providers, secret manager client, or os.environ
_should_read_secret_from_secret_manager def _should_read_secret_from_secret_manager() -> bool Returns True if the secret manager is configured with read access

Module-Level Objects

oidc_cache = DualCache()  # Caches OIDC tokens

def _get_oidc_http_handler(timeout: Optional[httpx.Timeout] = None) -> HTTPHandler:
    """Factory function to create HTTPHandler for OIDC requests."""

Import

from litellm.secret_managers.main import get_secret, get_secret_str, get_secret_bool, str_to_bool

I/O Contract

Inputs (get_secret)

Parameter Type Description
secret_name str Name of the secret. Supports prefixes: "os.environ/" (stripped), "oidc/{provider}/{audience}"
default_value Optional[Union[str, bool]] Fallback value if the secret is not found and no error should be raised

Outputs (get_secret)

Return Type Description
Union[str, bool, None] The secret value as a string, boolean (if value is "true"/"false"), or None
Raises ValueError For OIDC provider failures or missing environment variables

Supported OIDC Providers

Provider Secret Name Format Description
google oidc/google/{audience} Google Compute Engine metadata identity token
circleci oidc/circleci/{audience} CircleCI OIDC token from CIRCLE_OIDC_TOKEN
circleci_v2 oidc/circleci_v2/{audience} CircleCI V2 OIDC token from CIRCLE_OIDC_TOKEN_V2
github oidc/github/{audience} GitHub Actions OIDC token
azure oidc/azure/{scope} Azure workload identity or AD token provider
file oidc/file/{path} Token read from a file path
env oidc/env/{var_name} Token from an environment variable
env_path oidc/env_path/{var_name} Token from a file path stored in an environment variable

Usage Examples

from litellm.secret_managers.main import get_secret, get_secret_str, get_secret_bool

# Simple environment variable lookup
api_key = get_secret("OPENAI_API_KEY")

# With os.environ/ prefix (stripped automatically)
api_key = get_secret("os.environ/OPENAI_API_KEY")

# With default value
debug_mode = get_secret("DEBUG_MODE", default_value="false")

# Typed string retrieval
api_key: str = get_secret_str("OPENAI_API_KEY")

# Typed boolean retrieval
is_debug: bool = get_secret_bool("LITELLM_DEBUG", default_value=False)

# OIDC token for Google
token = get_secret("oidc/google/https://bedrock-runtime.us-east-1.amazonaws.com")

# OIDC token for GitHub Actions
token = get_secret("oidc/github/sts.amazonaws.com")

# Secret from configured secret manager (e.g., AWS Secrets Manager)
# Automatically delegates when litellm._key_management_system is set
db_password = get_secret("DATABASE_PASSWORD")

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment