From 8c5ec718fa8ce28d8f4806bf6a52f14244f0d83b Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 10 Mar 2026 19:00:01 -0600 Subject: [PATCH 01/13] DOC-2043 Document AI gateway cloud secret store integration --- modules/ROOT/nav.adoc | 1 + .../ai-gateway/admin/secret-management.adoc | 72 +++++++++++++++++++ .../pages/ai-gateway/admin/setup-guide.adoc | 2 +- .../partials/ai-hub/configure-ai-hub.adoc | 4 +- modules/security/pages/secrets.adoc | 25 +++++++ 5 files changed, 101 insertions(+), 3 deletions(-) create mode 100644 modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 60e12bcec..4cd5b39a9 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -69,6 +69,7 @@ *** xref:ai-agents:ai-gateway/gateway-architecture.adoc[Architecture] *** For Administrators **** xref:ai-agents:ai-gateway/admin/setup-guide.adoc[Setup Guide] +**** xref:ai-agents:ai-gateway/admin/secret-management.adoc[Secret Management] *** For Builders **** xref:ai-agents:ai-gateway/builders/discover-gateways.adoc[Discover Gateways] **** xref:ai-agents:ai-gateway/builders/connect-your-agent.adoc[Connect Your Agent] diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc new file mode 100644 index 000000000..5a0326ed0 --- /dev/null +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc 
@@ -0,0 +1,72 @@ += AI Gateway Secret Management +:description: Understand how AI Gateway stores provider API keys in the Secrets Store and how to view, rotate, and manage them. +:page-topic-type: how-to +:personas: platform_admin +:learning-objective-1: Understand how AI Gateway secrets are stored in the Secrets Store +:learning-objective-2: View AI Gateway secrets in the Secrets Store UI +:learning-objective-3: Rotate provider API keys + +include::ai-agents:partial$adp-la.adoc[] + +When you add a provider API key through the AI Gateway configuration UI, the key is automatically stored in the xref:security:secrets.adoc[Secrets Store]. Unlike Redpanda Connect or MCP Server secrets, which you create manually, AI Gateway secrets are created and managed for you. + +== How AI Gateway secrets work + +AI Gateway integrates with the Secrets Store to manage provider API keys securely: + +* When you add an API key to a provider configuration, AI Gateway automatically creates a corresponding secret in the Secrets Store. +* These secrets are labeled *managed by AI gateway* in the Secrets Store UI. +* Secrets are backed by https://aws.amazon.com/secrets-manager/[AWS Secrets Manager^] or https://cloud.google.com/secret-manager[GCP Secret Manager^] and never leave the data plane. +* At runtime, the gateway reads provider credentials directly from the Secret Store. + +AI Gateway secrets are *read-only* in the Secrets Store UI. To create, rotate, or delete provider API keys, use the AI Gateway provider configuration UI. + +== View AI Gateway secrets + +To see the secrets that AI Gateway has created: + +. In the Redpanda Cloud Console, navigate to *Security* → *Secrets*. +. Look for secrets with the *AI Gateway* scope label. ++ +These secrets are labeled *managed by AI gateway* to distinguish them from secrets created manually for other services. + +You can view secret metadata (name, scope, creation date) but cannot edit values directly. 
To manage these secrets, use the provider configuration in *Agentic* → *AI Gateway* → *Providers*. + +== Rotate provider API keys + +When you rotate a provider API key through the AI Gateway provider configuration UI, the corresponding Secret Store entry is automatically updated. + +To rotate credentials without downtime: + +. Navigate to *Agentic* → *AI Gateway* → *Providers* and select the provider. +. Add a new API key (don't remove the old one yet). +. Wait for the new key to propagate (approximately 5 minutes). +. Verify the new key works by sending a test request through the gateway. +. Remove the old API key. + +Each provider configuration supports multiple API keys. AI Gateway automatically load-balances across them, which allows zero-downtime rotation. For more details, see the credential rotation steps in xref:ai-gateway/admin/setup-guide.adoc[]. + +== Secret scopes + +The Secrets Store organizes secrets by scope. Each scope corresponds to a different Redpanda Cloud service: + +[cols="1,2,1"] +|=== +| Scope | Description | Management + +| Redpanda Connect +| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. +| Manual (xref:develop:connect/configuration/secret-management.adoc[]) + +| Redpanda Cluster +| Secrets used by the Redpanda cluster, such as Schema Registry credentials. +| Manual + +| MCP Server +| Secrets used by remote MCP server configurations. +| Manual + +| AI Gateway +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled *managed by AI gateway*. +| Automatic (managed through provider configuration UI) +|=== diff --git a/modules/ai-agents/pages/ai-gateway/admin/setup-guide.adoc b/modules/ai-agents/pages/ai-gateway/admin/setup-guide.adoc index 15acbcd86..ca1ba07d4 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/setup-guide.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/setup-guide.adoc 
@@ -31,7 +31,7 @@ Providers represent upstream services (Anthropic, OpenAI, Google AI) and associa . On the Configuration tab for the provider, click *Add configuration*. . Enter your API Key for the provider. + -TIP: Store provider API keys securely. Each provider configuration can have multiple API keys for rotation and redundancy. +NOTE: Provider API keys are automatically stored in the xref:security:secrets.adoc[Secrets Store] when you save the configuration. Each provider configuration supports multiple API keys for rotation and redundancy. For details, see xref:ai-gateway/admin/secret-management.adoc[]. . Click *Save* to enable the provider. diff --git a/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc b/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc index 328e2f8cc..43f9526ba 100644 --- a/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc +++ b/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc @@ -222,7 +222,7 @@ curl https://api.redpanda.com/v1/gateways/${GATEWAY_ID}/ai-hub/preferences \ == Manage provider credentials -AI Hub gateways require provider credentials to route requests. Credentials are stored encrypted and shared across all gateways in your workspace. +AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] (backed by AWS Secrets Manager or GCP Secret Manager) and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[]. === Add OpenAI credentials 
@@ -265,7 +265,7 @@ To rotate credentials without downtime: . Test with a sample request to verify the new key works. . Delete the old API key. -AI Gateway automatically load-balances across multiple API keys if you configure more than one per provider. +When you rotate credentials, the corresponding entry in the Secrets Store is automatically updated. AI Gateway automatically load-balances across multiple API keys if you configure more than one per provider. === Verify credentials diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 01295ed8d..0d3914c2b 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc @@ -12,3 +12,28 @@ https://cloud.google.com/secret-manager[GCP Secret Manager^] services. Static secrets managed through Redpanda Console never leave their corresponding data plane account or network. They stay securely stored in AWS Secrets Manager or GCP Secret Manager. + +== Secret scopes + +The Secret Store organizes secrets by scope. Each scope corresponds to a Redpanda Cloud service that uses secrets: + +[cols="1,2,1"] +|=== +| Scope | Description | Management + +| Redpanda Connect +| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. +| xref:develop:connect/configuration/secret-management.adoc[Manual] + +| Redpanda Cluster +| Secrets used by the Redpanda cluster, such as Schema Registry credentials. +| Manual + +| MCP Server +| Secrets used by remote MCP server configurations. +| Manual + +| AI Gateway +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled *managed by AI gateway* in the Secret Store. +| xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] +|=== From 12b7fd576f75434f2a818edadf7ea777fca82b16 Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Tue, 10 Mar 2026 19:26:26 -0600 Subject: [PATCH 02/13] Update AI Gateway secret management docs with review feedback - Use correct UI flow for adding API keys (Providers > Configuration > Add Configuration) - Label is managed-by:aigateway, not "managed by AI gateway" - Secrets are editable in the Secrets Store (value, scopes, tags) - Add "Edit AI Gateway secrets" section - Remove hardcoded Security nav path for Secrets Store - Remove AWS/GCP Secret Manager parenthetical from AI Hub config Co-Authored-By: Claude Opus 4.6 --- .../ai-gateway/admin/secret-management.adoc | 42 +++++++++++++------ .../partials/ai-hub/configure-ai-hub.adoc | 2 +- modules/security/pages/secrets.adoc | 2 +- 3 files changed, 32 insertions(+), 14 deletions(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 5a0326ed0..02b8ce94c 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc 
@@ -14,32 +14,50 @@ When you add a provider API key through the AI Gateway configuration UI, the key AI Gateway integrates with the Secrets Store to manage provider API keys securely: -* When you add an API key to a provider configuration, AI Gateway automatically creates a corresponding secret in the Secrets Store. -* These secrets are labeled *managed by AI gateway* in the Secrets Store UI. -* Secrets are backed by https://aws.amazon.com/secrets-manager/[AWS Secrets Manager^] or https://cloud.google.com/secret-manager[GCP Secret Manager^] and never leave the data plane. -* At runtime, the gateway reads provider credentials directly from the Secret Store. +* When you add an API key to an LLM provider (through *Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. +* These secrets are labeled `managed-by:aigateway` in the Secrets Store. +* Secrets are backed by the LLM provider's secret manager and never leave the data plane. +* At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. -AI Gateway secrets are *read-only* in the Secrets Store UI. To create, rotate, or delete provider API keys, use the AI Gateway provider configuration UI. +You can also edit AI Gateway secrets directly in the Secrets Store. The secret ID cannot be changed, but you can update the secret value, scopes, and tags. + +TIP: To create or delete provider API keys, use the AI Gateway provider configuration UI (*Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration*). To update an existing secret's value, scopes, or tags, you can use either the provider configuration UI or the Secrets Store directly. == View AI Gateway secrets To see the secrets that AI Gateway has created: -. In the Redpanda Cloud Console, navigate to *Security* → *Secrets*. +. In the Redpanda Cloud Console, open the *Secrets Store*. . 
Look for secrets with the *AI Gateway* scope label. + -These secrets are labeled *managed by AI gateway* to distinguish them from secrets created manually for other services. +These secrets are labeled `managed-by:aigateway` to distinguish them from secrets created manually for other services. + +== Edit AI Gateway secrets + +You can edit an AI Gateway secret directly in the Secrets Store: + +. Open the *Secrets Store*. +. Select the secret you want to update. +. Update any of the following fields: ++ +-- +* *Value*: The API key value. Leave empty to keep the existing value. +* *Scopes*: The resources that can access this secret. +* *Tags*: Key-value pairs for organizing and categorizing secrets. +-- ++ +The *ID* field (the secret identifier) cannot be changed. -You can view secret metadata (name, scope, creation date) but cannot edit values directly. To manage these secrets, use the provider configuration in *Agentic* → *AI Gateway* → *Providers*. +. Click *Save*. == Rotate provider API keys -When you rotate a provider API key through the AI Gateway provider configuration UI, the corresponding Secret Store entry is automatically updated. +When you rotate a provider API key through the provider's *Configuration* tab, the corresponding Secrets Store entry is automatically updated. To rotate credentials without downtime: -. Navigate to *Agentic* → *AI Gateway* → *Providers* and select the provider. -. Add a new API key (don't remove the old one yet). +. Navigate to *Agentic* → *AI Gateway* → *Providers*, select the provider, and click *Configuration*. +. Click *Add Configuration* to add a new API key (don't remove the old one yet). . Wait for the new key to propagate (approximately 5 minutes). . Verify the new key works by sending a test request through the gateway. . Remove the old API key. 
@@ -67,6 +85,6 @@ The Secrets Store organizes secrets by scope. Each scope corresponds to a differ | Manual | AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled *managed by AI gateway*. +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway`. | Automatic (managed through provider configuration UI) |=== diff --git a/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc b/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc index 43f9526ba..291263a02 100644 --- a/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc +++ b/modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc @@ -222,7 +222,7 @@ curl https://api.redpanda.com/v1/gateways/${GATEWAY_ID}/ai-hub/preferences \ == Manage provider credentials -AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] (backed by AWS Secrets Manager or GCP Secret Manager) and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[]. +AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[]. === Add OpenAI credentials diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 0d3914c2b..0404117d5 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc 
@@ -34,6 +34,6 @@ The Secret Store organizes secrets by scope. Each scope corresponds to a Redpand | Manual | AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled *managed by AI gateway* in the Secret Store. +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway` in the Secrets Store. | xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] |=== From ed1b5499388e20842d074e00ecb04b68eb2b79c3 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 10 Mar 2026 19:35:12 -0600 Subject: [PATCH 03/13] Update secret scopes to match UI - Add AI Agent scope - Rename "Redpanda Cluster" to "Cluster" - Reorder scopes to match UI: AI Gateway, MCP Server, AI Agent, Cluster, Redpanda Connect Co-Authored-By: Claude Opus 4.6 --- .../ai-gateway/admin/secret-management.adoc | 24 +++++++++++-------- modules/security/pages/secrets.adoc | 24 +++++++++++-------- 2 files changed, 28 insertions(+), 20 deletions(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 02b8ce94c..7c45c68ee 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc 
@@ -72,19 +72,23 @@ The Secrets Store organizes secrets by scope. Each scope corresponds to a differ |=== | Scope | Description | Management -| Redpanda Connect -| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. -| Manual (xref:develop:connect/configuration/secret-management.adoc[]) - -| Redpanda Cluster -| Secrets used by the Redpanda cluster, such as Schema Registry credentials. -| Manual +| AI Gateway +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway`. +| Automatic (managed through provider configuration UI) | MCP Server | Secrets used by remote MCP server configurations. | Manual -| AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway`. -| Automatic (managed through provider configuration UI) +| AI Agent +| Secrets used by AI agent configurations. +| Manual + +| Cluster +| Secrets used by the Redpanda cluster, such as Schema Registry credentials. +| Manual + +| Redpanda Connect +| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. +| Manual (xref:develop:connect/configuration/secret-management.adoc[]) |=== diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 0404117d5..62cab810e 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc 
@@ -21,19 +21,23 @@ The Secret Store organizes secrets by scope. Each scope corresponds to a Redpand |=== | Scope | Description | Management -| Redpanda Connect -| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. -| xref:develop:connect/configuration/secret-management.adoc[Manual] - -| Redpanda Cluster -| Secrets used by the Redpanda cluster, such as Schema Registry credentials. -| Manual +| AI Gateway +| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway` in the Secrets Store. +| xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] | MCP Server | Secrets used by remote MCP server configurations. | Manual -| AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway` in the Secrets Store. -| xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] +| AI Agent +| Secrets used by AI agent configurations. +| Manual + +| Cluster +| Secrets used by the Redpanda cluster, such as Schema Registry credentials. +| Manual + +| Redpanda Connect +| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. +| xref:develop:connect/configuration/secret-management.adoc[Manual] |=== From 2b8f891a64b455a66f9a3f436dbf495ee3a5384e Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 10 Mar 2026 19:48:19 -0600 Subject: [PATCH 04/13] minor edits --- modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc | 2 +- modules/security/pages/secrets.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 7c45c68ee..6f8b97391 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc 
@@ -14,7 +14,7 @@ When you add a provider API key through the AI Gateway configuration UI, the key AI Gateway integrates with the Secrets Store to manage provider API keys securely: -* When you add an API key to an LLM provider (through *Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. +* When you add an API key to an LLM provider (through *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. * These secrets are labeled `managed-by:aigateway` in the Secrets Store. * Secrets are backed by the LLM provider's secret manager and never leave the data plane. * At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 62cab810e..3618b4869 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc @@ -15,7 +15,7 @@ GCP Secret Manager. == Secret scopes -The Secret Store organizes secrets by scope. Each scope corresponds to a Redpanda Cloud service that uses secrets: +The Secrets Store organizes secrets by scope. Each scope corresponds to a Redpanda Cloud service that uses secrets: [cols="1,2,1"] |=== From bba00aeeba14d57512364389be60a25cdfc0fd5d Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 10 Mar 2026 19:54:35 -0600 Subject: [PATCH 05/13] Remove duplicate secret scopes table from AI Gateway page Link to the secrets page instead of duplicating the scopes table. Co-Authored-By: Claude Opus 4.6 --- .../ai-gateway/admin/secret-management.adoc | 29 +------------------ 1 file changed, 1 insertion(+), 28 deletions(-) 
diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 6f8b97391..fc5863a5b 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -64,31 +64,4 @@ To rotate credentials without downtime: Each provider configuration supports multiple API keys. AI Gateway automatically load-balances across them, which allows zero-downtime rotation. For more details, see the credential rotation steps in xref:ai-gateway/admin/setup-guide.adoc[]. -== Secret scopes - -The Secrets Store organizes secrets by scope. Each scope corresponds to a different Redpanda Cloud service: - -[cols="1,2,1"] -|=== -| Scope | Description | Management - -| AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway`. -| Automatic (managed through provider configuration UI) - -| MCP Server -| Secrets used by remote MCP server configurations. -| Manual - -| AI Agent -| Secrets used by AI agent configurations. -| Manual - -| Cluster -| Secrets used by the Redpanda cluster, such as Schema Registry credentials. -| Manual - -| Redpanda Connect -| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. -| Manual (xref:develop:connect/configuration/secret-management.adoc[]) -|=== +For an overview of all secret scopes in Redpanda Cloud, see xref:security:secrets.adoc[]. From 1cc2dd27df9ed1f89bd75a866b0fa0f8a8b91192 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Tue, 10 Mar 2026 20:00:33 -0600 Subject: [PATCH 06/13] coderabbit edits --- .../ai-agents/pages/ai-gateway/admin/secret-management.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index fc5863a5b..72074b30b 100644 
--- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -16,12 +16,12 @@ AI Gateway integrates with the Secrets Store to manage provider API keys securel * When you add an API key to an LLM provider (through *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. * These secrets are labeled `managed-by:aigateway` in the Secrets Store. -* Secrets are backed by the LLM provider's secret manager and never leave the data plane. +* Secrets are backed by the secret store used by the Redpanda Cloud data plane and never leave the data plane. * At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. You can also edit AI Gateway secrets directly in the Secrets Store. The secret ID cannot be changed, but you can update the secret value, scopes, and tags. -TIP: To create or delete provider API keys, use the AI Gateway provider configuration UI (*Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration*). To update an existing secret's value, scopes, or tags, you can use either the provider configuration UI or the Secrets Store directly. +TIP: To create or delete provider API keys, use the AI Gateway provider configuration UI (*Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration*). To update an existing secret's value, scopes, or tags, go to the Secrets Store. == View AI Gateway secrets From a536c61b7defd580b286cf5ea814fc7bb143f9a4 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 11 Mar 2026 08:43:52 -0600 Subject: [PATCH 07/13] incorporating review feedback --- .../ai-agents/pages/ai-gateway/admin/secret-management.adoc | 3 +-- modules/security/pages/secrets.adoc | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 72074b30b..6f886ab74 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -8,14 +8,13 @@ include::ai-agents:partial$adp-la.adoc[] -When you add a provider API key through the AI Gateway configuration UI, the key is automatically stored in the xref:security:secrets.adoc[Secrets Store]. Unlike Redpanda Connect or MCP Server secrets, which you create manually, AI Gateway secrets are created and managed for you. +When you add a provider API key through the AI Gateway configuration UI, the key is automatically stored in the xref:security:secrets.adoc[Secrets Store]. == How AI Gateway secrets work AI Gateway integrates with the Secrets Store to manage provider API keys securely: * When you add an API key to an LLM provider (through *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. -* These secrets are labeled `managed-by:aigateway` in the Secrets Store. * Secrets are backed by the secret store used by the Redpanda Cloud data plane and never leave the data plane. * At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 3618b4869..ab0f73b5f 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc 
@@ -22,7 +22,7 @@ The Secrets Store organizes secrets by scope. Each scope corresponds to a Redpan | Scope | Description | Management | AI Gateway -| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway` in the Secrets Store. +| Secrets used by the AI Gateway for authentication and integration. | xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] | MCP Server @@ -40,4 +40,4 @@ The Secrets Store organizes secrets by scope. Each scope corresponds to a Redpan | Redpanda Connect | Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. | xref:develop:connect/configuration/secret-management.adoc[Manual] -|=== +|=== \ No newline at end of file From 2f3d7d3decea47c31bbf7234d9e4442dd3dc5609 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Wed, 11 Mar 2026 13:52:00 -0600 Subject: [PATCH 08/13] Update modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 6f886ab74..0bb756526 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -1,5 +1,5 @@ = AI Gateway Secret Management -:description: Understand how AI Gateway stores provider API keys in the Secrets Store and how to view, rotate, and manage them. +:description: Describes how AI Gateway stores provider API keys in the Secrets Store and how to view, rotate, and manage them. :page-topic-type: how-to :personas: platform_admin :learning-objective-1: Understand how AI Gateway secrets are stored in the Secrets Store From f6de51f8e388b0a054de7eecd590bf28c60c5a2b Mon Sep 17 00:00:00 2001 
From: Michele Cyran Date: Wed, 11 Mar 2026 13:52:15 -0600 Subject: [PATCH 09/13] Update modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 0bb756526..5236a3c53 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -45,7 +45,7 @@ You can edit an AI Gateway secret directly in the Secrets Store: * *Tags*: Key-value pairs for organizing and categorizing secrets. -- + -The *ID* field (the secret identifier) cannot be changed. +You cannot edit the *ID* field (the secret identifier). . Click *Save*. From 598e819a606e0921d916489329cd9555f89e880e Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 11 Mar 2026 13:56:42 -0600 Subject: [PATCH 10/13] remove Secret scopes table for now --- modules/security/pages/secrets.adoc | 31 +---------------------------- 1 file changed, 1 insertion(+), 30 deletions(-) diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index ab0f73b5f..587c09e85 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc 
@@ -11,33 +11,4 @@ https://aws.amazon.com/secrets-manager/[AWS Secrets Manager^] or https://cloud.google.com/secret-manager[GCP Secret Manager^] services. Static secrets managed through Redpanda Console never leave their corresponding data plane account or network. They stay securely stored in AWS Secrets Manager or -GCP Secret Manager. - -== Secret scopes - -The Secrets Store organizes secrets by scope. Each scope corresponds to a Redpanda Cloud service that uses secrets: - -[cols="1,2,1"] -|=== -| Scope | Description | Management - -| AI Gateway -| Secrets used by the AI Gateway for authentication and integration. -| xref:ai-agents:ai-gateway/admin/secret-management.adoc[Automatic] - -| MCP Server -| Secrets used by remote MCP server configurations. -| Manual - -| AI Agent -| Secrets used by AI agent configurations. -| Manual - -| Cluster -| Secrets used by the Redpanda cluster, such as Schema Registry credentials. -| Manual - -| Redpanda Connect -| Secrets referenced in pipeline configurations using the `$\{!secrets.}` interpolation syntax. -| xref:develop:connect/configuration/secret-management.adoc[Manual] -|=== \ No newline at end of file +GCP Secret Manager. \ No newline at end of file From 33b425466c22c0c6a1cf5c62ce49916bb2d3d3b7 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 11 Mar 2026 13:59:42 -0600 Subject: [PATCH 11/13] Secrets Store capitalized --- modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 5236a3c53..0d62268a8 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc 
@@ -15,7 +15,7 @@ When you add a provider API key through the AI Gateway configuration UI, the key AI Gateway integrates with the Secrets Store to manage provider API keys securely: * When you add an API key to an LLM provider (through *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. -* Secrets are backed by the secret store used by the Redpanda Cloud data plane and never leave the data plane. +* Secrets are backed by the Secrets Store used by the Redpanda Cloud data plane and never leave the data plane. * At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. You can also edit AI Gateway secrets directly in the Secrets Store. The secret ID cannot be changed, but you can update the secret value, scopes, and tags. From 3a79d7dce81573b01ec3d86e48b3b0a774f11ac6 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 12 Mar 2026 22:00:58 -0600 Subject: [PATCH 12/13] minor edit --- modules/security/pages/secrets.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/security/pages/secrets.adoc b/modules/security/pages/secrets.adoc index 587c09e85..4dfe340e2 100644 --- a/modules/security/pages/secrets.adoc +++ b/modules/security/pages/secrets.adoc @@ -10,5 +10,4 @@ Redpanda Cloud also uses _static secrets_, stored in either the https://aws.amazon.com/secrets-manager/[AWS Secrets Manager^] or https://cloud.google.com/secret-manager[GCP Secret Manager^] services. Static secrets managed through Redpanda Console never leave their corresponding -data plane account or network. They stay securely stored in AWS Secrets Manager or -GCP Secret Manager. \ No newline at end of file +data plane account or network. They stay securely stored in AWS Secrets Manager or GCP Secret Manager. \ No newline at end of file From 590fc19e8c853e15f89886b5a51d093e2bb4acbf Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 12 Mar 2026 22:08:43 -0600 Subject: [PATCH 13/13] removed rotate secrets section --- .../ai-gateway/admin/secret-management.adoc | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc index 0d62268a8..d517b286d 100644 --- a/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc +++ b/modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc @@ -48,19 +48,3 @@ You can edit an AI Gateway secret directly in the Secrets Store: You cannot edit the *ID* field (the secret identifier). . Click *Save*. - -== Rotate provider API keys - -When you rotate a provider API key through the provider's *Configuration* tab, the corresponding Secrets Store entry is automatically updated. - -To rotate credentials without downtime: - -. Navigate to *Agentic* → *AI Gateway* → *Providers*, select the provider, and click *Configuration*. -. Click *Add Configuration* to add a new API key (don't remove the old one yet). -. Wait for the new key to propagate (approximately 5 minutes). -. Verify the new key works by sending a test request through the gateway. -. Remove the old API key. - -Each provider configuration supports multiple API keys. AI Gateway automatically load-balances across them, which allows zero-downtime rotation. For more details, see the credential rotation steps in xref:ai-gateway/admin/setup-guide.adoc[]. - -For an overview of all secret scopes in Redpanda Cloud, see xref:security:secrets.adoc[].
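Review bot: In PATCH 09/13, the replacement line "You cannot edit the *ID* field (the secret identifier)." moves to active voice, but the introductory sentence of the same page still uses the passive form. It is visible as context in PATCH 11/13: "The secret ID cannot be changed, but you can update the secret value, scopes, and tags." Suggest rewording that sentence in the same change, for example "You cannot change the secret ID, but you can update the secret value, scopes, and tags.", so the two statements of the same restriction read alike.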
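Review bot: In PATCH 10/13, removing the whole "== Secret scopes" section leaves secrets.adoc with no description of what a scope is, while secret-management.adoc still tells administrators they can change one (the PATCH 11/13 context line says "you can update the secret value, scopes, and tags"). Someone editing the scopes of a provider API key then has nothing to check the choice against. At this point in the series the AI Gateway page also still ends with "For an overview of all secret scopes in Redpanda Cloud, see xref:security:secrets.adoc[]", which points at the section being deleted until PATCH 13/13 drops it. Since the subject says "for now", suggest keeping the sentence "The Secrets Store organizes secrets by scope." with a plain list of the scope names, or naming the follow-up ticket in the commit message.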
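Review bot: In PATCH 11/13, capitalizing the second bullet makes it circular: "Secrets are backed by the Secrets Store used by the Redpanda Cloud data plane" now says that Secrets Store entries are backed by the Secrets Store. The lowercase "secret store" read as the underlying cloud service, which is the fact an administrator needs in order to know where provider keys are held. Suggest naming the backing services the way secrets.adoc does in this series ("AWS Secrets Manager or GCP Secret Manager"), and keeping the capitalized term only where the Redpanda Cloud feature is meant, as in the first and third bullets.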
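Review bot: In PATCH 12/13, the joined line "data plane account or network. They stay securely stored in AWS Secrets Manager or GCP Secret Manager." is left unwrapped while the context lines above it in the same paragraph are still hard-wrapped, so the paragraph now mixes two wrapping styles. Either re-wrap the new line to match or unwrap the whole paragraph. The hunk also keeps "\ No newline at end of file" on the added line; adding the trailing newline here would stop that marker from reappearing in later diffs of secrets.adoc.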
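Review bot: In PATCH 13/13, deleting "== Rotate provider API keys" leaves the page header out of step with its content if the attributes set in PATCH 01/13 are unchanged: ":learning-objective-3: Rotate provider API keys" and the ":description:" text "how to view, rotate, and manage them" still promise rotation guidance. Suggest updating or removing those attributes in this commit. The removal also drops the page's only pointer to the rotation procedure ("see the credential rotation steps in xref:ai-gateway/admin/setup-guide.adoc[]") along with the advice to add the new key before removing the old one. If the setup guide remains the source for rotation, a one-line cross-reference after the edit steps would keep it discoverable, and the page should say whether updating the secret value directly in the Secrets Store is a supported way to rotate a provider key.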