DOC-2043 Document AI gateway cloud secret store integration #520
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| = AI Gateway Secret Management | ||
| :description: Describes how AI Gateway stores provider API keys in the Secrets Store and how to view, rotate, and manage them. | ||
| :page-topic-type: how-to | ||
| :personas: platform_admin | ||
| :learning-objective-1: Understand how AI Gateway secrets are stored in the Secrets Store | ||
| :learning-objective-2: View AI Gateway secrets in the Secrets Store UI | ||
| :learning-objective-3: Rotate provider API keys | ||
|
|
||
| include::ai-agents:partial$adp-la.adoc[] | ||
|
|
||
| When you add a provider API key through the AI Gateway configuration UI, the key is automatically stored in the xref:security:secrets.adoc[Secrets Store]. | ||
|
|
||
| == How AI Gateway secrets work | ||
|
|
||
| AI Gateway integrates with the Secrets Store to manage provider API keys securely: | ||
|
|
||
| * When you add an API key to an LLM provider (through *AI Gateway* → *Providers* → select a provider → *Configuration* → *Add Configuration*), AI Gateway automatically creates a corresponding secret in the Secrets Store. | ||
| * Secrets are backed by the Secrets Store used by the Redpanda Cloud data plane and never leave the data plane. | ||
| * At runtime, the AI Gateway reads provider credentials directly from the Secrets Store. | ||
coderabbitai[bot] marked this conversation as resolved.
|
||
|
|
||
| You can also edit AI Gateway secrets directly in the Secrets Store. The secret ID cannot be changed, but you can update the secret value, scopes, and tags. | ||
|
|
||
| TIP: To create or delete provider API keys, use the AI Gateway provider configuration UI (*Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration*). To update an existing secret's value, scopes, or tags, go to the Secrets Store. | ||
|
|
||
|
Contributor
Are there any prereqs or limitations?
||
| == View AI Gateway secrets | ||
|
|
||
| To see the secrets that AI Gateway has created: | ||
|
|
||
| . In the Redpanda Cloud Console, open the *Secrets Store*. | ||
| . Look for secrets with the *AI Gateway* scope label. | ||
| + | ||
| These secrets are labeled `managed-by:aigateway` to distinguish them from secrets created manually for other services. | ||
|
|
||
| == Edit AI Gateway secrets | ||
|
|
||
| You can edit an AI Gateway secret directly in the Secrets Store: | ||
|
|
||
| . Open the *Secrets Store*. | ||
| . Select the secret you want to update. | ||
| . Update any of the following fields: | ||
| + | ||
| -- | ||
| * *Value*: The API key value. Leave empty to keep the existing value. | ||
| * *Scopes*: The resources that can access this secret. | ||
| * *Tags*: Key-value pairs for organizing and categorizing secrets. | ||
| -- | ||
| + | ||
| You cannot edit the *ID* field (the secret identifier). | ||
|
|
||
| . Click *Save*. | ||
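Review bot: The "View AI Gateway secrets" steps identify the secrets two different ways: step 2 says to look for the *AI Gateway* scope label, while the continuation line says they are labeled `managed-by:aigateway`, and the Edit section lists *Scopes* and *Tags* as separate fields. State whether `managed-by:aigateway` is a tag or a scope, and because *Scopes* is described as "the resources that can access this secret", add a sentence to the Edit steps on what happens to the gateway if its scope is removed. Two smaller points: `:learning-objective-3:` is "Rotate provider API keys" but the sections shown cover only viewing and editing, and the UI path is *AI Gateway* → *Providers* in the first bullet but *Agentic* → *AI Gateway* → *Providers* in the TIP.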
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -222,7 +222,7 @@ curl https://api.redpanda.com/v1/gateways/${GATEWAY_ID}/ai-hub/preferences \ | |
|
|
||
| == Manage provider credentials | ||
|
|
||
| AI Hub gateways require provider credentials to route requests. Credentials are stored encrypted and shared across all gateways in your workspace. | ||
| AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[]. | ||
|
oh wow, what is this? AI hub does not even exist right now 🤔
Contributor
Author
AI Hub content is a WIP, initial stuff from Camilo when we thought it might make it in Package 1. It's in a partial: none of the files in the partials folder render in our docs.
||
|
|
||
| === Add OpenAI credentials | ||
|
|
||
|
|
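Review bot: The replacement sentence under "Manage provider credentials" drops the statement that credentials are "stored encrypted" and keeps "shared across all gateways in your workspace". If encryption at rest still applies, keep that wording or confirm the linked Secrets Store page states it, and reconcile "shared across all gateways" with the new secret-management page, which describes a secret's *Scopes* as the resources that can access it. The paragraph also says "AI Hub gateways" while the sentence added to it refers to AI Gateway, so the product name should be made consistent.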
@@ -265,7 +265,7 @@ To rotate credentials without downtime: | |
| . Test with a sample request to verify the new key works. | ||
| . Delete the old API key. | ||
|
|
||
| AI Gateway automatically load-balances across multiple API keys if you configure more than one per provider. | ||
| When you rotate credentials, the corresponding entry in the Secrets Store is automatically updated. AI Gateway automatically load-balances across multiple API keys if you configure more than one per provider. | ||
|
|
||
| === Verify credentials | ||
|
|
||
|
|
||
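Review bot: The added sentence "the corresponding entry in the Secrets Store is automatically updated" does not say what happens to secrets during the rotation steps just above it, which end with "Delete the old API key". The new secret-management page says adding an API key creates a corresponding secret, so spell out whether rotation creates a second secret and removes the old one on delete, or updates one secret in place, and whether editing the *Value* in the Secrets Store is a supported way to rotate. "Automatically" now appears in two consecutive sentences; drop one.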
When and why would you need to use this--what is the benefit? Need a brief "benefit of using this" statement.