2 points by m-hodges 6 hours ago | 2 comments
  • kageiit 6 hours ago
    We built our own harness from the ground up to account for this.

    Secrets come from AWS Secrets Manager and are never injected into env directly.

    Each part of the agentic workflow only gets the secrets it needs injected. The agent can see env var names but not the values (our harness masks them). We also mask any attempts to output to stdout/files.

    This keeps the agent architecture simple with env vars that all agents can operate on as if locally. Prompt injection attempts will only yield masked values.

    Has been working well for us so far.
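
A sketch of the pattern described in the comment above, added here as an example and not kageiit's harness: each workflow step gets only its own secrets in a scoped environment, and captured output is masked before it is returned to the agent. The step names, `STEP_SCOPES`, and the secret values are constructed; in the described setup the values would come from AWS Secrets Manager.

```python
import os
import subprocess
import sys

MASK = "****"

# Constructed sample store; stands in for values fetched from a secrets manager.
ALL_SECRETS = {"DB_PASSWORD": "constructed-db-pass", "API_TOKEN": "constructed-api-token"}

# Hypothetical per-step allowlist: which secret names each workflow step may receive.
STEP_SCOPES = {"migrate": ["DB_PASSWORD"], "notify": ["API_TOKEN"]}


def secrets_for(step):
    """Return only the secrets the named step is allowed to see."""
    return {name: ALL_SECRETS[name] for name in STEP_SCOPES.get(step, [])}


def scoped_env(step_secrets):
    """Build a minimal child environment: PATH plus this step's secrets only."""
    env = {"PATH": os.environ.get("PATH", "")}
    env.update(step_secrets)
    return env


def mask(text, step_secrets):
    """Replace every injected secret value with MASK (longest value first,
    so a value that contains another one is still fully covered)."""
    for value in sorted(step_secrets.values(), key=len, reverse=True):
        if value:
            text = text.replace(value, MASK)
    return text


def run_step(step, argv):
    """Run a tool for one step and return (stdout, stderr) as the agent sees them."""
    step_secrets = secrets_for(step)
    proc = subprocess.run(argv, env=scoped_env(step_secrets),
                          capture_output=True, text=True, check=False)
    return mask(proc.stdout, step_secrets), mask(proc.stderr, step_secrets)


if __name__ == "__main__":
    # Constructed child command: prints a secret value and checks for an out-of-scope name.
    child = "import os; print(os.environ['DB_PASSWORD']); print('API_TOKEN' in os.environ)"
    out, _ = run_step("migrate", [sys.executable, "-c", child])
    print(out)
```

Masking here is an exact match on the raw value, so it works as a second layer behind the per-step scoping rather than as the primary control.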

  • whinvik 4 hours ago
    Curious if anyone has experimented with dotenvx - https://dotenvx.com/
    • m-hodges 4 hours ago
      What would stop the agent from writing+running its own script wrapped in `dotenvx run` to access the secrets?