Hacker News

hardsnow, today at 6:31 AM (4 replies)

An alternative, and more robust, approach is to give the agent surrogate credentials and replace them on the way out in a proxy. If the proxy runs in an environment to which the agent has no access, the real secrets are not available to it directly; it can only make requests to scoped hosts with those.

I’ve built this in Airut and so far it seems to handle all the common cases (GitHub, Anthropic / Google API keys, and even AWS, which requires slightly more work due to the request signing approach). Described in more detail here: https://github.com/airutorg/airut/blob/main/doc/network-sand...
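
The surrogate swap described in the comment above, as an added example that is not part of the original post and is not Airut's code: the proxy-side step that replaces a surrogate with the real secret only when the request is bound for a host that surrogate is scoped to. The vault layout, token values, header list and function names are assumptions made for this example, and it covers header-borne tokens only, not the AWS request re-signing case.

```python
"""Surrogate-credential swap at an egress proxy (constructed example)."""
from urllib.parse import urlsplit

# Held only by the proxy: surrogate -> (real secret, hosts it is scoped to).
# Every token value and host below is a placeholder constructed for this example.
VAULT = {
    "SURROGATE-GH-0001": ("REAL-GH-PLACEHOLDER", {"api.github.com"}),
    "SURROGATE-AI-0002": ("REAL-AI-PLACEHOLDER", {"api.anthropic.com"}),
}
# Headers in which a swap is allowed (an assumption of this example).
CRED_HEADERS = ("authorization", "x-api-key")


class Blocked(Exception):
    """Raised when a surrogate is sent toward a host outside its scope."""


def rewrite_outbound(url, headers):
    """Return a copy of `headers` with surrogates replaced by real secrets.

    The swap happens only when the destination host exactly matches one of
    the surrogate's scoped hosts. A surrogate bound for any other host is
    refused, so the real secret is never attached to an unscoped request.
    Surrogates outside credential headers are passed through unchanged.
    """
    # urlsplit().hostname ignores any userinfo ("scoped-host@other-host").
    host = (urlsplit(url).hostname or "").lower()
    out = {}
    for name, value in headers.items():
        if name.lower() in CRED_HEADERS:
            for surrogate, (real, hosts) in VAULT.items():
                if surrogate not in value:
                    continue
                if host not in hosts:  # exact match, no suffix matching
                    raise Blocked(f"{surrogate} is not scoped to {host!r}")
                value = value.replace(surrogate, real)
        out[name] = value
    return out
```
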


Replies

sesm, today at 11:13 AM

That's great for API credentials but some secrets are meant for local use, like encryption keys.

ctmnt, today at 4:33 PM

OP isn't talking about giving agents credentials, that's a whole nother can of worms. And yes, agreed, don't do it. Some kind of additional layer is crucial.

Personally I don't like the proxy / MITM approach for that, because you're adding an additional layer of surface area for problems to arise and attacks to occur. That code has to be written and maintained somewhere, and then you're back to the original problem.

NitpickLawyer, today at 7:22 AM

How does this work with SSL? Do you need to provision certs on the agent VM?

petesergeant, today at 11:17 AM

This is cool! Solving the same problem (authority delegation to resources like GitHub and Gmail) but in a slightly different way at https://agentblocks.ai