Crate llm_orchestrator_secrets


Secret management for LLM Orchestrator.

This crate provides secure secret storage and retrieval with support for:

  • HashiCorp Vault (KV v2)
  • AWS Secrets Manager
  • Environment variables (fallback)
  • In-memory caching with TTL

§Features

  • Multiple backends: Vault, AWS Secrets Manager, or environment variables
  • Automatic caching: Optional TTL-based caching to reduce backend calls
  • Secret rotation: Support for rotating secrets without downtime
  • Version management: Access historical versions of secrets (where supported)
  • Security: Zero secrets in logs, secure token handling

§Examples

§Using Environment Variables

use llm_orchestrator_secrets::{EnvSecretStore, SecretStore};

let store = EnvSecretStore::new();
let secret = store.get_secret("openai/api_key").await?;
// Reads from environment variable: OPENAI_API_KEY

§Using HashiCorp Vault

use llm_orchestrator_secrets::{VaultSecretStore, SecretStore};

let store = VaultSecretStore::new(
    "https://vault.example.com:8200".to_string(),
    "hvs.CAESIJ...".to_string(),
)?;

let secret = store.get_secret("database/password").await?;

§Using AWS Secrets Manager

use llm_orchestrator_secrets::{AwsSecretStore, SecretStore};
use aws_sdk_secretsmanager::config::Region;

let store = AwsSecretStore::new(Region::new("us-east-1")).await?;
let secret = store.get_secret("prod/api/key").await?;

§Using the Builder with Caching

use llm_orchestrator_secrets::{SecretManagerBuilder, SecretStoreType};
use chrono::Duration;

let store = SecretManagerBuilder::new(SecretStoreType::Environment)
    .with_cache(Duration::minutes(10))
    .build()
    .await?;

let secret = store.get_secret("api_key").await?;

§Security Best Practices

  1. Never log secret values: All implementations avoid logging sensitive data
  2. Use Vault or AWS in production: Environment variables are for development only
  3. Enable caching cautiously: Balance performance with security requirements
  4. Rotate secrets regularly: Use built-in rotation features
  5. Use least-privilege access: Limit secret access to what’s needed

§Performance Considerations

  • Caching: Reduces backend calls from ~100ms to <1ms for cached secrets
  • TTL: Default 5 minutes balances freshness with performance
  • Cleanup: Run cleanup_expired() periodically to prevent memory growth
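As an added example (not the crate's own code), here is how the caching, cleanup and zero-secrets-in-logs points above fit together: a TTL cache in front of a backend lookup, plus a secret wrapper whose Debug output is redacted. The `Secret`, `TtlCache` and `env_var_name` names are hypothetical, the path-to-variable rule is an assumption inferred from the `OPENAI_API_KEY` example, and the current time is passed in explicitly so expiry can be exercised without sleeping.

```rust
use std::collections::HashMap;
use std::fmt;
use std::time::{Duration, Instant};
/// Wrapper whose Debug output never prints the value, so an accidental `{:?}`
/// in a log line cannot leak it (hypothetical type, not the crate's own).
pub struct Secret(String);
impl Secret {
    pub fn expose(&self) -> &str { &self.0 }
}
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("Secret([REDACTED])") }
}
/// Assumed path-to-variable rule behind the env example: "openai/api_key" -> "OPENAI_API_KEY".
pub fn env_var_name(path: &str) -> String {
    path.chars()
        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
        .collect()
}
/// TTL cache in front of a backend lookup; `now` is passed in so expiry is testable.
pub struct TtlCache {
    ttl: Duration,
    entries: HashMap<String, (Secret, Instant)>,
    pub hits: u64,
    pub misses: u64,
}
impl TtlCache {
    pub fn new(ttl: Duration) -> Self {
        TtlCache { ttl, entries: HashMap::new(), hits: 0, misses: 0 }
    }
    /// Serve from cache while the entry is younger than the TTL, otherwise call the backend; a failed backend call drops any stale entry rather than serving it.
    pub fn get_or_fetch<F: FnOnce() -> Option<String>>(&mut self, key: &str, now: Instant, fetch: F) -> Option<&Secret> {
        let fresh = matches!(self.entries.get(key), Some((_, t)) if now.duration_since(*t) < self.ttl);
        if fresh {
            self.hits += 1;
        } else {
            self.misses += 1;
            match fetch() {
                Some(v) => { self.entries.insert(key.to_string(), (Secret(v), now)); }
                None => { self.entries.remove(key); return None; }
            }
        }
        self.entries.get(key).map(|(s, _)| s)
    }
    /// Evict expired entries so the map cannot grow without bound; returns how many were removed.
    pub fn cleanup_expired(&mut self, now: Instant) -> usize {
        let (before, ttl) = (self.entries.len(), self.ttl);
        self.entries.retain(|_, (_, t)| now.duration_since(*t) < ttl);
        before - self.entries.len()
    }
}
```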

Re-exports§

pub use aws::AwsSecretStore;
pub use builder::AwsConfig;
pub use builder::SecretManagerBuilder;
pub use builder::SecretStoreType;
pub use builder::VaultConfig;
pub use cache::CacheStats;
pub use cache::SecretCache;
pub use env::EnvSecretStore;
pub use models::Secret;
pub use models::SecretMetadata;
pub use models::SecretVersion;
pub use traits::Result;
pub use traits::SecretError;
pub use traits::SecretStore;
pub use vault::VaultSecretStore;

Modules§

  • aws: AWS Secrets Manager secret store implementation.
  • builder: Secret manager builder and factory.
  • cache: In-memory secret cache with TTL.
  • env: Environment variable secret store implementation.
  • models: Data models for secret management.
  • traits: Traits for secret store implementations.
  • vault: HashiCorp Vault secret store implementation.