Skip to main content
Secrets are stored in YAML files locally and synced to AWS Secrets Manager for production.

Quick Setup

The infra/secrets/ directory is excluded from version control (see .gitignore). Treat these files with the same security as passwords.

API Keys

Required

Optional

Set your keys

Edit infra/secrets/prd_api_secrets.yml:
infra/secrets/prd_api_secrets.yml

Verify keys work

Before deploying, test that your keys are valid:

Database Credentials

Edit infra/secrets/prd_db_secrets.yml:
infra/secrets/prd_db_secrets.yml
Generate a secure password:
Avoid special characters in DB_PASS: @, #, %, &, ", 'These require URL encoding and cause silent connection failures. Stick to alphanumeric characters and !.Safe example: MySecurePass123!

How credentials flow

How Secrets Work

Local Development

Apps read secrets directly from YAML files:
dev_resources.py

Production

Secrets are stored in AWS Secrets Manager and injected into ECS tasks:
prd_resources.py
Why two secrets? API keys and database credentials are stored separately for security isolation. You can rotate one without affecting the other.

Verify Secrets in AWS

After deploying (ag infra up prd:aws), verify secrets were created:
If you changed infra_name in settings.py, replace agentos-aws-template with your value.
Expected output:
To view secret values (be careful - this exposes credentials):

Troubleshooting

The secret doesn’t exist yet. Run ag infra up prd:aws to create it from your YAML files.
Check for special characters in DB_PASS. Remove any @, #, %, & characters and redeploy.
  1. Verify the key works locally (use the curl commands above)
  2. Check the secret was updated: aws secretsmanager get-secret-value --secret-id {name}
  3. Redeploy the task to pick up new secrets: ag infra patch prd:aws::service