
Best practice to store and rotate OpenAI API keys in AWS Secrets Manager


Hi,

I’m using OpenAI’s API in my AWS-hosted application. OpenAI currently does not provide an API to programmatically create or rotate API keys — we can only create and revoke keys manually from the dashboard.

I want to store our OpenAI API key in AWS Secrets Manager. However, Secrets Manager’s automatic rotation requires a Lambda that can generate new credentials. Since OpenAI doesn’t have a rotation endpoint, I’m not sure what the recommended / industry-standard approach is.

Our current architecture works like this:

  • Client App (Web/Mobile) sends a request with a user prompt to our AWS API Gateway endpoint.
  • AWS API Gateway triggers our Lambda proxy function.
  • AWS Lambda:
      • Fetches the OpenAI API key from AWS Secrets Manager
      • Prepares a request to the OpenAI API, adding the API key to the Authorization header
      • Waits for OpenAI’s response
  • OpenAI API processes the request and returns the result
  • Lambda returns the processed result to API Gateway, which forwards it to the Client App

Because of this design, the OpenAI API key never leaves our backend and end-users don’t see it.

Is it acceptable to store an OpenAI API key in AWS Secrets Manager without automatic rotation?

How do AWS customers typically handle third-party API keys with no rotation API?

Any best practices to make manual rotation easier / more secure?

Thanks for your guidance!
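Added illustration of the proxy flow described in the question (not the asker's code, and not an AWS or OpenAI sample): a Lambda handler that reads the key from Secrets Manager once per warm container, attaches it only to the upstream Authorization header, and returns nothing but the model output to API Gateway. The secret name, the `api_key` field inside the secret JSON, the cache TTL and the model name are assumptions; `secrets_client` and `send` are injectable so the handler can be exercised without AWS credentials or network access.

```python
"""Lambda proxy for the flow described in the question. Added illustration, not
the asker's code; secret name, JSON layout and model name are assumptions."""
import json
import os
import time
import urllib.request

try:
    import boto3  # present in the Lambda runtime; optional here so the module loads offline
except ImportError:
    boto3 = None

SECRET_ID = os.environ.get("OPENAI_SECRET_ID", "prod/openai/api-key")  # assumed secret name
OPENAI_URL = "https://api.openai.com/v1/chat/completions"
CACHE_TTL_SECONDS = 300  # warm containers re-read the secret after 5 minutes

# Module-level cache survives across invocations of a warm container.
CACHE = {"api_key": None, "fetched_at": 0.0}


def reset_cache():
    CACHE["api_key"], CACHE["fetched_at"] = None, 0.0


def get_api_key(secrets_client=None, now=None):
    """Return the key, calling GetSecretValue only when the cached copy is stale.

    The TTL bounds how long a warm container keeps using a key after a manual
    rotation in Secrets Manager; keep it short relative to your rotation runbook."""
    now = time.time() if now is None else now
    if CACHE["api_key"] and now - CACHE["fetched_at"] < CACHE_TTL_SECONDS:
        return CACHE["api_key"]
    client = secrets_client or boto3.client("secretsmanager")
    secret = json.loads(client.get_secret_value(SecretId=SECRET_ID)["SecretString"])
    CACHE["api_key"], CACHE["fetched_at"] = secret["api_key"], now  # assumed field name
    return CACHE["api_key"]


def build_openai_request(prompt, api_key):
    """Build the upstream request; the key appears only in the Authorization header."""
    body = json.dumps({"model": "gpt-4o-mini",
                       "messages": [{"role": "user", "content": prompt}]}).encode()
    return urllib.request.Request(
        OPENAI_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})


def redact_headers(headers):
    """Use this on anything you log: CloudWatch Logs must never receive the bearer token."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v) for k, v in headers.items()}


def handler(event, context, secrets_client=None, send=None):
    """API Gateway (proxy integration) -> this handler -> OpenAI -> client."""
    prompt = json.loads(event.get("body") or "{}").get("prompt", "")
    if not prompt:
        return {"statusCode": 400, "body": json.dumps({"error": "prompt is required"})}
    req = build_openai_request(prompt, get_api_key(secrets_client))
    send = send or (lambda r: json.loads(urllib.request.urlopen(r, timeout=30).read()))
    result = send(req)
    # Only the model output is returned; the key never reaches API Gateway or the client.
    reply = result["choices"][0]["message"]["content"]
    return {"statusCode": 200, "body": json.dumps({"reply": reply})}
```

The cache is the operational detail worth noticing: without it every request pays for a GetSecretValue call, but with it a manually rotated key only takes effect once each warm container's TTL expires, so the old key should not be deleted on the OpenAI side until that window has passed.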

2 Answers
Accepted Answer

Hello.

Is it acceptable to store an OpenAI API key in AWS Secrets Manager without automatic rotation?

When creating a secret in Secrets Manager, you can disable the rotation toggle and register the secret with the API key rotation disabled.
https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html

Any best practices to make manual rotation easier / more secure?

Secrets Manager secrets support resource-based policies, so you can restrict which IAM users have access to them using policies.
This means you can ensure that only specific IAM users can update secrets.
https://repost.aws/knowledge-center/secrets-manager-resource-policy

EXPERT
answered 2 months ago
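Added illustration of the resource-policy approach the accepted answer points to (not the answerer's code, and not taken from the linked AWS article): an explicit Deny on all write actions for every principal except the role that performs manual rotation, plus a helper that attaches it with public-policy blocking turned on. The account id and role ARNs are placeholders, and `is_write_allowed` only evaluates this one policy shape so the effect can be checked offline; it is not a general IAM policy evaluator.

```python
"""Resource policy that lets only the rotation operator's role write the secret.
Added illustration (not AWS's or the answerer's code); the ARNs are placeholders."""
import json

try:
    import boto3
except ImportError:
    boto3 = None

WRITE_ACTIONS = [
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecret",
    "secretsmanager:UpdateSecretVersionStage",
    "secretsmanager:RotateSecret",
    "secretsmanager:DeleteSecret",
    "secretsmanager:PutResourcePolicy",
    "secretsmanager:DeleteResourcePolicy",
]


def write_restriction_policy(allowed_principal_arns):
    """Explicit Deny on write actions for every principal except the listed ones.

    An explicit Deny in the resource policy wins even if an identity policy grants
    the action, so the proxy Lambda's role (which only needs GetSecretValue) cannot
    overwrite the key even if it were over-permissioned by mistake."""
    if not allowed_principal_arns:
        raise ValueError("at least one principal must be allowed to rotate the secret")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyWritesExceptRotationOperator",
            "Effect": "Deny",
            "Principal": "*",
            "Action": WRITE_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(allowed_principal_arns)}},
        }],
    }


def is_write_allowed(policy, principal_arn):
    """Evaluate this policy shape only: a principal is blocked when the Deny's
    ArnNotEquals condition matches, i.e. it is not in the allowed list.
    (Assumes an identity policy grants the action; this is not a full IAM evaluator.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        allowed = stmt["Condition"]["ArnNotEquals"]["aws:PrincipalArn"]
        if principal_arn not in allowed:
            return False
    return True


def apply_policy(secret_id, policy, client=None):
    """Attach the policy; BlockPublicPolicy rejects policies that would open the secret."""
    client = client or boto3.client("secretsmanager")
    return client.put_resource_policy(
        SecretId=secret_id, ResourcePolicy=json.dumps(policy), BlockPublicPolicy=True)
```

Read actions are deliberately left out of the Deny list, so the proxy Lambda's role keeps working through its own identity policy while losing any ability to replace or delete the key.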

It is completely acceptable to store API keys without automatic rotation when the service doesn't provide rotation APIs. Focus on good operational practices and regular manual rotation schedules instead.

For storing and managing OpenAI API keys in AWS Secrets Manager without automatic rotation capability:

Basic Storage Recommendations:
  • Store the API key in AWS Secrets Manager
  • Include metadata like rotation date and expiry date
  • Document ownership and environment information

Best Practices:
  • Use IAM roles with least privilege
  • Enable CloudTrail logging for audit
  • Set up CloudWatch reminders for manual rotation
  • Create a documented rotation process/runbook
  • Implement monitoring and alerting
  • Version control your secrets

Manual Rotation Process:
  • Generate new API key in OpenAI dashboard
  • Update secret in Secrets Manager
  • Verify functionality
  • Delete old API key

Resources:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html

Hope this helps!

AWS
answered 2 months ago
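Added illustration tying together the second answer's metadata, reminder and manual-rotation points (not the answerer's code, and not an AWS sample): the secret value carries owner, environment, rotation and expiry dates; a reminder function produces the message a scheduled job would send when a key is due; and `rotate` verifies the new key before writing it as the current version, leaving the secret untouched if verification fails. The field names, the 90-day period, the secret name and the use of GET /v1/models as a liveness check are assumptions; `client` and `verify` are injectable so the flow can be checked offline.

```python
"""Secret payload with rotation metadata, a reminder check, and a verify-then-commit
manual rotation. Added illustration (not the answerer's or AWS's code); field names,
the 90-day period and the secret name are assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

try:
    import boto3
except ImportError:
    boto3 = None

ROTATION_PERIOD_DAYS = 90  # assumed policy; pick what your risk appetite allows


def as_dt(value):
    """Accept an aware datetime or an ISO-8601 string such as '2025-01-01T00:00:00+00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def build_secret_payload(api_key, owner, environment, rotated_at=None,
                         period_days=ROTATION_PERIOD_DAYS):
    """Store metadata next to the key so 'who owns this and when is it due' is
    answerable from the secret itself rather than from tribal knowledge."""
    rotated = as_dt(rotated_at) if rotated_at else datetime.now(timezone.utc)
    return {
        "api_key": api_key,
        "owner": owner,
        "environment": environment,
        "rotated_at": rotated.isoformat(),
        "expires_at": (rotated + timedelta(days=period_days)).isoformat(),
    }


def days_until_due(payload, now=None):
    now = as_dt(now) if now else datetime.now(timezone.utc)
    return (as_dt(payload["expires_at"]) - now).days


def rotation_reminder(payload, now=None, warn_days=14):
    """Message for a scheduled job (e.g. EventBridge rule -> Lambda -> SNS) to
    send; None when nothing is due. The message never includes the key itself."""
    remaining = days_until_due(payload, now)
    label = f"{payload['environment']} OpenAI key (owner {payload['owner']})"
    if remaining < 0:
        return f"OVERDUE: {label} expired {-remaining} day(s) ago"
    if remaining <= warn_days:
        return f"DUE SOON: {label} expires in {remaining} day(s)"
    return None


def verify_openai_key(api_key, timeout=15):
    """Cheap liveness check for a freshly created key (GET /v1/models)."""
    req = urllib.request.Request("https://api.openai.com/v1/models",
                                 headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except Exception:
        return False


def rotate(secret_id, new_key, verify=verify_openai_key, client=None, now=None):
    """Runbook steps 2-3 in code: verify the new key, then write it as AWSCURRENT.

    Secrets Manager moves the previous version to AWSPREVIOUS automatically, which
    gives a fallback while consumers pick up the new key. Step 4 (revoking the old
    key in the OpenAI dashboard) stays manual; do it only after the TTL of any
    in-process caches has elapsed."""
    client = client or boto3.client("secretsmanager")
    current = json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])
    if not verify(new_key):
        raise RuntimeError("new key failed verification; secret left unchanged")
    payload = build_secret_payload(new_key, current["owner"], current["environment"],
                                   rotated_at=now)
    client.put_secret_value(SecretId=secret_id, SecretString=json.dumps(payload))
    return payload
```

Verifying before writing is the step that keeps a typo in the new key from taking the proxy down; keeping the previous version as AWSPREVIOUS gives a quick rollback path until the old key is actually revoked on the OpenAI side.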
