[hardsnow]

Alternative, and more robust approach is to give the agent surrogate credentials and replace them on the way out in a proxy. If proxy runs in an environment to which agent has no access to, the real secrets are not available to it directly; it can only make requests to scoped hosts with those.

I’ve built this in Airut and so far seems to handle all the common cases (GitHub, Anthropic / Google API keys, and even AWS, which requires slightly more work due to the request signing approach). Described in more detail here: https://github.com/airutorg/airut/blob/main/doc/network-sand...

[sesm]

That's great for API credentials but some secrets are ment for local use, like encryption keys.

[ctmnt]

OP isn't talking about giving agents credentials, that's a whole nother can of worms. And yes, agreed, don't do it. Some kind of additional layer is crucial.

Personally I don't like the proxy / MITM approach for that, because you're adding an additional layer of surface area for problems to arise and attacks to occur. That code has to be written and maintained somewhere, and then you're back to the original problem.

[NitpickLawyer]

How does this work with SSL? Do you need to provision certs on the agent VM?

[hardsnow]

Yep - requires the client to trust the SSL cert of the proxy. Cooperative clients that support eg HTTP_PROXY may be easier to support, but for Airut I went for full transparent mitmproxy. All DNS A requests resolve to the proxy IP and proxy cert is injected to the container where Claude Code runs as trusted CA. As a bonus this closes DNS as potential exfiltration channel.

[petesergeant]

This is cool! Solving the same problem (authority delegation to resources like Github and Gmail) but in a slightly different way at https://agentblocks.ai