|
|
|
|
|
|
by goodra7174
61 days ago
|
|
|
The HTTPS_PROXY approach is clever — interface-agnostic credential brokering without modifying the agent itself. We ran into the same problem from the infrastructure side. When you're running agent workloads on Kubernetes, the blast radius of a leaked credential scales with whatever the pod's ServiceAccount can reach. We ended up combining Cilium FQDN egress policies (agents can only call approved endpoints) with per-workload tool allowlists enforced at the CRD level. The network-level lockdown means even if the agent is prompt-injected, it physically cannot exfiltrate to an unauthorized domain. Curious: have you tested AV with agents that make tool calls through MCP servers? The proxy would need to handle the MCP server's outbound requests too, not just the agent's direct calls. |
|
|
That said, there are many DX improvements to be made such as making it easier to load in credentials into AV and more thinking more around how to optimally handle token refreshes. Part of the questioning there is how much work should be delegated to AV and how much should be to the underlying secrets manager (if connected).