The External Secrets Enterprise product suite is a premium product. It requires a specific subscription. Contact us for more information.
To use the OpenAI Generator, you must have the Enterprise Distribution of ESO available via the ESI Agent or via our Helm chart bundle.

Introduction

The OpenAI Generator allows automated management of OpenAI Service Accounts and their associated API Keys using the OpenAI Admin API. It simplifies the process of provisioning scoped credentials for different applications or environments, enabling secure, automated key rotation without manual intervention. This approach reduces operational overhead and enhances security posture by providing each workload with its own unique, managed API key.

Output Keys and Values

Key       Description
api_key   The generated OpenAI API key (sk-...).

Parameters

Key                        Default                        Description
projectId                  Required                       The ID of the OpenAI project where the service account will be created.
host                       "https://api.openai.com/v1"    Base URL for the OpenAI Admin API. Typically the default endpoint is sufficient.
openAiAdminKey             Required                       Kubernetes secret reference holding the OpenAI Admin API Key used for authentication.
serviceAccountNamePrefix   Optional                       Prefix for the generated service account name.
serviceAccountNameSize     12                             Length of the randomly generated suffix for the service account name.

Set up

Requirements

  • An OpenAI project and an Admin API Key for it.

Authentication

The Admin API Key must be stored in a Kubernetes secret and referenced in the openAiAdminKey field. Example secret:
apiVersion: v1
kind: Secret
metadata:
  name: openai-admin-secret
  namespace: default
type: Opaque
data:
  api-key: <base64-admin-api-key>

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: OpenAI
metadata:
  name: openai-generator
  namespace: default
spec:
  projectId: my-openai-project-id
  openAiAdminKey:
    name: openai-admin-secret
    key: api-key
  host: https://api.openai.com/v1
  serviceAccountNamePrefix: app
  serviceAccountNameSize: 10

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openai-credentials
  namespace: default
spec:
  refreshInterval: 1h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: OpenAI
          name: openai-generator

Using the generated secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: my-image:latest
          env:
            - name: OPENAI_API_KEY
              valueFrom:
                secretKeyRef:
                  name: openai-credentials
                  key: api_key
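The four manifests above form a reference chain (admin Secret -> generator -> ExternalSecret -> Deployment), and a mismatch anywhere in it, such as reading the hyphenated input key `api-key` instead of the generator's output key `api_key`, silently breaks the rotation. The following pre-apply check is an added example, not code from ESO or its documentation; it holds the page's manifests as Python dicts (constructed here, with a placeholder in place of the base64 admin key) and reports every broken reference and parameter problem it finds.

```python
# Added example: consistency check over the page's four manifests as dicts.
OUTPUT_KEYS = {"api_key"}                         # keys the generator emits
REQUIRED_PARAMS = {"projectId", "openAiAdminKey"}  # "Required" in the table
DEFAULT_HOST = "https://api.openai.com/v1"

def sample_manifests(env_key="api_key"):
    """The page's Secret, generator, ExternalSecret and Deployment (constructed)."""
    secret = {"kind": "Secret", "metadata": {"name": "openai-admin-secret"},
              "data": {"api-key": "PLACEHOLDER-BASE64-ADMIN-KEY"}}
    generator = {"kind": "OpenAI", "metadata": {"name": "openai-generator"},
                 "spec": {"projectId": "my-openai-project-id",
                          "openAiAdminKey": {"name": "openai-admin-secret", "key": "api-key"},
                          "host": DEFAULT_HOST, "serviceAccountNamePrefix": "app",
                          "serviceAccountNameSize": 10}}
    external_secret = {"kind": "ExternalSecret", "metadata": {"name": "openai-credentials"},
                       "spec": {"dataFrom": [{"sourceRef": {"generatorRef":
                                {"kind": "OpenAI", "name": "openai-generator"}}}]}}
    deployment = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
        {"name": "my-container", "env": [{"name": "OPENAI_API_KEY", "valueFrom":
            {"secretKeyRef": {"name": "openai-credentials", "key": env_key}}}]}]}}}}
    return secret, generator, external_secret, deployment

def check_chain(secret, generator, external_secret, deployment):
    """Return a list of problems; an empty list means every reference lines up."""
    problems = []
    spec = generator["spec"]
    for missing in sorted(REQUIRED_PARAMS - set(spec)):
        problems.append(f"generator: required parameter {missing} is missing")
    ref = spec.get("openAiAdminKey", {})
    if ref.get("name") != secret["metadata"]["name"]:
        problems.append("generator: openAiAdminKey.name does not match the admin Secret")
    elif ref.get("key") not in secret.get("data", {}):
        problems.append(f"generator: admin Secret has no key {ref.get('key')!r}")
    if spec.get("host", DEFAULT_HOST) != DEFAULT_HOST:   # admin key leaves OpenAI otherwise
        problems.append(f"generator: non-default host {spec['host']!r}, confirm it is intended")
    size = spec.get("serviceAccountNameSize", 12)
    if not isinstance(size, int) or size < 1:
        problems.append("generator: serviceAccountNameSize must be a positive integer")
    gref = external_secret["spec"]["dataFrom"][0]["sourceRef"]["generatorRef"]
    if (gref["kind"], gref["name"]) != (generator["kind"], generator["metadata"]["name"]):
        problems.append("externalsecret: generatorRef does not point at the generator")
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            skr = env.get("valueFrom", {}).get("secretKeyRef", {})
            if skr and skr["name"] != external_secret["metadata"]["name"]:
                problems.append(f"deployment: {env['name']} reads a Secret the ExternalSecret does not create")
            if skr and skr["key"] not in OUTPUT_KEYS:
                problems.append(f"deployment: {env['name']} uses key {skr['key']!r}, generator outputs {sorted(OUTPUT_KEYS)}")
    return problems
```

Run `check_chain(*sample_manifests())` before applying; swapping the Deployment's key to `api-key` (the Secret's input key) is the mistake it is most useful for catching.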

Notes and Considerations

  • Each time the secret rotates, a new service account and API key are created.
  • Service accounts are deleted during cleanup, ensuring no orphaned resources remain.
  • The generator strictly requires the OpenAI Admin API; standard API keys for model inference are not sufficient.
  • serviceAccountNameSize controls only the suffix length after any optional prefix.