[Backend] Add SECRET credential type for storing generic sensitive values (#4246)

2025-12-09 11:19:57 -08:00
parent 71e4614cfe
commit eb50fdef83
7 changed files with 107 additions and 5 deletions
--- a/skyvern/forge/sdk/services/credential/azure_credential_vault_service.py
+++ b/skyvern/forge/sdk/services/credential/azure_credential_vault_service.py
@@ -14,6 +14,7 @@ from skyvern.forge.sdk.schemas.credentials import (
    CredentialVaultType,
    CreditCardCredential,
    PasswordCredential,
+    SecretCredential,
 )
 from skyvern.forge.sdk.services.credential.credential_vault_service import CredentialVaultService

@@ -36,8 +37,14 @@ class AzureCredentialVaultService(CredentialVaultService):
        card_brand: str
        card_holder_name: str

+    class _SecretCredentialDataImage(BaseModel):
+        type: Literal["secret"]
+        secret_value: str
+        secret_label: str | None = None
+
    _CredentialDataImage = Annotated[
-        Union[_PasswordCredentialDataImage, _CreditCardCredentialDataImage], Field(discriminator="type")
+        Union[_PasswordCredentialDataImage, _CreditCardCredentialDataImage, _SecretCredentialDataImage],
+        Field(discriminator="type"),
    ]

    def __init__(self, client: AsyncAzureVaultClient, vault_name: str):
@@ -128,13 +135,20 @@ class AzureCredentialVaultService(CredentialVaultService):
                name=db_credential.name,
                credential_type=CredentialType.CREDIT_CARD,
            )
+        elif isinstance(data, AzureCredentialVaultService._SecretCredentialDataImage):
+            return CredentialItem(
+                item_id=db_credential.item_id,
+                credential=SecretCredential(secret_value=data.secret_value, secret_label=data.secret_label),
+                name=db_credential.name,
+                credential_type=CredentialType.SECRET,
+            )
        else:
            raise TypeError(f"Invalid credential type: {type(data)}")

    async def _create_azure_secret_item(
        self,
        organization_id: str,
-        credential: PasswordCredential | CreditCardCredential,
+        credential: PasswordCredential | CreditCardCredential | SecretCredential,
    ) -> str:
        if isinstance(credential, PasswordCredential):
            data = AzureCredentialVaultService._PasswordCredentialDataImage(
@@ -153,6 +167,12 @@ class AzureCredentialVaultService(CredentialVaultService):
                card_brand=credential.card_brand,
                card_holder_name=credential.card_holder_name,
            )
+        elif isinstance(credential, SecretCredential):
+            data = AzureCredentialVaultService._SecretCredentialDataImage(
+                type="secret",
+                secret_value=credential.secret_value,
+                secret_label=credential.secret_label,
+            )
        else:
            raise TypeError(f"Invalid credential type: {type(credential)}")

--- a/skyvern/forge/sdk/services/credential/credential_vault_service.py
+++ b/skyvern/forge/sdk/services/credential/credential_vault_service.py
@@ -68,5 +68,19 @@ class CredentialVaultService(ABC):
                card_brand=data.credential.card_brand,
                totp_identifier=None,
            )
+        elif data.credential_type == CredentialType.SECRET:
+            return await app.DATABASE.create_credential(
+                organization_id=organization_id,
+                name=data.name,
+                vault_type=vault_type,
+                item_id=item_id,
+                credential_type=data.credential_type,
+                username=None,
+                totp_type="none",
+                card_last4=None,
+                card_brand=None,
+                totp_identifier=None,
+                secret_label=data.credential.secret_label,
+            )
        else:
            raise Exception(f"Unsupported credential type: {data.credential_type}")