How we isolate accounts, mount secrets, and never let your code see plaintext keys.
Secret paths
Every account's secrets live under a per-account prefix in AWS Secrets Manager: agentdepot/{accountId}/{secret_name}. The runtime IAM role for that account has secretsmanager:GetSecretValue scoped to that prefix only — agents from one customer cannot read another's secrets.
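Whether the prefix really confines a role to one account depends on the exact Resource pattern, because IAM's * matches any run of characters, including /. The check below is an added example, not AgentDepot's own code: it tests the Resource value from this section's runtime policy and a tighter variant against sample secret ARNs. The account IDs other than acc_abc123, the secret name, the ARN suffix, and the assumption that account IDs can share a leading substring are all constructed for illustration.

```python
import re

# Resource from the runtime policy in this section, and a tighter variant for comparison.
PAGE_PATTERN = "arn:aws:secretsmanager:us-east-1:471176250120:secret:agentdepot/acc_abc123*/*"
STRICT_PATTERN = "arn:aws:secretsmanager:us-east-1:471176250120:secret:agentdepot/acc_abc123/*"
ARN_BASE = "arn:aws:secretsmanager:us-east-1:471176250120:secret:agentdepot/"

# Constructed account IDs; the second shares a leading substring with the first
# (assumption: IDs are not guaranteed to be fixed-length).
ACCOUNTS = ["acc_abc123", "acc_abc1234", "acc_xyz789"]


def iam_match(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(rx, arn, flags=re.DOTALL) is not None


def sample_arn(account_id: str, secret_name: str = "OPENAI_API_KEY") -> str:
    # Secrets Manager appends "-" plus six random characters to the name in the ARN;
    # "AbCdEf" is a constructed suffix.
    return f"{ARN_BASE}{account_id}/{secret_name}-AbCdEf"


def cross_account_hits(resource: str, own_account: str, accounts: list[str]) -> list[str]:
    """Return the other accounts whose secrets the Resource pattern would also cover."""
    return [
        a for a in accounts
        if a != own_account and iam_match(resource, sample_arn(a))
    ]


if __name__ == "__main__":
    for label, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        own = iam_match(pattern, sample_arn("acc_abc123"))
        others = cross_account_hits(pattern, "acc_abc123", ACCOUNTS)
        print(f"{label}: matches own account={own}, other accounts covered={others}")
```

Run the same check against every generated policy and the full list of live account IDs; any non-empty result means the pattern needs a literal / directly after the account ID.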
# Runtime IAM policy (auto-generated per account)
{
  "Effect": "Allow",
  "Action": "secretsmanager:GetSecretValue",
  "Resource": "arn:aws:secretsmanager:us-east-1:471176250120:secret:agentdepot/acc_abc123*/*"
}
How secrets reach your code
AgentCore Runtime injects secrets as environment variables at runtime. Your code reads OPENAI_API_KEY via os.environ['OPENAI_API_KEY'] (Python) or process.env.OPENAI_API_KEY (Node) — same as local dev. The plaintext value never appears in your container image, ECR repository, CloudWatch logs, or runtime config.
Composio OAuth tokens
OAuth tokens live on Composio's infrastructure (SOC 2 Type II). Your code never holds the raw token. Instead, you call composio.actions.execute({ action: 'SLACK_SEND_MESSAGE', connectionId, ... }) and Composio injects the bearer token at the API call site. Refresh and rotation are handled by Composio.
Rotation
Plain API keys: rotate via the portal Credentials tab. The new value overwrites the existing Secrets Manager entry, and the agent picks it up on its next invocation.
Composio OAuth: re-authenticate from the portal; Composio swaps the connection in place.