Secrets Management in Codex-enabled Repository - Is Retrieve at Runtime Safe?

This likely won’t solve everyone’s use case, but I think I’ve got a fix for there not being any built-in secrets management on Codex and wanted to check if anybody saw issues with it.

We’re trying to solve this problem for scripts we initiate runs of manually to perform tasks (meaning the codebase Codex is working on won’t be an application deployed out somewhere nor run automatically via cron, etc). Our plan is to use LastPass to store secrets remotely and retrieve them at runtime with a Python script. So instead of any locally stored credentials, there’s a secrets.py file that’s imported by the other scripts. When we invoke a script and secrets.py is called, we’re prompted to authenticate into LastPass, after which the note is retrieved and the secrets are parsed/used.

If I understand Codex correctly, this keeps the secrets out of its sight, as they’re only loaded in memory during a human-initiated code execution. If Codex tried to invoke the secrets.py file itself, it doesn’t know the LastPass credentials (and couldn’t MFA if it did), so it’s unable to leverage the script we use to access the secrets.

Again - I understand this doesn’t work for everyone’s use case (I’ve read over several similar threads), but does this seem viable for our situation? Am I correct in my understanding that Codex wouldn’t have access to our secrets with this method?
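An added illustration of the retrieve-at-runtime loader the post describes (my example, not the poster's script): it shells out to the lastpass-cli `lpass show --notes` (assumed installed and on PATH; the note name is hypothetical), parses the note into an in-memory dict, and refuses to run without an interactive terminal, so an unattended invocation, by an agent or a scheduler, gets nothing.

```python
import subprocess
import sys
from typing import Callable, Dict, Optional

# Hypothetical name of the LastPass secure note holding KEY=VALUE lines.
NOTE_NAME = "codex-runtime-secrets"


def parse_note(note_text: str) -> Dict[str, str]:
    """Parse a secure note of KEY=VALUE lines into a dict.

    Blank lines and '#' comments are ignored. Only the first '=' splits a
    line, so values may themselves contain '='. Error messages report the
    line number, never the line content, so a malformed note cannot leak
    a partial secret into logs or tracebacks.
    """
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(note_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed secret on note line {lineno}")
        key, value = line.split("=", 1)
        secrets[key.strip()] = value.strip()
    return secrets


def fetch_note_via_lpass(name: str) -> str:
    """Fetch the note body with lastpass-cli (assumed: `lpass show --notes NAME`).

    The CLI prompts for the master password (and MFA) itself when there is
    no live session, so nothing about the vault login lives in this file.
    """
    result = subprocess.run(
        ["lpass", "show", "--notes", name],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def load_secrets(fetch: Callable[[str], str] = fetch_note_via_lpass,
                 interactive: Optional[bool] = None) -> Dict[str, str]:
    """Load secrets into memory only; never written to disk or environment.

    Refuses to run when stdin is not a TTY: a human-initiated run passes,
    while a non-interactive caller cannot even reach the vault prompt.
    """
    if interactive is None:
        interactive = sys.stdin.isatty()
    if not interactive:
        raise RuntimeError("secrets loader requires an interactive terminal")
    return parse_note(fetch(NOTE_NAME))
```

Naming the module secrets.py shadows the standard library's `secrets` module, so a distinct file name avoids surprising imports elsewhere in the codebase.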