Keybrake

Argo Workflows · AI agents · API key security

Argo Workflows AI agent API key: scoping vendor calls in Kubernetes-native pipelines

Argo Workflows is the most widely deployed Kubernetes-native workflow engine — GitOps-friendly YAML templates, DAG-based step graphs, and tight integration with the Kubernetes RBAC and Secrets APIs. When AI agents use Argo to orchestrate vendor API calls, each task step runs in its own container pod and reads the Stripe or Twilio key directly from a Kubernetes Secret. That architecture makes fan-out spend risks invisible: a DAG with 500 parallel tasks issues 500 simultaneous vendor API calls with no per-workflow dollar cap. retryStrategy at the step level multiplies each failed call into up to N+1 pod executions. And revoking a key mid-run means rotating the Kubernetes Secret — which breaks every other running workflow that reads it. This page covers the vault-key pattern that scopes spend per workflow execution without touching your Kubernetes Secrets or YAML templates.

TL;DR

Issue a vault key in the entry-point step of your Argo workflow, store it in the workflow's parameters or an artifact, and pass it to downstream task templates as a step argument. Each workflow execution gets its own vault key with its own dollar cap. The real Stripe secret stays in Keybrake — it never appears in your Kubernetes Secrets manifest, pod environment, or Argo workflow logs. Revoking a runaway workflow is a single DELETE to the Keybrake API, not a Kubernetes Secret rotation that breaks all other live workflows.

How Argo Workflows AI agents call vendor APIs

In a typical Argo Workflows setup for AI agent billing work, a workflow template defines a DAG where one step calls Stripe for each customer partition. The Stripe key comes from a Kubernetes Secret mounted as an environment variable:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: billing-agent-
spec:
  entrypoint: billing-dag
  templates:
  - name: billing-dag
    dag:
      tasks:
      - name: charge-customers
        template: charge-batch
        arguments:
          parameters:
          - name: customer_ids
            value: "{{item}}"
        withItems:         # expands into N parallel tasks
        - "cus_001,cus_002,cus_003"
        - "cus_004,cus_005,cus_006"

  - name: charge-batch
    inputs:
      parameters:
      - name: customer_ids
    container:
      image: your-billing-agent:latest
      env:
      - name: STRIPE_SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: stripe-credentials  # full-access Kubernetes Secret
            key: secret_key
      command: [python, charge.py, "{{inputs.parameters.customer_ids}}"]

This is standard Argo. The withItems expansion creates one pod per list item, all running simultaneously with the same full-access Stripe key. Each pod independently calls Stripe — and there is no mechanism to cap how much total spend the workflow can trigger.

Three gaps Argo Workflows' native tooling doesn't fill for vendor spend control

GapWhat happens in practiceArgo's answer
No per-workflow spend cap A data pipeline bug duplicates customer IDs before passing them to the workflow. withItems expands to 2,000 items instead of 200. Argo schedules 2,000 pods; Kubernetes schedules them based on node capacity; Stripe confirms each charge. The error is discovered in the Stripe dashboard — after the money has moved. Argo's workflow-level resource quotas govern CPU and memory, not vendor dollars. None. Argo observes workflow resource consumption (CPU, memory, pod count) but has no visibility into the dollar cost of vendor API calls made inside pods.
No mid-run vendor revoke without Secret rotation To stop an in-flight Argo workflow from making more Stripe calls, you can terminate the workflow (stops new pods from starting) or patch the Kubernetes Secret to an invalid value. Terminating the workflow kills pending tasks but in-progress pod containers continue executing until the container process exits. Rotating the Kubernetes Secret breaks every other workflow that reads the same secret — including unrelated workflows currently running in the cluster. Workflow termination and suspension stop scheduling but don't interrupt running containers. Kubernetes RBAC does not provide per-pod Secret revocation.
No per-call audit with workflow context Argo's built-in logging captures container stdout/stderr and step completion events. It doesn't parse dollar amounts from Stripe responses, cross-reference Stripe Request-Id values with Argo workflow names and step IDs, or provide a per-call cost table queryable by workflow execution ID. Argo's workflow archive stores step inputs, outputs, and status. No structured cost tracking or vendor-call correlation with external transaction IDs.

The withItems risk: parallel pod fan-out and simultaneous vendor calls

Argo's withItems and withParam constructs are the primary fan-out mechanism for AI agent workloads. Each item in the list spawns an independent pod. Pod scheduling is bounded by cluster capacity, not by vendor spend limits. On a cluster with sufficient nodes, 500 items can mean 500 simultaneous Stripe calls within seconds of workflow submission.

Unlike task queues with configurable concurrency, Argo's DAG parallelism is controlled by the cluster's scheduling capacity and any explicitly configured parallelism field on the workflow or template. Setting parallelism: 10 slows the fan-out but doesn't set a dollar cap — it just means the $500 charge happens over 10 minutes instead of 30 seconds.

A per-workflow vault key enforces the dollar cap across all parallel pods sharing that execution. The cap is enforced atomically at the proxy layer regardless of how many pods are calling simultaneously.

The retryStrategy risk: pod restarts multiply vendor calls

Argo's retryStrategy is applied at the template level and retries the entire pod on failure:

  - name: charge-batch
    retryStrategy:
      limit: "3"
      retryPolicy: "Always"  # retries on any failure, including transient network errors
    container:
      ...

If a pod calls Stripe and the connection drops before the response arrives, Argo marks the pod failed and schedules a retry pod. The retry pod calls Stripe again — potentially creating a duplicate charge if an idempotency key wasn't used. With retryPolicy: "Always" and limit: "3", a single network blip can trigger four Stripe calls for one intended charge.

Use retryPolicy: "OnError" instead of "Always" to limit retries to system errors, not application errors. And use idempotency keys on every Stripe call so retries are safe — the proxy's deduplication layer provides an additional guarantee for cases where idempotency keys are misconfigured.

Scoping vault keys per Argo workflow execution

Issue the vault key in a dedicated setup step that runs before the fan-out, then pass the key as a workflow parameter to all downstream templates:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: billing-agent-
spec:
  entrypoint: billing-dag
  arguments:
    parameters:
    - name: budget_usd
      value: "300"

  templates:
  - name: billing-dag
    dag:
      tasks:
      - name: issue-vault-key
        template: issue-vault-key-tmpl
        arguments:
          parameters:
          - name: budget_usd
            value: "{{workflow.parameters.budget_usd}}"
      - name: charge-customers
        depends: issue-vault-key
        template: charge-batch
        arguments:
          parameters:
          - name: customer_ids
            value: "{{item}}"
          - name: vault_key
            value: "{{tasks.issue-vault-key.outputs.parameters.vault_key}}"
        withItems:
        - "cus_001,cus_002,cus_003"
        - "cus_004,cus_005,cus_006"

  - name: issue-vault-key-tmpl
    inputs:
      parameters:
      - name: budget_usd
    outputs:
      parameters:
      - name: vault_key
        valueFrom:
          path: /tmp/vault_key
    container:
      image: curlimages/curl:latest
      env:
      - name: KEYBRAKE_API_KEY
        valueFrom:
          secretKeyRef:
            name: keybrake-credentials
            key: api_key
      command: [sh, -c]
      args:
      - |
        curl -s -X POST https://proxy.keybrake.com/vault/keys \
          -H "Authorization: Bearer $KEYBRAKE_API_KEY" \
          -H "Content-Type: application/json" \
          -d "{
            \"vendor\": \"stripe\",
            \"daily_usd_cap\": {{inputs.parameters.budget_usd}},
            \"allowed_endpoints\": [\"POST /v1/payment_intents\"],
            \"expires_in\": \"2h\",
            \"agent_run_label\": \"argo/{{workflow.name}}\"
          }" | jq -r .vault_key > /tmp/vault_key

  - name: charge-batch
    inputs:
      parameters:
      - name: customer_ids
      - name: vault_key
    retryStrategy:
      limit: "3"
      retryPolicy: "OnError"
    container:
      image: your-billing-agent:latest
      env:
      - name: STRIPE_SECRET_KEY
        value: "{{inputs.parameters.vault_key}}"   # vault key, not real secret
      - name: STRIPE_BASE_URL
        value: "https://proxy.keybrake.com/stripe"
      command: [python, charge.py, "{{inputs.parameters.customer_ids}}"]

The Kubernetes Secret now contains only the Keybrake API key (used once in the setup step), not the real Stripe secret. The vault key is generated per workflow execution, travels through Argo's parameter system to each pod, and enforces a per-execution dollar cap across all parallel charge-batch pods. The agent_run_label value (argo/{workflow.name}) makes every Stripe call in the audit log queryable by Argo workflow name.

How Keybrake fits

Keybrake is the proxy layer between your Argo Workflows pods and Stripe, Twilio, or Resend. The vault key replaces the full-access API key in each pod's environment. The real Stripe secret stays in Keybrake — it never appears in your Kubernetes Secrets manifest, Argo workflow YAML, pod environment variables, or container logs. Revoking a runaway workflow is a single DELETE /vault/keys/{key_id} call — it takes effect on the next vendor API call from any pod in the workflow, without rotating the Kubernetes Secret or disrupting other workflows.

Get early access

Related questions

How do I pass the vault key securely through Argo's parameter system?

Argo workflow parameters are stored in the workflow spec (visible in argo get and the UI) and in the Kubernetes Workflow object. The vault key is short-lived, dollar-capped, and endpoint-restricted — less sensitive than the real Stripe secret. However, if you want to minimize surface area, use Argo's artifact output mechanism instead of parameters: write the vault key to an S3 artifact in the setup step, and have downstream pods fetch it from the artifact store with appropriate bucket permissions. The real Stripe secret remains in Keybrake regardless.

Does this work with Argo's withParam for dynamic fan-out?

Yes. withParam generates the item list dynamically from a previous step's output — commonly used when a data step queries a database and returns a JSON array of customer IDs. Issue the vault key in the same setup step (or a separate preceding step), then pass it as a parameter alongside each item in the fan-out. The vault key is a string parameter like any other — it travels through Argo's parameter substitution system to each parallel task.

How do I handle cap exhaustion 429s in Argo retryStrategy?

Set retryPolicy: "OnError" rather than "Always" — "OnError" retries on system-level errors (pod OOM, node failure) but not application errors (non-zero exit codes from HTTP errors). When your container process receives a 429 from the proxy due to cap exhaustion, it should exit with a non-zero code and a clear error message. Argo marks the step as failed without retrying. This prevents retry storms on intentional cap exhaustion. The X-Keybrake-Cap-Hit: true response header distinguishes cap-exhaustion 429s from transient vendor rate-limit 429s — parse it in your container to choose between retryable and non-retryable exit paths.

Further reading