[8.19] [Security Assistant] Simplifies Security Gen AI Evaluation secret management (elastic#219885) (elastic#220700)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Security Assistant] Simplifies Security Gen AI Evaluation secret
management (elastic#219885)](elastic#219885)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Garrett
Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-05-09T17:01:36Z","message":"[Security
Assistant] Simplifies Security Gen AI Evaluation secret management
(elastic#219885)\n\n## Summary\n\nSimplifies secret management for running the
Security Gen AI\nEvaluations. See updated README.md for full details,
but includes:\n\n* Consolidation of multiple vault keys to a
single\n`KIBANA_SECURITY_GEN_AI_CONFIG` key, which contains all
connectors,\nlangsmith creds and now a way to specify
`evaluatorConnectorId`.\n* Added `vault` params to both
`retrieve_secrets.js` and\n`upload_secrets.js` for specifying the vault.
Defaults to `sieam-team`\nsecrets.elastic.co for ease of use by
developers.\n* Introduces `get_commands.js` script for fetching commands
to hand off\nto either Kibana Ops for updating, or specifying config
overrides when\nmanually running BuildKite pipelines.\n* Deleted
`export_env_secrets.js` as it couldn't be used for setting env\nvars
locally for the dev testing experience.\n* Updated `connectors` as per
team discussion to include: GPT-4.1,\nClaude 3.5/3.7, and Gemini 2.5
Pro. This was a config change made by\nKibana Ops, so no code change
present. But you can confirm by running\n`retrieve_secrets.js`.\n\nAnd
finally, a much more detailed `README.md` for testing locally, on\nPR's
and CI, and the process for updating secrets. See
full\n[README.md](https://github.com/spong/kibana/blob/ci-eval-tweaks/x-pack/test/security_solution_api_integration/test_suites/genai/evaluations/README.md)\n\n\n\nExample
LangSmith Runs:\n\n* `ES|QL Generation Regression Suite`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/261dcc59-fbe7-4397-a662-ff94042f666c)\n*
`Alerts RAG Regression (Episodes 1-8)`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/bd5bba1d-97aa-4512-bce7-b09aa943c651)\n*
`Assistant Eval: Custom Knowledge`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/2d5f7c18-4bf4-4cdb-97a1-16e39a865cab)\n*
`Eval AD: All Scenarios`:
[Run\n300138](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/4690ee16-9df5-416c-8bf0-b62bc2f2aba9/compare?selectedSessions=6d44134b-6492-4f2d-9b28-6d4a82a0e9ae&baseline=undefined)\n\nNote:
there is currently a timing bug with Alerts/KB entries being\ncleaned up
before the server is complete, so you may see poor evals for\n`Alerts
RAG Regression (Episodes 1-8)` and `Assistant Eval: Custom\nKnowledge`
until that is fixed. I'll address this in a follow-up PR\nsince it is
unrelated to this
change-set.","sha":"e9a8909fad8075cee246793697d6f252e6227a44","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Security
Generative AI","Feature:Assistant
Evaluation","backport:version","v9.1.0","v8.19.0","ci:security-genai-run-evals"],"title":"[Security
Assistant] Simplifies Security Gen AI Evaluation secret
management","number":219885,"url":"https://github.com/elastic/kibana/pull/219885","mergeCommit":{"message":"[Security
Assistant] Simplifies Security Gen AI Evaluation secret management
(elastic#219885)\n\n## Summary\n\nSimplifies secret management for running the
Security Gen AI\nEvaluations. See updated README.md for full details,
but includes:\n\n* Consolidation of multiple vault keys to a
single\n`KIBANA_SECURITY_GEN_AI_CONFIG` key, which contains all
connectors,\nlangsmith creds and now a way to specify
`evaluatorConnectorId`.\n* Added `vault` params to both
`retrieve_secrets.js` and\n`upload_secrets.js` for specifying the vault.
Defaults to `sieam-team`\nsecrets.elastic.co for ease of use by
developers.\n* Introduces `get_commands.js` script for fetching commands
to hand off\nto either Kibana Ops for updating, or specifying config
overrides when\nmanually running BuildKite pipelines.\n* Deleted
`export_env_secrets.js` as it couldn't be used for setting env\nvars
locally for the dev testing experience.\n* Updated `connectors` as per
team discussion to include: GPT-4.1,\nClaude 3.5/3.7, and Gemini 2.5
Pro. This was a config change made by\nKibana Ops, so no code change
present. But you can confirm by running\n`retrieve_secrets.js`.\n\nAnd
finally, a much more detailed `README.md` for testing locally, on\nPR's
and CI, and the process for updating secrets. See
full\n[README.md](https://github.com/spong/kibana/blob/ci-eval-tweaks/x-pack/test/security_solution_api_integration/test_suites/genai/evaluations/README.md)\n\n\n\nExample
LangSmith Runs:\n\n* `ES|QL Generation Regression Suite`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/261dcc59-fbe7-4397-a662-ff94042f666c)\n*
`Alerts RAG Regression (Episodes 1-8)`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/bd5bba1d-97aa-4512-bce7-b09aa943c651)\n*
`Assistant Eval: Custom Knowledge`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/2d5f7c18-4bf4-4cdb-97a1-16e39a865cab)\n*
`Eval AD: All Scenarios`:
[Run\n300138](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/4690ee16-9df5-416c-8bf0-b62bc2f2aba9/compare?selectedSessions=6d44134b-6492-4f2d-9b28-6d4a82a0e9ae&baseline=undefined)\n\nNote:
there is currently a timing bug with Alerts/KB entries being\ncleaned up
before the server is complete, so you may see poor evals for\n`Alerts
RAG Regression (Episodes 1-8)` and `Assistant Eval: Custom\nKnowledge`
until that is fixed. I'll address this in a follow-up PR\nsince it is
unrelated to this
change-set.","sha":"e9a8909fad8075cee246793697d6f252e6227a44"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.19"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/219885","number":219885,"mergeCommit":{"message":"[Security
Assistant] Simplifies Security Gen AI Evaluation secret management
(elastic#219885)\n\n## Summary\n\nSimplifies secret management for running the
Security Gen AI\nEvaluations. See updated README.md for full details,
but includes:\n\n* Consolidation of multiple vault keys to a
single\n`KIBANA_SECURITY_GEN_AI_CONFIG` key, which contains all
connectors,\nlangsmith creds and now a way to specify
`evaluatorConnectorId`.\n* Added `vault` params to both
`retrieve_secrets.js` and\n`upload_secrets.js` for specifying the vault.
Defaults to `sieam-team`\nsecrets.elastic.co for ease of use by
developers.\n* Introduces `get_commands.js` script for fetching commands
to hand off\nto either Kibana Ops for updating, or specifying config
overrides when\nmanually running BuildKite pipelines.\n* Deleted
`export_env_secrets.js` as it couldn't be used for setting env\nvars
locally for the dev testing experience.\n* Updated `connectors` as per
team discussion to include: GPT-4.1,\nClaude 3.5/3.7, and Gemini 2.5
Pro. This was a config change made by\nKibana Ops, so no code change
present. But you can confirm by running\n`retrieve_secrets.js`.\n\nAnd
finally, a much more detailed `README.md` for testing locally, on\nPR's
and CI, and the process for updating secrets. See
full\n[README.md](https://github.com/spong/kibana/blob/ci-eval-tweaks/x-pack/test/security_solution_api_integration/test_suites/genai/evaluations/README.md)\n\n\n\nExample
LangSmith Runs:\n\n* `ES|QL Generation Regression Suite`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/261dcc59-fbe7-4397-a662-ff94042f666c)\n*
`Alerts RAG Regression (Episodes 1-8)`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/bd5bba1d-97aa-4512-bce7-b09aa943c651)\n*
`Assistant Eval: Custom Knowledge`:
[Run\n298372](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/2d5f7c18-4bf4-4cdb-97a1-16e39a865cab)\n*
`Eval AD: All Scenarios`:
[Run\n300138](https://smith.langchain.com/o/b739bf24-7ba4-4994-b632-65dd677ac74e/datasets/4690ee16-9df5-416c-8bf0-b62bc2f2aba9/compare?selectedSessions=6d44134b-6492-4f2d-9b28-6d4a82a0e9ae&baseline=undefined)\n\nNote:
there is currently a timing bug with Alerts/KB entries being\ncleaned up
before the server is complete, so you may see poor evals for\n`Alerts
RAG Regression (Episodes 1-8)` and `Assistant Eval: Custom\nKnowledge`
until that is fixed. I'll address this in a follow-up PR\nsince it is
unrelated to this
change-set.","sha":"e9a8909fad8075cee246793697d6f252e6227a44"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Garrett Spong <[email protected]>

Author: kibanamachine

.buildkite/scripts/common/setup_job_env.sh

@@ -144,8 +144,7 @@ EOF
 {
   if [[ "${FTR_SECURITY_GEN_AI:-}" =~ ^(1|true)$ ]]; then
     echo "FTR_SECURITY_GEN_AI was set - exposing LLM connectors"
-    export KIBANA_SECURITY_TESTING_AI_CONNECTORS="$(vault_get security-gen-ai/connectors config)"
-    export KIBANA_SECURITY_TESTING_LANGSMITH_KEY="$(vault_get security-gen-ai/langsmith key)"
+    export KIBANA_SECURITY_GEN_AI_CONFIG="$(vault_get security-gen-ai config)"
   fi
 }
 

x-pack/test/security_solution_api_integration/.gitignore

@@ -1,2 +1,3 @@
 connector_config.json
 langsmith_key.txt
+config.json

x-pack/test/security_solution_api_integration/scripts/genai/vault/export_env_secrets.js

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+require('@kbn/babel-register').install();
+const { getCommand } = require('./manage_secrets');
+const minimist = require('minimist');
+
+/**
+ * Gets a command for working with Security Gen AI secrets either as a vault write command or environment variable.
+ * By default, the command is formatted as a 'vault-write' command, but it can be overridden with the --format parameter
+ * to use 'env-var' format.
+ *
+ * @returns {Promise<void>}
+ */
+async function run() {
+  const argv = minimist(process.argv.slice(2));
+  const format = argv.format || 'vault-write';
+  const vault = argv.vault || 'ci-prod';
+
+  if (format !== 'vault-write' && format !== 'env-var') {
+    console.error('Error: format parameter must be either "vault-write" or "env-var"');
+    process.exit(1);
+  }
+
+  if (format === 'vault-write' && vault !== 'siem-team' && vault !== 'ci-prod') {
+    console.error('Error: vault parameter must be either "siem-team" or "ci-prod"');
+    process.exit(1);
+  }
+
+  console.log(await getCommand(format, vault));
+}
+
+run();

x-pack/test/security_solution_api_integration/scripts/genai/vault/get_command.js

@@ -11,36 +11,42 @@ import { writeFile, readFile } from 'fs/promises';
 import { REPO_ROOT } from '@kbn/repo-info';
 import { schema } from '@kbn/config-schema';
 
-const SECURITY_GEN_AI_CONNECTORS_ENV_VAR = 'KIBANA_SECURITY_TESTING_AI_CONNECTORS';
-const SECURITY_GEN_AI_LANGSMITH_KEY_ENV_VAR = 'KIBANA_SECURITY_TESTING_LANGSMITH_KEY';
-
-// siem-team secrets discussed w/ operations and we will mirror them here
-// const SECURITY_GEN_AI_VAULT = 'secret/siem-team/security-gen-ai';
-
-// CI Vault
-const SECURITY_GEN_AI_VAULT = 'secret/ci/elastic-kibana/security-gen-ai';
-const SECURITY_GEN_AI_VAULT_CONNECTORS = `${SECURITY_GEN_AI_VAULT}/connectors`;
-const SECURITY_GEN_AI_VAULT_LANGSMITH = `${SECURITY_GEN_AI_VAULT}/langsmith`;
-const SECURITY_GEN_AI_CONNECTORS_FIELD = 'config';
-const SECURITY_GEN_AI_LANGSMITH_FIELD = 'key';
-const CONNECTOR_FILE = Path.join(
-  REPO_ROOT,
-  'x-pack/test/security_solution_api_integration/scripts/genai/vault/connector_config.json'
-);
-const LANGSMITH_FILE = Path.join(
+// Environment variable set within BuildKite and read from in FTR tests
+// CI env vars are set by .buildkite/scripts/common/setup_job_env.sh
+const KIBANA_SECURITY_GEN_AI_CONFIG = 'KIBANA_SECURITY_GEN_AI_CONFIG';
+
+// Vault paths
+// siem-team users (secrets.elastic.co vault) do not have access to the ci-prod vault, so secrets
+// are mirrored between the two vaults
+type VaultType = 'siem-team' | 'ci-prod';
+const VAULT_PATHS: Record<VaultType, string> = {
+  'siem-team': 'secret/siem-team/security-gen-ai',
+  'ci-prod': 'secret/ci/elastic-kibana/security-gen-ai',
+};
+
+const getVaultPath = (vault: VaultType = 'siem-team') => {
+  return VAULT_PATHS[vault];
+};
+
+const SECURITY_GEN_AI_CONFIG_FIELD = 'config';
+const SECURITY_GEN_AI_CONFIG_FILE = Path.join(
   REPO_ROOT,
-  'x-pack/test/security_solution_api_integration/scripts/genai/vault/langsmith_key.txt'
+  'x-pack/test/security_solution_api_integration/scripts/genai/vault/config.json'
 );
 
-const connectorsSchema = schema.recordOf(
-  schema.string(),
-  schema.object({
-    name: schema.string(),
-    actionTypeId: schema.string(),
-    config: schema.recordOf(schema.string(), schema.any()),
-    secrets: schema.recordOf(schema.string(), schema.any()),
-  })
-);
+const configSchema = schema.object({
+  evaluatorConnectorId: schema.string(),
+  langsmithKey: schema.string(),
+  connectors: schema.recordOf(
+    schema.string(),
+    schema.object({
+      name: schema.string(),
+      actionTypeId: schema.string(),
+      config: schema.recordOf(schema.string(), schema.any()),
+      secrets: schema.recordOf(schema.string(), schema.any()),
+    })
+  ),
+});
 
 export interface AvailableConnector {
   name: string;
@@ -49,50 +55,75 @@ export interface AvailableConnector {
   secrets: Record<string, unknown>;
 }
 
-export const retrieveFromVault = async (
-  vault: string,
-  filePath: string,
-  field: string,
-  isJson = true
-) => {
+/**
+ * Retrieve generic value from vault and write to file
+ *
+ * @param vault
+ * @param filePath
+ * @param field
+ */
+export const retrieveFromVault = async (vault: string, filePath: string, field: string) => {
   const { stdout } = await execa('vault', ['read', `-field=${field}`, vault], {
     cwd: REPO_ROOT,
     buffer: true,
   });
 
   const value = Buffer.from(stdout, 'base64').toString('utf-8').trim();
-  const config = isJson ? JSON.stringify(JSON.parse(value), null, 2) : value;
+  const config = JSON.stringify(JSON.parse(value), null, 2);
 
   await writeFile(filePath, config);
 
   // eslint-disable-next-line no-console
-  console.log(`Config dumped into ${filePath}`);
+  console.log(`Config written to: ${filePath}`);
 };
 
-export const retrieveConnectorConfig = async () => {
-  await retrieveFromVault(
-    SECURITY_GEN_AI_VAULT_CONNECTORS,
-    CONNECTOR_FILE,
-    SECURITY_GEN_AI_CONNECTORS_FIELD
-  );
-};
-
-export const retrieveLangsmithKey = async () => {
+/**
+ * Retrieve Security Gen AI secrets config from vault and write to file
+ * @param vault
+ */
+export const retrieveConfigFromVault = async (vault: VaultType = 'siem-team') => {
   await retrieveFromVault(
-    SECURITY_GEN_AI_VAULT_LANGSMITH,
-    LANGSMITH_FILE,
-    SECURITY_GEN_AI_LANGSMITH_FIELD,
-    false
+    getVaultPath(vault),
+    SECURITY_GEN_AI_CONFIG_FILE,
+    SECURITY_GEN_AI_CONFIG_FIELD
   );
 };
 
-export const formatCurrentConfig = async (filePath: string) => {
-  const config = await readFile(filePath, 'utf-8');
+/**
+ * Returns command for manually working with secrets from `config.json`.
+ * Format can be either 'vault-write' (for vault command) or 'env-var' (for environment variable).
+ * Run this command and share with @kibana-ops via https://p.elstc.co to make updating secrets easier, or for pasting
+ * custom configs into the BuildKite pipeline: https://buildkite.com/elastic/kibana-ess-security-solution-gen-ai-evals
+
+ * Alternatively, have @kibana-ops run the following to update the secrets for CI:
+ *
+ * node retrieve_secrets.js --vault siem-team
+ * node upload_secrets.js --vault ci-prod
+ *
+ * @param format - The format of the command to return ('vault-write' or 'env-var')
+ * @param vault - The vault to use (only applicable for 'vault-write' format)
+ */
+export const getCommand = async (
+  format: 'vault-write' | 'env-var' = 'vault-write',
+  vault: VaultType = 'ci-prod'
+) => {
+  const config = await readFile(SECURITY_GEN_AI_CONFIG_FILE, 'utf-8');
   const asB64 = Buffer.from(config).toString('base64');
-  // eslint-disable-next-line no-console
-  console.log(asB64);
+
+  if (format === 'vault-write') {
+    return `vault write ${getVaultPath(vault)} ${SECURITY_GEN_AI_CONFIG_FIELD}=${asB64}`;
+  } else {
+    return `${KIBANA_SECURITY_GEN_AI_CONFIG}=${asB64}`;
+  }
 };
 
+/**
+ * Write generic value to vault from a file
+ *
+ * @param vault
+ * @param filePath
+ * @param field
+ */
 export const uploadToVault = async (vault: string, filePath: string, field: string) => {
   const config = await readFile(filePath, 'utf-8');
   const asB64 = Buffer.from(config).toString('base64');
@@ -103,69 +134,35 @@ export const uploadToVault = async (vault: string, filePath: string, field: stri
   });
 };
 
-export const uploadConnectorConfigToVault = async () => {
-  await uploadToVault(
-    SECURITY_GEN_AI_VAULT_CONNECTORS,
-    CONNECTOR_FILE,
-    SECURITY_GEN_AI_CONNECTORS_FIELD
-  );
-};
-
-export const uploadLangsmithKeyToVault = async () => {
+/**
+ * Read Security Gen AI secrets from `config.json` and upload to vault
+ * @param vault
+ */
+export const uploadConfigToVault = async (vault: VaultType = 'siem-team') => {
   await uploadToVault(
-    SECURITY_GEN_AI_VAULT_LANGSMITH,
-    LANGSMITH_FILE,
-    SECURITY_GEN_AI_LANGSMITH_FIELD
+    getVaultPath(vault),
+    SECURITY_GEN_AI_CONFIG_FILE,
+    SECURITY_GEN_AI_CONFIG_FIELD
   );
 };
 
 /**
- * FOR LOCAL USE ONLY! Export connectors and langsmith secrets from vault to env vars before manually
- * running evaluations. CI env vars are set by .buildkite/scripts/common/setup_job_env.sh
+ * Returns parsed config from environment variable
  */
-export const exportToEnvVars = async () => {
-  const { stdout: connectors } = await execa(
-    'vault',
-    ['read', `-field=${SECURITY_GEN_AI_CONNECTORS_FIELD}`, SECURITY_GEN_AI_VAULT_CONNECTORS],
-    {
-      cwd: REPO_ROOT,
-      buffer: true,
-    }
-  );
-  const { stdout: langsmithKey } = await execa(
-    'vault',
-    ['read', `-field=${SECURITY_GEN_AI_LANGSMITH_FIELD}`, SECURITY_GEN_AI_VAULT_LANGSMITH],
-    {
-      cwd: REPO_ROOT,
-      buffer: true,
-    }
-  );
-  process.env[SECURITY_GEN_AI_CONNECTORS_ENV_VAR] = connectors;
-  process.env[SECURITY_GEN_AI_LANGSMITH_KEY_ENV_VAR] = langsmithKey;
-};
-
-export const loadConnectorsFromEnvVar = (): Record<string, AvailableConnector> => {
-  const connectorsValue = process.env[SECURITY_GEN_AI_CONNECTORS_ENV_VAR];
-  if (!connectorsValue) {
-    return {};
+export const getSecurityGenAIConfigFromEnvVar = () => {
+  const configValue = process.env[KIBANA_SECURITY_GEN_AI_CONFIG];
+  if (!configValue) {
+    throw new Error(`Environment variable ${KIBANA_SECURITY_GEN_AI_CONFIG} does not exist!`);
   }
 
-  let connectors: Record<string, AvailableConnector>;
+  let config: typeof configSchema;
   try {
-    connectors = JSON.parse(Buffer.from(connectorsValue, 'base64').toString('utf-8'));
+    config = JSON.parse(Buffer.from(configValue, 'base64').toString('utf-8'));
   } catch (e) {
     throw new Error(
-      `Error trying to parse value from ${SECURITY_GEN_AI_CONNECTORS_ENV_VAR} environment variable: ${e.message}`
+      `Error trying to parse value from ${KIBANA_SECURITY_GEN_AI_CONFIG} environment variable: ${e.message}`
     );
   }
-  return connectorsSchema.validate(connectors);
-};
-
-export const loadLangSmithKeyFromEnvVar = (): string | undefined => {
-  const langsmithKeyValue = process.env[SECURITY_GEN_AI_LANGSMITH_KEY_ENV_VAR];
-  if (!langsmithKeyValue) {
-    return undefined;
-  }
 
-  return Buffer.from(langsmithKeyValue, 'base64').toString('utf-8').trim();
+  return configSchema.validate(config);
 };

x-pack/test/security_solution_api_integration/scripts/genai/vault/manage_secrets.ts

@@ -6,11 +6,27 @@
  */
 
 require('@kbn/babel-register').install();
-const { retrieveConnectorConfig, retrieveLangsmithKey } = require('./manage_secrets');
+const { retrieveConfigFromVault } = require('./manage_secrets');
+const minimist = require('minimist');
 
-async function retrieveConfigs() {
-  await retrieveConnectorConfig();
-  await retrieveLangsmithKey();
+/**
+ * Retrieves Security Gen AI secrets for testing from vault. By default, the 'siem-team' accessible
+ * vault from secrets.elastic.co is used, but it can be overridden with the --vault parameter to use
+ * the 'ci-prod' vault.
+ *
+ * @returns {Promise<void>}
+ */
+async function retrieveSecrets() {
+  const argv = minimist(process.argv.slice(2));
+  const vault = argv.vault || 'siem-team';
+
+  if (vault !== 'siem-team' && vault !== 'ci-prod') {
+    console.error('Error: vault parameter must be either "siem-team" or "ci-prod"');
+    process.exit(1);
+  }
+
+  console.log(`Using ${vault} vault...`);
+  await retrieveConfigFromVault(vault);
 }
 
-retrieveConfigs();
+retrieveSecrets();

x-pack/test/security_solution_api_integration/scripts/genai/vault/retrieve_secrets.js

@@ -6,12 +6,27 @@
  */
 
 require('@kbn/babel-register').install();
+const { uploadConfigToVault } = require('./manage_secrets');
+const minimist = require('minimist');
 
-const { uploadConnectorConfigToVault, uploadLangsmithKeyToVault } = require('./manage_secrets');
+/**
+ * Uploads Security Gen AI secrets for testing from local `config.json` to vault. By default, the 'siem-team' accessible
+ * vault from secrets.elastic.co is used, but it can be overridden with the --vault parameter to use the 'ci-prod' vault.
+ *
+ * @returns {Promise<void>}
+ */
+async function uploadSecrets() {
+  const argv = minimist(process.argv.slice(2));
+  const vault = argv.vault || 'siem-team';
+
+  if (vault !== 'siem-team' && vault !== 'ci-prod') {
+    console.error('Error: vault parameter must be either "siem-team" or "ci-prod"');
+    process.exit(1);
+  }
 
-async function uploadConfigs() {
-  await uploadConnectorConfigToVault();
-  await uploadLangsmithKeyToVault();
+  console.log(`Using ${vault} vault...`);
+  await uploadConfigToVault(vault);
+  console.log(`Secret upload complete!`);
 }
 
-uploadConfigs();
+uploadSecrets();