Configure Network Access and Secrets
Control outbound access, add scoped secrets, and avoid common environment-variable mistakes.
Salambo lets you manage both outbound network access and agent-scoped environment variables from the agent detail page.
Choose The Right Network Mode
The runtime supports two outbound modes:
- Restricted: only approved domains can be reached
- Open internet: any public destination can be reached
Even in open mode, some destinations stay blocked, including localhost, metadata endpoints, and private-network targets.
Restricted mode is the safer default for most production agents.
Use The Allowlist Correctly
When you use restricted mode, add only the hostnames the agent actually needs. The UI accepts hostnames and wildcard patterns such as:
api.example.com*.githubusercontent.com
Do not paste full URLs. The field expects hostnames only.
Add Environment Variables
The Environment Variables section is where you add:
- API keys
- service tokens
- non-secret runtime values
- host-scoped secrets
Secret values are encrypted at rest and can be scoped to the domains where they are allowed to be used.
Use Host Scopes For Secrets
When you add a secret, scope it to the minimum set of domains where it should be substituted. This is especially useful when:
- one agent talks to several external services
- multiple credentials exist in the same agent
- you want to reduce the blast radius of a leaked or misused secret
Reserved Variable Names
Some names are reserved for the platform and cannot be overridden. This includes system-managed prefixes and identifiers such as:
S2_*GATEWAY_*THREAD_IDPROCESS_IDAGENT_ID
If a variable name is rejected, first check whether it belongs to the reserved system namespace.
Recommended Setup Pattern
For a production agent:
- keep network mode on Restricted
- add only required domains to the allowlist
- add secrets as environment variables
- scope each secret to the domains where it should be valid
- save the network settings
- run a small smoke test through the API
Common Problems
The agent cannot reach a service
Usually either:
- the domain is missing from the allowlist
- the secret is scoped to the wrong host
- the runtime is using a different endpoint than you expected
The agent has a secret, but requests still fail
Check the host scope first. A correct secret with an incorrect host scope behaves like no secret at all.