diff --git a/litellm/__init__.py b/litellm/__init__.py
index 9812de1d8..5fdc9d0fc 100644
--- a/litellm/__init__.py
+++ b/litellm/__init__.py
@@ -304,7 +304,7 @@ secret_manager_client: Optional[Any] = (
 )
 _google_kms_resource_name: Optional[str] = None
 _key_management_system: Optional[KeyManagementSystem] = None
-_key_management_settings: Optional[KeyManagementSettings] = None
+_key_management_settings: KeyManagementSettings = KeyManagementSettings()
 #### PII MASKING ####
 output_parse_pii: bool = False
 #############################################
diff --git a/litellm/proxy/_types.py b/litellm/proxy/_types.py
index f2feee8b4..4baf13b61 100644
--- a/litellm/proxy/_types.py
+++ b/litellm/proxy/_types.py
@@ -1134,6 +1134,11 @@ class KeyManagementSettings(LiteLLMBase):
 If True, virtual keys created by litellm will be stored in the secret manager
 """

+ access_mode: Literal["read_only", "write_only", "read_and_write"] = "read_only"
+ """
+ Access mode for the secret manager, when write_only will only use for writing secrets
+ """
+

 class TeamDefaultSettings(LiteLLMBase):
 team_id: str
diff --git a/litellm/secret_managers/main.py b/litellm/secret_managers/main.py
index 35274092c..5c47fbd00 100644
--- a/litellm/secret_managers/main.py
+++ b/litellm/secret_managers/main.py
@@ -198,7 +198,10 @@ def get_secret( # noqa: PLR0915
 raise ValueError("Unsupported OIDC provider")

 try:
- if litellm.secret_manager_client is not None:
+ if (
+ _should_read_secret_from_secret_manager()
+ and litellm.secret_manager_client is not None
+ ):
 try:
 client = litellm.secret_manager_client
 key_manager = "local"
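Review bot: Dropping `Optional` from `_key_management_settings` changes only the annotation; nothing in this hunk stops other code from still assigning `None` to it. The new `_should_read_secret_from_secret_manager()` in litellm/secret_managers/main.py reads `.access_mode` with no guard, so any assignment site outside this diff that can still produce `None` (not visible here, worth auditing) would cause an `AttributeError` inside `get_secret`'s `try` block whenever a client is configured. Either confirm every assignment site now yields a `KeyManagementSettings` instance, or have the helper treat `None` as the default settings. A comment on this line such as `# never None: get_secret() reads .access_mode unguarded` would record the new invariant.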
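Review bot: The attribute docstring for `access_mode` explains only `write_only` and says nothing about the default `read_only` or about `read_and_write`. This diff enforces the mode only on the read path in `get_secret`. Whether `read_only` actually prevents writes (for example, when the virtual-key storage option documented just above is enabled) is not visible here, and if it does not, the name promises a restriction the code does not provide. Suggested docstring: `Controls how litellm uses the secret manager: "read_only" reads secrets from it, "write_only" only writes secrets and skips it when reading, "read_and_write" does both.` Please also state in that docstring whether the write path checks this field.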
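Review bot: The added `and litellm.secret_manager_client is not None` is redundant, because `_should_read_secret_from_secret_manager()` already returns False when the client is unset; `if _should_read_secret_from_secret_manager():` expresses the same condition. More relevant for operators, in `write_only` mode the lookup now silently skips the secret manager and takes whatever branch follows this `if`, which lies outside the hunk (presumably a non-manager lookup such as the environment). A comment here, e.g. `# write_only: skip the secret manager and fall through to the non-manager lookup`, would make that change of secret source explicit. `get_secret`'s body starts and ends outside this hunk.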
@@ -321,3 +324,20 @@ def get_secret( # noqa: PLR0915
 return default_value
 else:
 raise e
+
+
+def _should_read_secret_from_secret_manager() -> bool:
+ """
+ Returns True if the secret manager should be used to read the secret, False otherwise
+
+ - If the secret manager client is not set, return False
+ - If the `_key_management_settings` access mode is "read_only" or "read_and_write", return True
+ - Otherwise, return False
+ """
+ if litellm.secret_manager_client is not None:
+ if (
+ litellm._key_management_settings.access_mode == "read_only"
+ or litellm._key_management_settings.access_mode == "read_and_write"
+ ):
+ return True
+ return False
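Review bot: The nested `if` in `_should_read_secret_from_secret_manager` spells out the allowed modes as two separate comparisons, so adding a mode later means editing a multi-line condition. A single membership test keeps the allow-list in one place: `return litellm.secret_manager_client is not None and litellm._key_management_settings.access_mode in ("read_only", "read_and_write")`. No test in this diff covers the three modes; a case asserting that `write_only` returns False while a client is set would pin the behaviour that `get_secret` now depends on.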