Secret stores are the foundation of how secrets are securely defined, managed, and consumed across the Platform and PAA deployments. Once a store is created, it can be used by services such as POP, PDP, or PIP data sources to retrieve credentials at Runtime, eliminating the need to hardcode sensitive information in configuration files.
From within the Platform, you can:
- Create and configure new secret stores for supported providers (e.g., HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault).
- Edit existing stores to update details such as authentication methods or usage settings.
- Delete stores that are no longer required.
- Reference secrets from a store so that connections (such as POP connections in Orchestration) use secure credentials fetched from the customer's Secret Provider.
The following sections provide step-by-step instructions for creating, editing, and deleting secret stores, as well as using them with supported services.
To learn more about Secret Stores and how to configure them, refer to Configuring Secret Stores.
For more details revolving around the technical aspects of the Secret Management capability, refer to Secret Management Configuration.
Managing Secret Stores
The following steps provide a high-level workflow for defining and using secret stores within the platform.
Creating a Secret Store
To create a Secret Store:
- In your Environment Navigation bar, select the relevant Environment.
- Click on Environment Settings.
- Click on Secret Stores.
- Click on New Store.
- In the General section, input a Store ID and optional Description.
- In the Type and Usage section, choose a store type (e.g., HashiCorp Vault, Azure Key Vault, or AWS RDS IAM/Secrets Manager) and set whether the store utilizes Cloud Platform or PAAs.
- Fill out the Additional Details and Authentication sections according to the guide in Configuring Store Types.
Authentication to Secret Store Provider
Authentication to the Secret Store must be set up so that, at Runtime, the provider can be reached and secrets can be retrieved. To set up the Store Provider's credentials securely, the store's credential field(s) must be populated using a reference to a secret key:
- For Cloud-used stores, enter the credentials directly; they are stored securely in the PlainID Internal Cloud Vault.
- For PAA-managed stores, configure a reference to a secret key that holds the required sensitive credentials:
  - Option 1: Environment Variable Reference. Use the predefined Environment Variable pattern `storeId=ENV_VAR` with a secret key referring to an Environment Variable defined in the PAA SM configuration.
    - Environment Variables must follow the pattern: ENV_VAR_<some_env_var_name>
    - Example: {{storeId=ENV_VAR,key=ENV_VAR_CredsOfAKV1}}
  - Option 2: Store Reference. Define a secret key that references another store using the template: {{storeId=<storeID>,key=<secretKeyName>}}
    - Example: You can reference another store manually defined in the PAA SM configuration that holds credentials for other stores: {{storeId=AWS_Dev,key=CredsOfAKV1}}
    - This type of nested reference can be applied up to three levels deep.
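The following is an added illustration (not PlainID's own code) of how a PAA-side resolver could validate and follow the reference syntax above: it parses the `{{storeId=...,key=...}}` template, enforces the `ENV_VAR_<name>` naming rule for environment references, and refuses store-to-store chains deeper than three levels. The store contents and environment variables are constructed sample data.

```python
import re

# Reference template from the documentation: {{storeId=<storeID>,key=<secretKeyName>}}
REF_RE = re.compile(r"^\{\{storeId=(?P<store>[^,}]+),key=(?P<key>[^,}]+)\}\}$")
# Environment-variable keys must follow ENV_VAR_<some_env_var_name>
ENV_KEY_RE = re.compile(r"^ENV_VAR_[A-Za-z0-9_]+$")
MAX_DEPTH = 3  # nested store references are allowed up to three levels deep

# Constructed stand-ins for stores defined in the PAA SM configuration
# and for the PAA process environment (not real credentials).
SAMPLE_STORES = {
    "AWS_Dev": {
        "CredsOfAKV1": "akv-client-secret-SAMPLE",
        "Nested": "{{storeId=AWS_Dev,key=CredsOfAKV1}}",
    },
    "Vault_Prod": {
        "Hop": "{{storeId=AWS_Dev,key=Nested}}",          # 3 levels to a literal
        "TooDeep": "{{storeId=Vault_Prod,key=Hop}}",      # 4 levels: rejected
    },
}
SAMPLE_ENV = {"ENV_VAR_CredsOfAKV1": "env-client-secret-SAMPLE"}


def parse_reference(value):
    """Return (storeId, key) if value is a secret-key reference, else None."""
    m = REF_RE.match(value.strip())
    return (m.group("store"), m.group("key")) if m else None


def resolve_secret(value, stores, env, depth=1):
    """Resolve a credential field to its secret, following nested references.

    A literal (non-reference) value is returned unchanged. ENV_VAR references
    read the named environment variable; store references are followed
    recursively, and chains longer than MAX_DEPTH raise ValueError.
    """
    ref = parse_reference(value)
    if ref is None:
        return value  # literal credential, nothing to resolve
    if depth > MAX_DEPTH:
        raise ValueError(f"reference nesting exceeds {MAX_DEPTH} levels: {value}")
    store_id, key = ref
    if store_id == "ENV_VAR":
        if not ENV_KEY_RE.match(key):
            raise ValueError(f"key must match ENV_VAR_<some_env_var_name>: {key}")
        if key not in env:
            raise KeyError(f"environment variable {key} is not defined for the PAA")
        return env[key]
    if store_id not in stores or key not in stores[store_id]:
        raise KeyError(f"secret key {key} not found in store {store_id}")
    return resolve_secret(stores[store_id][key], stores, env, depth + 1)
```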
Editing a Secret Store
To edit a Secret Store:
- In your Environment Navigation bar, select the relevant Environment.
- Click on Environment Settings.
- Click on Secret Stores.
- Select the Secret Store you wish to edit.
- Click on Edit on the top right.
- Edit the relevant fields.
- Click Save.
Deleting a Secret Store
To delete a Secret Store:
- In your Environment Navigation bar, select the relevant Environment.
- Click on Environment Settings.
- Click on Secret Stores.
- Hover over the Secret Store you wish to delete.
- Click on the trash icon.
- A confirmation prompt appears. Click Delete.
Before deleting a Secret Store, ensure it is no longer referenced by any configuration, so that dependent services keep running without interruption.
POP Integration with Secret Stores
When configuring services, like POP connections, you can choose between two options:
- Setting up your POP connection credentials and utilizing the PlainID Internal Cloud Vault.
- Choosing a Managed Store and referencing Secret Keys that hold your sensitive credentials in your secured secret provider.
After choosing a Store from the list, if you chose to utilize a managed store, you are required to reference a Secret Key for any sensitive credentials field, such as Client Secret, Private Key, etc. The secret is securely retrieved when required.
Refer to the following articles to learn how to add a Secret Store to your POP.
- Snowflake Setup
- Databricks
- Power BI Setup