Stores


Configuring a Secret Store

The Secret Store retrieves relevant Secrets—such as private keys, tokens, or database credentials—for use at Runtime. The Secrets Management Service supports various store integrations, allowing multiple Secret Stores to be defined in a single configuration. This flexibility enables you to source Secrets from different providers based on their intended use or target environment.

Each configured store must include a unique id, which is later referenced when defining how and where a Secret is used. You can define one store as the default, or specify the store explicitly for each Secret.

Refer to the individual Secret Store pages for store-specific parameters and examples. The parameters common to every store type are described below.


General Store Parameters

The following example shows how to define one or more Secret Stores in your configuration. Each store is defined under the top-level secretStore section.

secretStore:
  - id: vault
    type: Vault
    isDefault: true
    details:
      defaultPath: vault_
      skipVerify: true
      url: vault
      timeout: 3s
      enginePath: custom
      pathPrefix: prefix
    auth:  # Authentication can be via Token or Kubernetes
      method: Token  # Token, Kubernetes
      tokenValue: token
      # tokenFileName: ${ VAULT_TOKEN }  # Optional alternative to tokenValue
    # Alternative: Kubernetes authentication
    # auth:
    #   method: Kubernetes
    #   path: /var/path-to-file/file.txt
    #   role: secrets-mgmt

Parameter Reference

The table below describes the common parameters used when configuring a Secret Store. Store-specific parameters are defined under the details object and vary by store type.

Parameter | Value | Description
--- | --- | ---
id | vault | A unique identifier for the Secret Store. This ID is used when referencing the store in other configuration blocks.
type | Vault | The type of Secret Store. Supported types: Vault, AWSRDSIAMAuth, AWSSecretsManager, AzureKeyVault, Environment, File.
isDefault | true | Indicates whether this store should be used as the default. If multiple Secret Stores are configured, the default is used when a store is not explicitly specified. If no store is marked as default, or if more than one is, the first listed store is used as the default.
Decoder | none | Optional. The decoder to use when retrieving the Secret value. Supported values: Base64, None.
details | (none) | A section containing additional store-specific parameters. These vary depending on the selected type and are documented on the individual store pages.
details.defaultPath | vault_ | Optional. The default path to use when accessing Secrets in the store. This can be used as a prefix or fallback location.
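The store-selection and decoding rules above, as an added example that is not part of the Secrets Management Service or its documentation. The store list is a constructed Python structure mirroring the secretStore YAML section (a real deployment would load it with a YAML parser); validate_stores, default_store, resolve_store and decode_value are hypothetical helper names.

```python
import base64

# Constructed sample mirroring a secretStore section with three stores.
# Two stores claim isDefault, so the page's rule makes the first listed one win.
SECRET_STORES = [
    {"id": "vault", "type": "Vault", "isDefault": True,
     "details": {"defaultPath": "vault_", "url": "vault", "timeout": "3s"}},
    {"id": "env", "type": "Environment", "isDefault": True},
    {"id": "files", "type": "File", "Decoder": "Base64"},
]

SUPPORTED_TYPES = {"Vault", "AWSRDSIAMAuth", "AWSSecretsManager",
                   "AzureKeyVault", "Environment", "File"}
SUPPORTED_DECODERS = {"Base64", "None"}


def validate_stores(stores):
    """Reject missing/duplicate ids, unknown types and unknown decoders.
    Returns the store ids in configuration order."""
    seen = set()
    for store in stores:
        sid = store.get("id")
        if not sid or sid in seen:
            raise ValueError(f"store id missing or duplicated: {sid!r}")
        seen.add(sid)
        if store.get("type") not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported store type for {sid!r}: {store.get('type')!r}")
        if store.get("Decoder", "None") not in SUPPORTED_DECODERS:
            raise ValueError(f"unsupported decoder for {sid!r}: {store.get('Decoder')!r}")
    return [store["id"] for store in stores]


def default_store(stores):
    """Exactly one isDefault wins; zero or several -> first listed store."""
    defaults = [s for s in stores if s.get("isDefault")]
    return defaults[0] if len(defaults) == 1 else stores[0]


def resolve_store(stores, store_id=None):
    """An explicitly referenced store id must exist; otherwise use the default."""
    if store_id is None:
        return default_store(stores)
    for store in stores:
        if store["id"] == store_id:
            return store
    raise KeyError(f"unknown secret store {store_id!r}")


def decode_value(store, raw):
    """Apply the store's Decoder (Base64 or None) to a retrieved raw value."""
    if store.get("Decoder", "None") == "Base64":
        return base64.b64decode(raw, validate=True).decode("utf-8")
    return raw
```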