Secret Providers
Connect Provenance to external secrets managers — AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and HashiCorp Vault.
Secret providers are connections to external secrets managers. You configure a provider connection once with the necessary credentials, then reference it when creating secrets that should be fetched from that provider at runtime.
Supported providers
| Provider | Type key | SDK required | Auth method |
|---|---|---|---|
| AWS Secrets Manager | aws-sm | @aws-sdk/client-secrets-manager | Access key or IAM role |
| Azure Key Vault | azure-kv | @azure/keyvault-secrets + @azure/identity | Client credentials or managed identity |
| GCP Secret Manager | gcp-sm | @google-cloud/secret-manager | Service account JSON or default credentials |
| HashiCorp Vault | vault | None (uses HTTP API) | Vault token |
All cloud SDKs are declared as optional dependencies in the Provenance API. npm install attempts to install them; if one fails to install or build on a particular platform, the server still starts and only the provider that needs that SDK is unavailable until it is installed.
Creating a provider connection
Via the UI
Navigate to Settings → Secret Providers and click + New Connection.
- Enter a connection name (e.g. "Production AWS", "Staging Vault")
- Select the provider type
- Fill in the provider-specific configuration fields
- Optionally add a description
- Click Create
Sensitive fields (access keys, tokens, client secrets) are encrypted before storage with the same AES-256-GCM encryption, under the same SECRETS_MASTER_KEY, as Provenance-stored secrets (see Self-hosted setup).
Via the API
POST /api/secret-providers

```json
{
  "name": "Production AWS",
  "type": "aws-sm",
  "config": {
    "region": "eu-west-1",
    "accessKeyId": "AKIA...",
    "secretAccessKey": "..."
  },
  "description": "Production AWS account"
}
```

Provider configuration
AWS Secrets Manager
| Field | Required | Description |
|---|---|---|
| Region | Yes | AWS region (e.g. eu-west-1) |
| Access Key ID | No | IAM access key. Omit to use IAM role / default credentials |
| Secret Access Key | No | IAM secret key. Required if Access Key ID is set |
Secret path format: The secret name or ARN in AWS Secrets Manager.

```
my-app/api-keys → fetches the full secret string
arn:aws:secretsmanager:eu-west-1:123456:secret:my-secret
```

If the secret value is JSON and you need a specific key, configure jsonKey in the per-secret provider config:

POST /api/secrets

```json
{
  "secretPath": "stripe.apiKey",
  "provider": "aws-sm",
  "providerPath": "prod/stripe",
  "secretProviderId": "...",
  "providerConfig": { "jsonKey": "api_key" }
}
```

Azure Key Vault
| Field | Required | Description |
|---|---|---|
| Vault URL | Yes | https://my-vault.vault.azure.net |
| Tenant ID | No | Azure AD tenant. Omit for managed identity |
| Client ID | No | App registration client ID |
| Client Secret | No | App registration secret. Required if Client ID is set |
Secret path format: The secret name in Key Vault (not the full URL).
```
my-api-key
database-password
```

GCP Secret Manager
| Field | Required | Description |
|---|---|---|
| Project ID | Yes | GCP project ID (e.g. my-project-123) |
| Service Account JSON | No | Full service account key JSON. Omit for default credentials |
Secret path format: Either the short name or the full resource path.
```
my-secret → auto-expands to projects/{projectId}/secrets/my-secret/versions/latest
projects/my-project/secrets/my-secret/versions/latest → used as-is
projects/my-project/secrets/my-secret/versions/3 → specific version
```

HashiCorp Vault
| Field | Required | Description |
|---|---|---|
| Vault URL | Yes | https://vault.example.com |
| Vault Token | Yes | Authentication token (hvs.xxx) |
| Namespace | No | Vault namespace (enterprise feature) |
Secret path format: The Vault KV path. For KV v2, the /data/ segment is auto-inserted if missing.
```
secret/data/my-app/api-key → used as-is (KV v2 explicit)
secret/my-app/api-key → auto-converted to secret/data/my-app/api-key
```

If the secret contains multiple keys, use jsonKey to extract a specific one:

POST /api/secrets

```json
{
  "secretPath": "db.password",
  "provider": "vault",
  "providerPath": "secret/data/database",
  "secretProviderId": "...",
  "providerConfig": { "jsonKey": "password" }
}
```

If jsonKey is not set and the secret has a single key, that value is returned. If it has multiple keys, the full JSON is returned as a string.
Editing connections
When editing a provider connection, sensitive fields show ••••••••. Leaving them as-is preserves the existing encrypted value. Clear the field and enter a new value to update it.
Deleting connections
A provider connection cannot be deleted if any secrets reference it. Delete or reassign the referencing secrets first. The API returns a 409 Conflict with the count of referencing secrets.
Provider types API
The GET /api/secret-providers/types endpoint returns the available provider types with their configuration schemas. This powers the dynamic form in the UI.
GET /api/secret-providers/types

```json
[
  {
    "type": "aws-sm",
    "name": "AWS Secrets Manager",
    "description": "Fetch secrets from AWS Secrets Manager at runtime",
    "configSchema": [
      { "key": "region", "label": "Region", "type": "text", "required": true },
      { "key": "accessKeyId", "label": "Access Key ID", "type": "password", "required": false, "sensitive": true },
      { "key": "secretAccessKey", "label": "Secret Access Key", "type": "password", "required": false, "sensitive": true }
    ]
  }
]
```

Self-hosted setup
For self-hosted deployments, ensure:

- Master key: Set SECRETS_MASTER_KEY in your .env file. This key encrypts both Provenance-stored secrets and provider connection credentials. Use a strong random string and back it up; losing it means losing access to all encrypted secrets.
- Cloud SDKs: The relevant cloud SDK must be installed for each provider you want to use. They're declared as optional dependencies and installed with npm install:
  - AWS: @aws-sdk/client-secrets-manager
  - Azure: @azure/keyvault-secrets + @azure/identity
  - GCP: @google-cloud/secret-manager
  - Vault: No SDK needed (uses HTTP API via fetch)
- IAM / default credentials: If you omit explicit credentials in the provider config, the SDK falls back to the environment's default credential chain (IAM roles, managed identity, application default credentials). This is the recommended approach for cloud-hosted deployments: no long-lived keys are stored in Provenance, and the runtime identity can be scoped to read only the secrets Provenance needs.