Secret Vault

A Secret Vault is Polysync's pointer to an external secret manager. It holds the configuration needed to read credentials at runtime; Polysync never copies the secret material itself, it only resolves references on demand.

Supported providers

Provider                      Typical authentication options
Azure Key Vault               Polysync Service Principal, Managed Identity, Service Principal, Certificate, Default Credential
AWS Secrets Manager           Access Key, Role ARN (AssumeRole)
Google Cloud Secret Manager   Service Account Key, Default Credentials, Workload Identity Federation, Impersonated Service Account
HashiCorp Vault               Token, AppRole, Username/Password

Setup checklist

  1. Pick a vault provider — see the provider-specific topics for the exact attributes and recommended authentication.
  2. Choose an authentication method. Prefer credential-free options (Polysync SP, Managed Identity, Workload Identity Federation, Role ARN) wherever they are available.
  3. Provide the required attribute values (vault URL/name, project id, …).
  4. Test connectivity before linking the vault to a Platform.

How Platforms reference vault secrets

When you create a Platform that needs a secret (for example, a Service Principal client secret), the Platform editor lets you point an attribute at a vault://<vault-name>/<secret-name> reference. At runtime the resolver fetches the value through the vault provider and substitutes it into the Platform configuration. Secrets are never persisted in clear text.
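
The resolution step described above, as an added illustration that is not Polysync's own code: it parses vault://<vault-name>/<secret-name> references in a Platform configuration, fetches each value through a per-vault fetch function (a constructed in-memory stand-in replaces the real provider client), substitutes it in memory only, and rejects malformed references, unknown vaults and missing secrets. The names VaultResolutionError, resolve_config and demo_fetch are assumptions for this example.

```python
import re
from typing import Callable, Dict, Mapping, Optional, Tuple

# Reference format used by the Platform editor: vault://<vault-name>/<secret-name>
_REF = re.compile(r"^vault://(?P<vault>[A-Za-z0-9_.-]+)/(?P<secret>[A-Za-z0-9_./-]+)$")


class VaultResolutionError(Exception):
    """Raised when a reference cannot be resolved; the message never carries secret material."""


def parse_ref(value: str) -> Optional[Tuple[str, str]]:
    """Return (vault_name, secret_name) for a vault:// reference, None for a literal value."""
    if not isinstance(value, str) or not value.startswith("vault://"):
        return None
    m = _REF.match(value)
    if m is None:
        raise VaultResolutionError(f"malformed vault reference: {value!r}")
    return m.group("vault"), m.group("secret")


def resolve_config(config: Mapping[str, str],
                   vaults: Mapping[str, Callable[[str], str]]) -> Dict[str, str]:
    """Replace every vault:// reference with the value fetched from the named vault.
    `vaults` maps a vault name to a fetch function (the provider client). The result
    is for in-memory use by the running Platform and must never be written to disk."""
    resolved: Dict[str, str] = {}
    for key, value in config.items():
        ref = parse_ref(value)
        if ref is None:
            resolved[key] = value          # literal attribute, passed through unchanged
            continue
        vault_name, secret_name = ref
        fetch = vaults.get(vault_name)
        if fetch is None:
            raise VaultResolutionError(f"{key}: unknown vault {vault_name!r}")
        try:
            resolved[key] = fetch(secret_name)
        except KeyError:
            raise VaultResolutionError(f"{key}: secret {secret_name!r} not found in {vault_name!r}") from None
    return resolved


def redact(config: Mapping[str, str], resolved: Mapping[str, str]) -> Dict[str, str]:
    """Log-safe view of a resolved config: every attribute that came from a vault is masked."""
    return {k: ("***" if parse_ref(config[k]) else v) for k, v in resolved.items()}


# Constructed stand-in for a real provider client (hypothetical data, not a Polysync API).
_DEMO_STORE = {"prod-kv": {"sp-client-secret": "s3cr3t-value"}}


def demo_fetch(vault_name: str) -> Callable[[str], str]:
    return lambda secret: _DEMO_STORE[vault_name][secret]
```

Calling redact() on the resolved dictionary gives a view that is safe to log, because the values substituted from a vault reference are replaced by a mask while literal attributes remain readable.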

Best practices

  • One vault per environment (dev / staging / prod) to keep blast radius small.
  • Use the same vault for related Platforms so rotation is centralised.
  • Rotate secrets according to the provider's guidance and update the reference — Platforms automatically pick up the new value on next call.