
# Secrets Management

> Secure storage for API keys, credentials, and sensitive configuration

## What is Secrets Management?

VantEdge provides secure, encrypted storage for sensitive information like API keys, database passwords, and service credentials. Secrets are stored in cloud-native secret managers (AWS Secrets Manager, GCP Secret Manager) and automatically injected into your deployments.

## Key Features

**🔒 Cloud-Native Security**\
Secrets stored in your cloud provider's managed services with encryption at rest and in transit. No secrets stored on VantEdge infrastructure.

**👥 Role-Based Access**\
Workspace-level isolation with granular permissions. Only admins and owners can retrieve secret values—members can create and reference secrets without seeing actual values.

**🔄 Automatic Injection**\
Secrets automatically injected into agent deployments, model containers, and applications as environment variables or mounted files.

**📊 Complete Audit Trail**\
Every secret access, creation, and modification is logged for compliance and security monitoring.

## Secret Types

**API Tokens**\
Service-specific API keys for OpenAI, HuggingFace, Anthropic, and other platforms.

**Database Credentials**\
Connection strings, passwords, and authentication details for PostgreSQL, MongoDB, Redis, and other data stores.

**Service Credentials**\
OAuth tokens, JWT secrets, and other service authentication credentials.

**Generic Secrets**\
Any sensitive configuration values, encryption keys, or custom credentials.

## Creating Secrets

```yaml
# Example secret configuration
name: "openai-api-key"
type: "api-token"
value: "sk-proj-..."
description: "OpenAI API key for GPT-4 models"
workspace: "production"
```

Secrets are created through the platform UI or API and immediately encrypted in your cloud provider's secret manager.

## Using Secrets in Deployments

**Environment Variables**

```yaml
# Automatic injection into containers
env:
  - name: OPENAI_API_KEY
    valueFrom:
      secretKeyRef:
        name: openai-api-key

  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: postgres-connection
```

**File Mounts**

```yaml
# Mount secrets as files
volumes:
  - name: api-credentials
    secret:
      secretName: service-account-key
volumeMounts:
  - name: api-credentials
    mountPath: /etc/secrets
    readOnly: true
```

Deployments automatically receive the latest secret values without manual updates.
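The consuming side of the two injection shapes above, as an added example that is not VantEdge's own code: a small loader that resolves a secret from a mounted file or an environment variable, strips the trailing newline that mounted files usually carry, refuses file names that could escape the mount directory, and offers a redacted form for log lines. The variable name `OPENAI_API_KEY`, the mount path `/etc/secrets` and the file name `service-account-key` come from the page's examples; the helper names, the file-before-environment preference and the re-read-on-every-call behaviour are this example's own choices.

```python
"""Load a secret injected as an environment variable or a mounted file.

Added example, not VantEdge's own code. Assumes the injection shapes shown on
this page: an environment variable such as OPENAI_API_KEY, or a file under a
mount path such as /etc/secrets/<name>. Helper names are hypothetical.
"""
import os
from pathlib import Path
from typing import Mapping, Optional


class SecretNotFound(RuntimeError):
    """Raised when no configured source holds a non-empty value."""


def redact(value: str) -> str:
    """Log-safe form of a secret: length and last four characters only."""
    if len(value) <= 8:
        return "****"
    return f"****{value[-4:]} (len={len(value)})"


def load_secret(env_var: Optional[str] = None,
                file_name: Optional[str] = None,
                mount_path: str = "/etc/secrets",
                environ: Optional[Mapping[str, str]] = None) -> str:
    """Resolve a secret, preferring the mounted file over the environment variable.

    The file is re-read on every call, so a rotated value is picked up without a
    process restart; an environment variable is fixed when the process starts.
    Trailing newlines are stripped because mounted secret files commonly end in one.
    """
    if environ is None:
        environ = os.environ
    if file_name:
        # A bare file name only: reject anything that could leave the mount directory.
        if file_name in ("", ".", "..") or "/" in file_name or "\\" in file_name:
            raise ValueError(f"invalid secret file name: {file_name!r}")
        path = Path(mount_path) / file_name
        if path.is_file():
            value = path.read_text(encoding="utf-8").rstrip("\r\n")
            if value:
                return value
    if env_var:
        value = environ.get(env_var, "")
        if value:
            return value
    tried = [s for s in (env_var, f"{mount_path}/{file_name}" if file_name else None) if s]
    raise SecretNotFound(f"no value found in: {', '.join(tried)}")


def demo() -> dict:
    """Resolve secrets from a constructed environment and a constructed mounted file."""
    import tempfile
    environ = {"OPENAI_API_KEY": "sk-proj-constructed-0123"}  # constructed sample value
    mount = tempfile.mkdtemp(prefix="ve-secrets-")             # stands in for /etc/secrets
    (Path(mount) / "service-account-key").write_text(
        '{"client_email": "constructed"}\n', encoding="utf-8")  # constructed sample file
    return {
        "from_env": load_secret(env_var="OPENAI_API_KEY", environ=environ),
        "from_file": load_secret(file_name="service-account-key", mount_path=mount),
        "file_wins": load_secret(env_var="OPENAI_API_KEY", file_name="service-account-key",
                                 mount_path=mount, environ=environ),
        "redacted": redact(environ["OPENAI_API_KEY"]),
    }


if __name__ == "__main__":
    for source, shown in demo().items():
        # Print only redacted values; the raw secret never reaches stdout or logs.
        print(f"{source}: {redact(shown)}")
```

Call `load_secret(env_var="OPENAI_API_KEY")` for the environment-variable shape and `load_secret(file_name="service-account-key")` for the file-mount shape; pass `environ=` and `mount_path=` in tests so no real secret or system path is touched.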

## Permission Model

| Role       | Create | View List | Retrieve Values | Update | Delete |
| ---------- | ------ | --------- | --------------- | ------ | ------ |
| **Viewer** | ❌      | ✅         | ❌               | ❌      | ❌      |
| **Member** | ✅      | ✅         | ❌               | ✅      | ✅      |
| **Admin**  | ✅      | ✅         | ✅               | ✅      | ✅      |
| **Owner**  | ✅      | ✅         | ✅               | ✅      | ✅      |

**Security Features:**

* Write-only by default (values hidden after creation)
* Admin-only value retrieval prevents accidental exposure
* Complete audit logging tracks all access
* Encryption using cloud provider services

## Workspace Isolation

```
Organization: "AI Startup"
├── Workspace: "Production"
│   ├── openai-api-key (prod key)
│   ├── database-password (prod DB)
│   └── stripe-api-key (live mode)
└── Workspace: "Development"
    ├── openai-dev-key (dev key)
    ├── test-db-password (dev DB)
    └── stripe-test-key (test mode)
```

Secrets in different workspaces are completely isolated—no cross-workspace access is possible.
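A reference model of the permission table and of the workspace isolation described above, added here as an example and not VantEdge's own implementation or API: it transcribes the four roles, enforces the write-only rule (listing never returns values and only Admin and Owner can retrieve one), scopes every lookup to the caller's workspace so a Production secret is invisible from Development, and appends each call to an audit log. Recording denied calls as well as allowed ones is this example's choice; the class and method names, and the sample users and values, are constructed.

```python
"""Reference model of the secrets permission matrix and workspace isolation.

Added example, not VantEdge's own code. Role names and permitted actions are
transcribed from the permission table on this page; everything else (class
and method names, audit record shape, sample data) is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Role -> permitted actions, one entry per row of the permission table.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"list"}),
    "member": frozenset({"create", "list", "update", "delete"}),
    "admin": frozenset({"create", "list", "retrieve", "update", "delete"}),
    "owner": frozenset({"create", "list", "retrieve", "update", "delete"}),
}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    workspace: str  # the workspace the caller is acting in


@dataclass
class SecretRecord:
    name: str
    secret_type: str
    description: str
    value: str  # write-only: never included in list_secrets() output


class SecretStore:
    def __init__(self) -> None:
        # Keyed by (workspace, name): a secret is reachable only through its own workspace.
        self._secrets: Dict[Tuple[str, str], SecretRecord] = {}
        self.audit: List[dict] = []

    def _authorize(self, who: Principal, action: str, name: Optional[str]) -> None:
        """Check the matrix and log the attempt, allowed or not, before touching data."""
        allowed = action in PERMISSIONS.get(who.role, frozenset())
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.user, "role": who.role, "workspace": who.workspace,
            "action": action, "secret": name, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"role {who.role!r} may not {action}")

    def _lookup(self, who: Principal, name: str) -> SecretRecord:
        rec = self._secrets.get((who.workspace, name))
        if rec is None:  # same error whether the name exists in another workspace or nowhere
            raise KeyError(f"no secret {name!r} in workspace {who.workspace!r}")
        return rec

    def create(self, who: Principal, name: str, secret_type: str,
               value: str, description: str = "") -> str:
        self._authorize(who, "create", name)
        key = (who.workspace, name)
        if key in self._secrets:
            raise ValueError(f"secret {name!r} already exists in {who.workspace!r}")
        self._secrets[key] = SecretRecord(name, secret_type, description, value)
        return name  # only the name comes back; the value is not echoed

    def list_secrets(self, who: Principal) -> List[dict]:
        self._authorize(who, "list", None)
        return [{"name": r.name, "type": r.secret_type, "description": r.description}
                for (ws, _), r in self._secrets.items() if ws == who.workspace]

    def get_value(self, who: Principal, name: str) -> str:
        self._authorize(who, "retrieve", name)
        return self._lookup(who, name).value

    def update(self, who: Principal, name: str, value: str) -> str:
        self._authorize(who, "update", name)
        self._lookup(who, name).value = value  # a member can rotate a value it cannot read
        return name

    def delete(self, who: Principal, name: str) -> None:
        self._authorize(who, "delete", name)
        self._lookup(who, name)
        del self._secrets[(who.workspace, name)]
```

The audit entries carry the caller, workspace, action and outcome, which is what a detection rule over this log would key on (for instance, repeated `allowed: False` retrieve attempts by one user). The `KeyError` in `_lookup` is deliberately identical whether the name exists in another workspace or not at all, so a caller cannot use the error to enumerate another workspace's secret names.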

## Integration with Deployments

Secrets automatically integrate with:

* **Agent deployments** for API access and authentication
* **Model deployments** for inference service credentials
* **Data sources** for database and storage authentication
* **Tool integrations** for Slack, Gmail, and other services

Reference secrets by name in your deployment configurations, and VantEdge handles the secure injection automatically.

## Cloud Provider Support

**AWS Secrets Manager**\
Encryption with AWS KMS, IAM-based access control, automatic rotation support, and multi-region replication.

**Google Cloud Secret Manager**\
Google-managed encryption keys, IAM policies, version management, and global access.

**Azure Key Vault**\
Coming soon with Azure Active Directory integration and FIPS 140-2 compliance.

***

Secrets Management provides secure credential storage with automatic injection into your AI deployments, ensuring sensitive data is protected while remaining accessible to authorized applications.
