Vault Secrets provides secure storage for sensitive data like API keys, database credentials, and certificates. All secrets are encrypted at rest and support versioning for audit and rollback capabilities.

Key Features

Encrypted Storage

All secrets are encrypted at rest using Vault’s seal mechanism. Data is never stored in plaintext.

Version History

Every change creates a new version. View, compare, and roll back to any previous version.

Folder Organization

Organize secrets into folders (paths) for logical grouping by application, environment, or team.

Rotation Tracking

Automatic age tracking with warnings when secrets should be rotated based on policy.

Secret Rotation

Secrets are automatically tracked for age to encourage regular rotation. The system classifies secrets based on how long ago they were last updated:

| Status | Age | Meaning |
| --- | --- | --- |
| OK | < 30 days | Recently updated, no action needed |
| Warning | 30-90 days | Consider rotating soon |
| Critical | > 90 days | Rotate immediately |

Rotation status is calculated from the secret’s last update time. Any change to a secret (adding, modifying, or deleting keys) creates a new version and resets the age counter.

Required Permissions

| Action | Permission |
| --- | --- |
| View/Read secrets | iam:project:cicd:vault:read |
| Create/Update secrets | iam:project:cicd:vault:write |
| Delete secrets | iam:project:cicd:vault:delete |

Concepts

Mounts

A mount is a logical grouping of secrets, similar to a filesystem mount point. Common mounts include:
  • secret/ - General purpose key-value secrets
  • database/ - Database credentials
  • kv/ - Key-value store

Paths

Paths organize secrets within a mount. Use slashes to create folder hierarchies:
secret/
├── app/
│   ├── database      # secret at secret/app/database
│   └── api-keys      # secret at secret/app/api-keys
└── shared/
    └── certificates  # secret at secret/shared/certificates

Keys

Each secret contains one or more key-value pairs. For example, a database secret might have:
  • username: the database username
  • password: the database password
  • host: the database hostname

How to Navigate Secrets

1. Select a Mount
   From the Vault Secrets page, click on a mount to browse its contents.

2. Browse Folders
   Click on folders to navigate deeper into the path hierarchy. The breadcrumb shows your current location.

3. View a Secret
   Click on a secret (key icon) to open the detail page and view its key-value pairs.

4. Go Back
   Use the back button or breadcrumb to navigate up the folder hierarchy.

How to Create a Secret

1. Navigate to Target Folder
   Browse to the folder where you want to create the secret.

2. Click New Secret
   Click the New Secret button in the top right.

3. Enter Secret Path
   Provide a name for the secret. Use slashes to create subfolders:
     • database - Creates secret at current path
     • app/config - Creates app folder and config secret inside

4. Add Key-Value Pairs
   Add one or more key-value pairs:
     • Enter a key name (e.g., password)
     • Enter the value (hidden by default)
     • Toggle JSON for complex data structures

5. Create
   Click Create Secret. The secret is encrypted and stored.

Secret paths can only contain alphanumeric characters, hyphens, underscores, and slashes. They cannot start or end with a slash.
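
A pre-check for the path rule above, useful before submitting names from a script. This is an added example, not code from the product: `resolve_secret_path`, `check_all` and `SAMPLES` are hypothetical names, and restricting "alphanumeric" to ASCII and rejecting empty segments such as `a//b` are assumptions that go beyond the stated rule.

```python
import re

# Page rule: alphanumerics, hyphens, underscores and slashes only, with no
# leading or trailing slash. Dots are not in the set, so "../" never passes.
_ALLOWED = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*")


def resolve_secret_path(current_folder, name):
    """Return (full_path, folders, secret_name) or raise ValueError.

    Hypothetical helper. current_folder is assumed to be a folder the
    user has already browsed to, so only the new name is validated.
    """
    # fullmatch, unlike a "$" anchor, also rejects a trailing newline.
    if not _ALLOWED.fullmatch(name):
        raise ValueError(f"invalid secret path: {name!r}")
    base = current_folder.strip("/")
    full = f"{base}/{name}" if base else name
    *folders, secret = full.split("/")
    return full, folders, secret


def check_all(names, current_folder="secret/app"):
    """Map each candidate name to its full path or to the rejection text."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_secret_path(current_folder, name)[0]
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


# Constructed sample input.
SAMPLES = ["database", "app/config", "/leading", "trailing/",
           "../other-team/db", "api keys", "a//b"]

if __name__ == "__main__":
    for name, outcome in check_all(SAMPLES).items():
        print(f"{name!r:22} -> {outcome}")
```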

How to View and Edit a Secret

1. Open the Secret
   Navigate to and click on the secret to open its detail page.

2. Reveal Values
   Click the eye icon on any row to reveal the hidden value.

3. Edit Values
   Modify the key names or values directly in the input fields.

4. Save Changes
   Click Save Changes to create a new version with your modifications.

Row View vs JSON View

Toggle between two editing modes:

| Mode | Best For | Features |
| --- | --- | --- |
| Row View | Simple key-value pairs | Individual field editing, show/hide per value |
| JSON View | Complex structures | Full Monaco editor, syntax highlighting, paste JSON |

Click the braces icon ({}) to switch to JSON view. Click the list icon to return to row view.

How to Add a New Key

1. Open the Secret
   Navigate to the secret detail page.

2. Click Add Key
   Click the Add Key button.

3. Enter Details
   A new row appears at the top:
     • Enter the key name
     • Enter the value
     • Toggle JSON if needed

4. Save
   Click Save Changes to persist the new key.

New keys are marked with an “Unsaved” badge until you save. You can add multiple keys before saving.

How to Delete a Key

1. Find the Key
   Locate the key you want to delete in the secret detail page.

2. Click Delete
   Click the trash icon on the key’s row.

3. Confirm
   Confirm the deletion. The key is removed from the secret.

Deleting a key creates a new version without that key. The key still exists in previous versions and can be recovered via rollback.

How to Delete a Secret

1. Navigate to the Folder
   Go to the folder containing the secret.

2. Click Delete
   Click the trash icon on the secret’s row.

3. Confirm
   Confirm the deletion. The entire secret and all its keys are removed.

How to Copy Values

  • Single Value: Click the copy icon on any row to copy that value
  • All Values: Click the clipboard icon in the toolbar to copy the entire secret as JSON

Copied values can be pasted into applications, configuration files, or other secrets.

Version History

Every change to a secret creates a new version. Access version history to:
  • View previous values
  • Compare versions side-by-side
  • Roll back to a previous state
  • Destroy old versions permanently

How to View Version History

1. Open the Secret
   Navigate to the secret detail page.

2. Click History
   Click the clock/history icon in the toolbar.

3. Browse Versions
   The left panel shows all versions with status:
     • Current: Active version
     • Available: Can be viewed or rolled back
     • Deleted: Soft-deleted, can be restored
     • Destroyed: Permanently removed

4. Preview Version
   Click a version to preview its contents in the right panel.

How to Compare Versions

1. Select Base Version
   Click on a version in the history list.

2. Click Compare
   Click the Compare button that appears.

3. View Diff
   The preview panel shows both versions side-by-side for comparison.

How to Roll Back to a Previous Version

1. Select the Version
   Click on the version you want to restore.

2. Click Rollback
   Click the Rollback button.

3. Confirm
   A new version is created with the old data. The current version is preserved in history.

Rollback creates a new version rather than overwriting. This preserves the complete audit trail.

How to Destroy a Version

1. Select the Version
   Click on the version you want to permanently remove.

2. Click Destroy
   Click the trash icon on the version.

3. Confirm
   The version is permanently destroyed and cannot be recovered.

Destroy is irreversible. Use this only for compliance requirements or to remove accidentally stored sensitive data.
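
The versioning rules in this section and the age rule from Secret Rotation, combined in one small in-memory model. This is an added example, not the product's code: `VersionedSecret`, its methods and `demo` are hypothetical names, soft delete is left out, and the timestamps and values are constructed. In this model a rollback or a key deletion counts as an update, so it resets the rotation age even though no credential was actually rotated; whether the product treats rollbacks the same way is an assumption.

```python
from datetime import datetime, timedelta, timezone

class VersionedSecret:
    """Toy model of this page's versioning rules (hypothetical, not product code)."""
    def __init__(self):
        self.versions = []  # list index + 1 is the version number

    def _get(self, version):
        if version < 1 or self.versions[version - 1]["data"] is None:
            raise ValueError(f"version {version} is not readable")
        return self.versions[version - 1]

    def put(self, data, now):
        # Every change appends a version; nothing is overwritten in place.
        self.versions.append({"data": dict(data), "updated": now})
        return len(self.versions)

    def delete_key(self, key, now):
        # Removing a key is a change too: new version without that key.
        latest = self._get(len(self.versions))["data"]
        return self.put({k: v for k, v in latest.items() if k != key}, now)

    def rollback(self, version, now):
        # Old data is copied forward; the replaced version stays in history.
        return self.put(self._get(version)["data"], now)

    def destroy(self, version):
        # Irreversible: the payload is dropped, only the slot remains.
        self._get(version)["data"] = None

    def rotation_status(self, now):
        # Age counts from the newest version's timestamp (page thresholds).
        age = now - self.versions[-1]["updated"]
        if age < timedelta(days=30):
            return "OK"
        return "Warning" if age <= timedelta(days=90) else "Critical"

def demo():
    def day(n):  # constructed timestamps, n days after an arbitrary start
        return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)
    s = VersionedSecret()
    s.put({"username": "app", "password": "old-example"}, day(0))   # v1
    s.put({"username": "app", "password": "new-example"}, day(10))  # v2
    s.delete_key("username", day(20))                               # v3
    before = s.rotation_status(day(120))  # v3 is 100 days old
    v4 = s.rollback(1, day(120))          # v4 copies v1's data
    after = s.rotation_status(day(120))   # rollback counted as an update
    s.destroy(2)                          # v2 payload is gone for good
    return s, v4, before, after
```

When reviewing rotation status, compare the restored values against the version history as well: an "OK" status after a rollback in this model says the secret changed recently, not that the credential is new.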

Working with JSON Values

For complex data structures, enable JSON mode on individual keys:

1. Toggle JSON Mode
   Enable the JSON switch on the key’s row.

2. Edit JSON
   A code editor appears with syntax highlighting:

   {
     "nested": {
       "key": "value"
     },
     "array": [1, 2, 3]
   }

3. Validate
   Invalid JSON shows an error. Fix syntax before saving.

Use JSON mode for storing configuration objects, arrays, or any structured data that needs to maintain its format.

Troubleshooting

  • Verify you have read permission for Vault
  • Check that the mount exists and is accessible
  • Ensure you’re in the correct project context

  • You need write permission for Vault
  • The secret path may already exist (use a different name)
  • Check for invalid characters in the path

  • Check for missing commas between key-value pairs
  • Ensure strings are wrapped in double quotes
  • Validate brackets and braces match
  • Use a JSON validator to find syntax errors

  • New secrets have only one version initially
  • Make and save changes to create new versions
  • Destroyed versions don’t appear in history

  • You need write permission to roll back
  • Destroyed versions cannot be rolled back
  • The target version may be corrupted

  • This is a policy reminder, not an error
  • Rotate the secret by updating its values
  • Any change creates a new version and resets the age

FAQ

Secrets are encrypted using Vault’s seal mechanism with AES-256-GCM. The encryption key is protected by the unseal keys and never stored in plaintext.
Access is controlled by Vault policies. Only users with appropriate permissions can read, write, or delete secrets in specific paths.
Soft-deleted secrets can be recovered if not yet destroyed. Destroyed secrets are permanently removed and cannot be recovered.
Version history is kept indefinitely unless explicitly destroyed. Storage policies may vary by installation.
Yes. Secrets can be injected into pipeline environments using the Vault integration. See pipeline documentation for details.
Delete removes the current version but keeps it recoverable. Destroy permanently removes the data with no recovery possible.