Secret Providers
Istek can fetch secrets from cloud providers to use as variables.
Supported Providers
| Provider | Service |
|---|---|
| AWS | AWS Secrets Manager |
| GCP | Google Secret Manager |
| Azure | Azure Key Vault |
Configuration
AWS Secrets Manager
- Open Variable Manager
- Go to Integrations tab
- Click Add Provider → AWS
- Configure:
| Field | Description |
|---|---|
| Name | Display name for this provider |
| Region | AWS region (e.g., us-east-1) |
| Access Key ID | AWS access key |
| Secret Access Key | AWS secret key |
| Secret Name | Name of the secret in Secrets Manager |
- Click Test Connection
- Click Save
GCP Secret Manager
- Open Variable Manager
- Go to Integrations tab
- Click Add Provider → GCP
- Configure:
| Field | Description |
|---|---|
| Name | Display name |
| Project ID | GCP project ID |
| Credentials JSON | Service account JSON key |
| Secret Name | Name of the secret |
- Click Test Connection
- Click Save
Azure Key Vault
- Open Variable Manager
- Go to Integrations tab
- Click Add Provider → Azure
- Configure:
| Field | Description |
|---|---|
| Name | Display name |
| Vault URL | Key Vault URL (e.g., https://myvault.vault.azure.net) |
| Tenant ID | Azure AD tenant ID |
| Client ID | Application (client) ID |
| Client Secret | Client secret |
| Secret Name | Name of the secret |
- Click Test Connection
- Click Save
Using Secrets
Once configured, secrets are available as variables:
- Fetch Secrets: Click the refresh button on the provider
- View Secrets: Secrets appear in the Variables tab
- Use in Requests: Reference as {{SECRET_NAME}}
Secret Format
Secrets should be JSON objects:
```json
{
  "API_KEY": "sk-xxx",
  "DATABASE_URL": "postgres://...",
  "JWT_SECRET": "secret123"
}
```
Each key becomes a variable.
Provider Priority
When the same variable exists in multiple places:
- Environment variables (highest)
- Secret provider values
- Global variables (lowest)
Security Considerations
Credentials Storage
Provider credentials are stored in the local SQLite database. Consider:
- Using IAM roles instead of access keys when possible
- Rotating credentials regularly
- Using least-privilege access policies
Secret Caching
Fetched secrets are cached in memory. They are:
- Cleared when Istek closes
- Refreshed on manual fetch
- Not persisted to disk
AWS IAM Policy
Minimum required permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:your-secret-*"
    }
  ]
}
```
GCP IAM Role
Required role: roles/secretmanager.secretAccessor
Or custom role with:
secretmanager.versions.access
Azure RBAC
Required role: Key Vault Secrets User
Or custom role with:
Microsoft.KeyVault/vaults/secrets/getSecret/action
Troubleshooting
Connection Failed
- Verify credentials are correct
- Check network connectivity
- Ensure IAM permissions are configured
Secret Not Found
- Verify secret name matches exactly
- Check if secret exists in the specified region/project
- Ensure secret is not disabled
Invalid Format
- Secrets must be valid JSON objects
- Each key-value pair becomes a variable
- Nested objects are not supported
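The rules from Secret Format, Provider Priority and Invalid Format, as an added example that is not Istek's own code: a Python pre-flight check that validates a secret payload before it is stored in the provider and reports which secret keys an environment variable would shadow. Function names and sample values are constructed; rejecting arrays and keeping other scalars as JSON text are assumptions, since the page only rules out nested objects.

```python
import json

def parse_secret(raw):
    """Return (variables, errors) for one secret payload."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return {}, ["top-level value must be a JSON object"]
    variables, errors = {}, []
    for key, value in doc.items():
        if isinstance(value, dict):
            errors.append(f"{key}: nested objects are not supported")
        elif isinstance(value, list):
            # Assumption: arrays are treated like nested objects here.
            errors.append(f"{key}: arrays are rejected by this check")
        elif isinstance(value, str):
            variables[key] = value
        else:
            # Assumption: other scalars are kept as their JSON text.
            variables[key] = json.dumps(value)
    return variables, errors

def resolve(environment, secrets, global_vars):
    """Merge by the documented priority; return (resolved, shadowed keys)."""
    resolved = {}
    # Lowest priority first so later sources overwrite earlier ones.
    for source, values in (("global", global_vars),
                           ("secret", secrets),
                           ("environment", environment)):
        for name, value in values.items():
            resolved[name] = (value, source)
    # Secret keys that an environment variable silently overrides.
    shadowed = sorted(k for k in secrets if k in environment)
    return resolved, shadowed

# Constructed sample data, not real credentials.
SAMPLE_SECRET = '{"API_KEY": "sk-xxx", "DB": {"host": "db.internal"}, "PORT": 5432}'
SAMPLE_ENV = {"API_KEY": "local-override"}
SAMPLE_GLOBAL = {"BASE_URL": "https://api.example.test", "PORT": "8080"}

if __name__ == "__main__":
    secrets, errors = parse_secret(SAMPLE_SECRET)
    resolved, shadowed = resolve(SAMPLE_ENV, secrets, SAMPLE_GLOBAL)
    print("errors:", errors)
    print("shadowed by environment:", shadowed)
    print({name: src for name, (_, src) in resolved.items()})  # sources only
```

A shadowed key means requests use the environment value rather than the one fetched from the provider, which is worth checking after a rotation.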
Best Practices
Separate Secrets
Use different secrets for different environments:
```
myapp/dev/secrets
myapp/prod/secrets
```
Naming Convention
Use consistent key names across environments:
```json
{
  "DATABASE_URL": "...",
  "API_KEY": "...",
  "JWT_SECRET": "..."
}
```
Regular Rotation
Rotate secrets regularly and refresh them in Istek.