Vegha Docs

AWS Secrets Manager

Vegha can resolve secrets directly from AWS Secrets Manager. Once a provider is configured, reference any secret with the secret:// URI scheme and Vegha fetches it at send time.

Add an AWS Secrets Manager provider in Vegha’s secret-manager settings. You supply the AWS region the secrets live in and choose how Vegha authenticates.

Vegha supports two authentication modes:

| Mode | What you provide |
| --- | --- |
| IAM access keys | Access key ID, secret access key |
| AWS default credential chain | Nothing — env vars, shared config, or instance role are used |

  • IAM access keys — supply an access key ID and secret access key for an IAM principal. Use this for explicit, scoped credentials.
  • AWS default credential chain — Vegha uses the standard AWS credential resolution: environment variables, the shared config and credentials files, and an instance or container role when running on AWS. No credentials are entered into Vegha.

AWS secrets are region-scoped. Set the provider’s region to the region the secret was created in, or resolution will fail to find it.

The IAM principal Vegha authenticates as needs the secretsmanager:GetSecretValue permission for the secrets it must read. No other permissions are required.

Reference a secret with:

secret://<provider>/<secret-name-or-arn>

Secrets Manager secrets often store a JSON document. Append #field to select one key from that JSON:

secret://aws-prod/prod/db#password

Without a #field, the entire secret string is returned.

Place the secret:// reference anywhere a variable is allowed — a header, the URL, the body, or an auth field. For example:

Authorization: Bearer {{secret://aws-prod/api/token#value}}

At send time Vegha calls Secrets Manager, retrieves the value, and uses it for that request only.
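
The reference format described above, as an added Python sketch (not Vegha's own code): it splits a secret:// reference into provider, secret name or ARN, and optional #field, then applies the field to the JSON secret string. The names parse_ref, resolve and fake_fetch, the sample store, and the fail-closed handling of a missing field or non-JSON secret are assumptions made for illustration.

```python
import json
from typing import Callable, NamedTuple, Optional


class SecretRef(NamedTuple):
    provider: str          # provider name configured in Vegha, e.g. "aws-prod"
    secret_id: str         # secret name or full ARN; may contain "/" and ":"
    field: Optional[str]   # JSON key after "#", or None for the whole string


def parse_ref(ref: str) -> SecretRef:
    """Split secret://<provider>/<secret-name-or-arn>[#field] into its parts."""
    scheme = "secret://"
    if not ref.startswith(scheme):
        raise ValueError("not a secret:// reference")
    rest, _, field = ref[len(scheme):].partition("#")
    # Only the first "/" separates the provider; later ones belong to the name.
    provider, _, secret_id = rest.partition("/")
    if not provider or not secret_id:
        raise ValueError("reference needs a provider and a secret name or ARN")
    return SecretRef(provider, secret_id, field or None)


def resolve(ref: str, fetch: Callable[[str, str], str]) -> str:
    """Resolve a reference with fetch(provider, secret_id) -> secret string.

    Against AWS, fetch would wrap boto3's
    client("secretsmanager").get_secret_value(SecretId=...)["SecretString"].
    """
    parsed = parse_ref(ref)
    raw = fetch(parsed.provider, parsed.secret_id)
    if parsed.field is None:
        return raw  # no #field: the entire secret string is returned
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        # "from None" drops the decoder exception, which carries the raw secret.
        raise ValueError("#field used on a secret that is not JSON") from None
    if not isinstance(doc, dict) or parsed.field not in doc:
        # Assumption: fail closed instead of substituting an empty value.
        raise KeyError(f"field {parsed.field!r} not present in secret")
    return str(doc[parsed.field])


# Constructed sample data standing in for Secrets Manager (not real secrets).
SAMPLE_STORE = {
    ("aws-prod", "prod/db"): '{"username": "app", "password": "example-pw"}',
    ("aws-prod", "api/token"): '{"value": "example-token"}',
}


def fake_fetch(provider: str, secret_id: str) -> str:
    return SAMPLE_STORE[(provider, secret_id)]
```

The error paths never include the secret string itself, only the field name, so a failed resolution does not leak the value into logs.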