Secret Managers Overview
Vegha can pull sensitive values from external secret managers instead of storing them in your workspace. Secrets are referenced with a URI scheme and resolved only when a request is sent.
The secret:// URI scheme
A secret reference uses the form:
secret://provider/path#field
- provider — the configured secret-manager provider to query
- path — the identifier of the secret within that provider
- field — an optional field to select when the secret holds structured data
Resolution at send time
A secret:// reference is resolved at send time. Vegha contacts the provider, retrieves the value, and uses it for that request only. The resolved value is never written to disk and never stored in your .bru files — the files contain only the secret:// reference.
Where you can use a secret reference
A secret:// value can be used anywhere a variable is allowed:
- Request URLs
- Headers
- Request bodies
- Auth fields
Available providers
| Provider | Status |
|---|---|
| Azure Key Vault | Available |
| AWS Secrets Manager | Available |
| HashiCorp Vault | Planned |
| GCP Secret Manager | Planned |
| Doppler | Planned |
| 1Password | Planned |
| CyberArk Conjur | Planned |
See the Azure Key Vault and AWS Secrets Manager guides for configuration.
Visibility and auditing
Because resolution happens through the provider at send time, access to a secret is governed by that provider’s own permissions and audit logging. Grant Vegha’s credentials only the read access they need, and rely on the provider’s audit trail to see when secrets were fetched.
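To scope that read access, it helps to list which secrets a workspace actually references. The following is an added example, not Vegha's own code: it parses the secret://provider/path#field form described above and groups the referenced paths by provider. The provider names (azure-kv, aws-sm), the sample file layout, and the rule for where a reference ends are assumptions.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

class SecretRef(NamedTuple):
    provider: str
    path: str
    field: Optional[str]

# Assumption: a reference ends at whitespace, a quote or a closing brace.
_REF_RE = re.compile(r"secret://[^\s\"'}]+")

def parse_ref(ref: str) -> SecretRef:
    """Split secret://provider/path#field; the field part is optional."""
    if not ref.startswith("secret://"):
        raise ValueError(f"not a secret reference: {ref!r}")
    rest, sep, field = ref[len("secret://"):].partition("#")
    provider, _, path = rest.partition("/")  # path may itself contain "/"
    if not provider or not path:
        raise ValueError(f"missing provider or path: {ref!r}")
    if sep and not field:
        raise ValueError(f"empty field after '#': {ref!r}")
    return SecretRef(provider, path, field or None)

def audit(text: str):
    """Return ({provider: sorted secret paths}, [malformed references])."""
    needed, malformed = defaultdict(set), []
    for match in _REF_RE.finditer(text):
        try:
            ref = parse_ref(match.group())
        except ValueError:
            malformed.append(match.group())
        else:
            needed[ref.provider].add(ref.path)
    return {p: sorted(paths) for p, paths in needed.items()}, malformed

# Constructed sample; provider names and file layout are hypothetical.
SAMPLE = """\
headers {
  Authorization: Bearer secret://azure-kv/api-token
  X-Db-Password: secret://aws-sm/prod/db#password
  X-Db-User: secret://aws-sm/prod/db#username
  X-Broken: secret://aws-sm
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The per-provider path list is what the provider-side read policy needs to cover; anything in the malformed list would fail to resolve at send time and is worth fixing before it is committed.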