The Secret File provider reads secrets from a local YAML file on disk. This is the simplest secret provider and is useful for development and testing where an external secret management system is not available.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Secret File provider, the Orchestrator reads secret values from a YAML file at startup. Each key in the file maps to a secret that can be referenced in the Orchestrator configuration using angle bracket syntax. The file is read once at startup — changes to the file require restarting the Orchestrator.
The Secret File provider stores secrets in plaintext on disk. Use it only for local development and testing. For production deployments, use a dedicated secret management system like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.

Use Cases

  • Local development — use a secrets file during development without requiring an external vault or cloud credentials
  • Testing and CI/CD — provide test secrets via a file for automated test runs
  • Quick prototyping — get started with the Orchestrator quickly before configuring a production secret provider

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="secretfile:///path/to/secrets.yaml"
The secretfile:// URL uses three forward slashes for an absolute path: secretfile:// (scheme) + /path/to/file (absolute path). For example, secretfile:///etc/maverics/secrets.yaml.

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "secretfile:///path/to/secrets.yaml"

Secrets File Format

The secrets file is a YAML file in which each top-level key is a namespace and each key nested under it is a secret name. References join the two with a dot (namespace.key):
# secrets.yaml
maverics:
  azure_client_secret: "my-client-secret-value"
  okta_client_secret: "another-secret-value"
  tls_private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA...
    -----END RSA PRIVATE KEY-----

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax:
connectors:
  - name: azure
    oauthClientSecret: <maverics.azure_client_secret>
  - name: okta
    oauthClientSecret: <maverics.okta_client_secret>
The namespace (maverics) maps to the top-level key in the secrets file, and the key (azure_client_secret) maps to the nested key under that namespace.

Configuration Reference

URL Structure

secretfile://{absolute-path-to-file}

URL Parameters

| Parameter | Required | Description |
|-----------|----------|-------------|
| File path | Yes | Absolute path to the YAML secrets file (e.g., /etc/maverics/secrets.yaml) |

Troubleshooting

“file not found” when starting the Orchestrator
Verify the file path is correct and uses an absolute path. The secretfile:// URL requires three forward slashes for absolute paths (e.g., secretfile:///etc/maverics/secrets.yaml).

Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the key hierarchy in the secrets file. The namespace in <namespace.key> must match the top-level key, and the key must match the nested key under it.

Permission denied reading the secrets file
Ensure the Orchestrator process has read access to the secrets file. Check file permissions with ls -la /path/to/secrets.yaml.
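
The three troubleshooting cases above can be checked before the Orchestrator is started. The Python pre-flight below is an added example, not part of the Maverics product or its documentation. Its function names, the simplified line scanner that stands in for a YAML parser, and the owner-only (600) permission check are assumptions of this example.

```python
import os, re, stat
from urllib.parse import urlsplit

REF = re.compile(r"<([\w-]+)\.([\w-]+)>")  # <namespace.key> reference syntax
# Constructed sample inputs (no real secrets); the config references one undeclared key.
SAMPLE_SECRETS = 'maverics:\n  azure_client_secret: "example"\n  tls_private_key: |\n    Proc-Type: 4,ENCRYPTED\n'
SAMPLE_CONFIG = "oauthClientSecret: <maverics.azure_client_secret>\noauthClientSecret: <maverics.okta_client_secret>\n"

def secrets_path(url):
    """Extract the absolute path from a secretfile:// URL, else raise ValueError."""
    u = urlsplit(url)
    if u.scheme != "secretfile":
        raise ValueError("scheme must be secretfile://")
    if u.netloc or not u.path.startswith("/"):
        # With only two slashes, a generic URL parser reads the first segment as a host.
        raise ValueError("need three slashes: secretfile:///absolute/path")
    return u.path

def declared(text):
    """Collect namespace.key names from the two-level layout (line scanner, not a YAML parser)."""
    names, ns, indent = set(), None, None
    for line in text.splitlines():
        m = re.match(r"( *)([\w-]+):", line)
        if not m:
            continue
        pad, key = len(m.group(1)), m.group(2)
        if pad == 0:
            ns, indent = key, None           # new top-level namespace
        elif ns and indent in (None, pad):   # deeper lines are block-scalar content
            indent = pad
            names.add(f"{ns}.{key}")
    return names

def preflight(url, config_text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        path = secrets_path(url)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            known = declared(fh.read())
    except (ValueError, OSError) as exc:
        return [f"provider: {exc}"]
    findings = []
    if mode & 0o077:  # hardening check added by this example, not a product requirement
        findings.append(f"permissions: {path} is {mode:o}, want 600")
    for ns, key in REF.findall(config_text):
        if f"{ns}.{key}" not in known:
            findings.append(f"unresolved: <{ns}.{key}>")
    return findings
```

Call preflight() with the value intended for MAVERICS_SECRET_PROVIDER and the text of the Orchestrator configuration file. Each finding corresponds to one of the troubleshooting cases above, plus the permission check for a plaintext file.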