> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Providers

Secret providers allow the Maverics Orchestrator to retrieve sensitive values -- such as API keys, certificates, and database credentials -- from external secret management systems at runtime. This keeps secrets out of configuration files and ensures they are managed according to your organization's security policies.

<Note>
  **Console terminology:** In the Maverics Console, Orchestrator instances and
  configuration delivery are managed through **Deployments**. When working directly
  with YAML, configuration is managed as files delivered via the `-config` flag or
  `MAVERICS_CONFIG` environment variable.
</Note>

## How Secret Providers Work

Secret providers are configured via the `MAVERICS_SECRET_PROVIDER` environment variable or the `-secretProvider` CLI flag -- not in YAML configuration. Only one secret provider may be active at a time.

```bash theme={null}
# Configure via environment variable
export MAVERICS_SECRET_PROVIDER="hashivault://vault.example.com:8200/secret/data/maverics?token=<token>"

# Or via CLI flag
maverics -config maverics.yaml -secretProvider "hashivault://vault.example.com:8200/secret/data/maverics?token=<token>"
```

Once a secret provider is configured, you reference secrets in your YAML configuration using angle bracket syntax:

```yaml theme={null}
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>
```

At startup (and on config reloads), the Orchestrator resolves `<maverics.client_secret>` by fetching it from the configured secret provider. The namespace (`maverics`) and key (`client_secret`) map to the secret path and key in the provider.

### Using Secret References in the Console

The same angle bracket syntax works in the Maverics Console. When configuring connectors, apps, or other resources in the Console, use secret references (e.g., `<maverics.client_secret>`) in any field that accepts a sensitive value. The Orchestrator resolves them at runtime just as it does with YAML.

<Warning>
  Never enter actual secret values into the Console. Always use secret provider
  references instead. Configuration entered in the Console is stored as a
  deployment config -- secret references ensure that sensitive values remain in
  your secret management system and are never persisted in the configuration
  itself.
</Warning>

This applies even during testing. While you could enter plaintext values for local testing against non-production resources, we recommend using secret references from the start to build good habits. The [Secret File](/reference/orchestrator/configuration/secret-providers/environment) provider makes this easy -- point the Orchestrator at a local YAML file and reference those secrets in the Console the same way you would in production.

## Available Providers

| Provider                                                                                          | URL Scheme             | Use Case                                          |
| ------------------------------------------------------------------------------------------------- | ---------------------- | ------------------------------------------------- |
| [AWS Secrets Manager](/reference/orchestrator/configuration/secret-providers/aws-secrets-manager) | `awssecretsmanager://` | AWS-native secret storage                         |
| [Azure Key Vault](/reference/orchestrator/configuration/secret-providers/azure-key-vault)         | `azurekeyvault://`     | Azure-native secret and certificate management    |
| [CyberArk CCP](/reference/orchestrator/configuration/secret-providers/cyberark-ccp)               | `cyberarkccp://`       | CyberArk Central Credential Provider              |
| [CyberArk Conjur](/reference/orchestrator/configuration/secret-providers/conjur)                  | `conjur://`            | DevOps-oriented secrets for CI/CD and containers  |
| [Delinea Secret Server](/reference/orchestrator/configuration/secret-providers/delinea)           | `delinea://`           | Enterprise privileged access management           |
| [HashiCorp Vault](/reference/orchestrator/configuration/secret-providers/hashicorp-vault)         | `hashivault://`        | Enterprise secret management with dynamic secrets |
| [Secret File](/reference/orchestrator/configuration/secret-providers/environment)                 | `secretfile://`        | Local file-based secrets for testing              |

## Provider Pages

<CardGroup cols={2}>
  <Card title="AWS Secrets Manager" icon="cloud" href="/reference/orchestrator/configuration/secret-providers/aws-secrets-manager">
    AWS-native secret storage
  </Card>

  <Card title="Azure Key Vault" icon="cloud" href="/reference/orchestrator/configuration/secret-providers/azure-key-vault">
    Azure-native secret and certificate management
  </Card>

  <Card title="CyberArk CCP" icon="key" href="/reference/orchestrator/configuration/secret-providers/cyberark-ccp">
    CyberArk Central Credential Provider
  </Card>

  <Card title="CyberArk Conjur" icon="lock" href="/reference/orchestrator/configuration/secret-providers/conjur">
    DevOps-oriented secrets for CI/CD and containers
  </Card>

  <Card title="Delinea Secret Server" icon="shield-halved" href="/reference/orchestrator/configuration/secret-providers/delinea">
    Enterprise privileged access management
  </Card>

  <Card title="HashiCorp Vault" icon="vault" href="/reference/orchestrator/configuration/secret-providers/hashicorp-vault">
    Enterprise secret management with dynamic secrets
  </Card>

  <Card title="Secret File" icon="file" href="/reference/orchestrator/configuration/secret-providers/environment">
    Local file-based secrets for testing
  </Card>
</CardGroup>

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Identity provider integrations
  </Card>

  <Card title="Config Sources" icon="gear" href="/reference/orchestrator/configuration/config-sources">
    Where the Orchestrator reads its configuration
  </Card>
</CardGroup>
