Skip to main content
The Secret File provider reads secrets from a local YAML file on disk. This is the simplest secret provider and is useful for development and testing where an external secret management system is not available.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Secret File provider, the Orchestrator reads secret values from a YAML file at startup. Each key in the file maps to a secret that can be referenced in the Orchestrator configuration using angle bracket syntax. The file is read once at startup — changes to the file require restarting the Orchestrator.
The Secret File provider stores secrets in plaintext on disk. Use it only for local development and testing. For production deployments, use a dedicated secret management system like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.

Use Cases

  • Local development — use a secrets file during development without requiring an external vault or cloud credentials
  • Testing and CI/CD — provide test secrets via a file for automated test runs
  • Quick prototyping — get started with the Orchestrator quickly before configuring a production secret provider

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="secretfile:///path/to/secrets.yaml"
The secretfile:// URL uses three forward slashes for an absolute path: secretfile:// (scheme) + /path/to/file (absolute path). For example, secretfile:///etc/maverics/secrets.yaml.

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "secretfile:///path/to/secrets.yaml"

Secrets File Format

The secrets file is a YAML file with a top-level secrets key containing flat key-value pairs: 
# secrets.yaml
secrets:
  azureClientSecret: "my-client-secret-value"
  oktaClientSecret: "another-secret-value"
  tlsPrivateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA...
    -----END RSA PRIVATE KEY-----

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps directly to the key name under the secrets key in the file: 
connectors:
  - name: azure
    oauthClientSecret: <azureClientSecret>
  - name: okta
    oauthClientSecret: <oktaClientSecret>

Configuration Reference

URL Structure

secretfile://{absolute-path-to-file}

URL Parameters

ParameterRequiredDescription
File pathYesAbsolute path to the YAML secrets file (e.g., /etc/maverics/secrets.yaml)

Troubleshooting

“file not found” when starting the Orchestrator Verify the file path is correct and uses an absolute path. The secretfile:// URL requires three forward slashes for absolute paths (e.g., secretfile:///etc/maverics/secrets.yaml). Secrets not resolving in YAML configuration Ensure the angle bracket syntax matches the key names under the secrets key in the file. The key in <key> must match exactly. Permission denied reading the secrets file Ensure the Orchestrator process has read access to the secrets file. Check file permissions with ls -la /path/to/secrets.yaml.

Secret Providers

Overview of all secret providers

HashiCorp Vault

Enterprise secret management for production