Secrets Management
Realm9 integrates with external secret vaults so that sensitive values — database passwords, API keys, certificates — never need to be stored directly in Realm9. Instead, Terraform variables reference secrets using a vault:// URI, which Realm9 resolves at provisioning time.
Path: /secrets
Secrets Management is available on all licence tiers including Free.
Access: Admins and Provisioners can manage vault connections.
Supported Vault Providers
| Provider | Auth methods |
|---|---|
| AWS Secrets Manager | IAM role assumption (recommended), static access keys, default credential chain |
| Azure Key Vault | Service Principal credentials, managed identity / workload identity |
| HashiCorp Vault | AppRole (recommended), direct token |
| OpenBao | Same as HashiCorp Vault (API-compatible) |
Connecting a Vault
- Navigate to Secrets in the sidebar
- Click Add Vault
- Select the vault type
- Fill in the connection details (see per-provider fields below)
- Optionally mark as Default Vault
- Save — then click Test to verify connectivity
Only one vault can be marked as default per organisation. The default vault is used when resolving vault:// references.
AWS Secrets Manager
| Field | Required | Notes |
|---|---|---|
| Region | Yes | e.g. us-east-1 |
| Role ARN | No | IAM role to assume via STS (recommended for production) |
| Access Key ID | No | Static credentials (must be paired with Secret Access Key) |
| Secret Access Key | No | Must be paired with Access Key ID |
The IAM role or credentials must have: secretsmanager:GetSecretValue, secretsmanager:DescribeSecret, secretsmanager:ListSecrets.
Azure Key Vault
| Field | Required | Notes |
|---|---|---|
| Vault URL | Yes | e.g. https://myvault.vault.azure.net |
| Tenant ID | No | Required if using Service Principal |
| Client ID | No | Service Principal client ID (must be paired with Tenant ID and Client Secret) |
| Client Secret | No | Must be paired with Tenant ID and Client ID |
Without credentials, Realm9 falls back to the default Azure credential chain (managed identity, workload identity).
Required role: Key Vault Secrets User (minimum).
HashiCorp Vault / OpenBao
| Field | Required | Notes |
|---|---|---|
| Address | Yes | e.g. https://vault.example.com:8200 |
| Token | No* | Direct Vault token |
| Role ID | No* | AppRole Role ID (must be paired with Secret ID) |
| Secret ID | No* | AppRole Secret ID (must be paired with Role ID) |
| Namespace | No | Vault namespace prefix (e.g. admin/) |
| Mount Path | No | KV secrets engine path (default: secret) |
| CA Certificate | No | PEM certificate for self-signed TLS |
* Either Token or AppRole (Role ID + Secret ID) is required.
Required Vault policy:
path "secret/data/*" { capabilities = ["read", "list"] }
Default Vault
The default vault is used to resolve all vault:// references in your organisation. Set it by toggling Default Vault when creating or editing a connection.
When no default vault is set, Terraform runs that include vault:// variable references will fail with a clear error message prompting you to configure one.
Using vault:// References
In Terraform workspace variables, enter a vault:// URI instead of a plain value:
vault://path/to/secret
vault://path/to/secret#key
Examples:
| Reference | Resolves to |
|---|---|
| vault://prod/db-password | The value of the secret at that path (auto-unwraps when the secret holds a single key) |
| vault://prod/db#password | The password field of the secret at prod/db |
| vault://secret/app/config#api_key | The api_key field of the secret at secret/app/config |
Realm9 resolves vault references at provisioning time — the secret value is injected into the Terraform run and is never stored in Realm9's database. Only the path is logged in the audit trail, never the value.
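The resolution rules above (plain values pass through, `#key` selects one field, a reference without `#key` auto-unwraps only a single-key secret, a missing default vault fails the run with a clear message, and the audit trail records the path but never the value) can be seen end to end in the following small resolver. This is an added example, not Realm9's own code: the vault is a constructed in-memory dict standing in for the default vault connection, and the sample secrets and variable names are made up.

```python
"""Resolve vault:// workspace variables as described above.

Added example, not Realm9's own code: the "vault" here is a constructed
in-memory dict standing in for the organisation's default vault connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample secrets: path -> key/value map, as a KV engine would return them.
SAMPLE_VAULT: Dict[str, Dict[str, str]] = {
    "prod/db-password": {"value": "s3cr3t-example"},             # single key: auto-unwraps
    "prod/db": {"username": "app", "password": "p4ss-example"},  # several keys: needs '#key'
    "secret/app/config": {"api_key": "ak-example", "api_secret": "as-example"},
}

SCHEME = "vault://"


@dataclass(frozen=True)
class VaultRef:
    path: str            # secret path inside the vault
    key: Optional[str]   # field selected with '#key', or None for the whole secret


class MissingDefaultVault(Exception):
    """Raised when a vault:// reference is used but no default vault is configured."""


def parse_vault_ref(value: str) -> Optional[VaultRef]:
    """Return a VaultRef for a vault:// URI, or None when the value is a plain literal."""
    if not value.startswith(SCHEME):
        return None
    path, sep, key = value[len(SCHEME):].partition("#")
    path = path.strip("/")
    if not path:
        raise ValueError(f"{value!r}: vault:// reference has an empty path")
    if sep and not key:
        raise ValueError(f"{value!r}: nothing follows '#'")
    return VaultRef(path=path, key=key or None)


def resolve(value: str, vault: Optional[Dict[str, Dict[str, str]]]) -> str:
    """Resolve one variable value; literals pass through unchanged."""
    ref = parse_vault_ref(value)
    if ref is None:
        return value
    if vault is None:
        raise MissingDefaultVault(
            "no default vault is configured; mark one connection as Default Vault under Secrets"
        )
    secret = vault.get(ref.path)
    if secret is None:
        raise ValueError(f"no secret found at {ref.path}")
    if ref.key is not None:
        if ref.key not in secret:
            raise ValueError(f"secret at {ref.path} has no key {ref.key!r}")
        return secret[ref.key]
    # No '#key': auto-unwrap only when the secret holds exactly one key.
    if len(secret) == 1:
        return next(iter(secret.values()))
    raise ValueError(f"secret at {ref.path} has {len(secret)} keys; select one with '#key'")


def audit_entry(ref: VaultRef) -> Dict[str, Optional[str]]:
    """Audit record for a resolution: the path (and key), never the value."""
    return {"event": "vault_ref_resolved", "path": ref.path, "key": ref.key}


def resolve_variables(
    variables: Dict[str, str], vault: Optional[Dict[str, Dict[str, str]]]
) -> Tuple[Dict[str, str], List[Dict[str, Optional[str]]], List[str]]:
    """Resolve every workspace variable.

    Returns (resolved values, audit entries, errors). Any error means the
    Terraform run must not start; the messages are what the user should see.
    """
    resolved: Dict[str, str] = {}
    audit: List[Dict[str, Optional[str]]] = []
    errors: List[str] = []
    for name, raw in variables.items():
        try:
            resolved[name] = resolve(raw, vault)
        except (ValueError, MissingDefaultVault) as exc:
            errors.append(f"{name}: {exc}")
            continue
        ref = parse_vault_ref(raw)
        if ref is not None:
            audit.append(audit_entry(ref))
    return resolved, audit, errors


if __name__ == "__main__":
    # Constructed workspace variables mixing literals and references.
    sample_vars = {
        "region": "us-east-1",
        "db_password": "vault://prod/db-password",
        "db_user_password": "vault://prod/db#password",
        "api_key": "vault://secret/app/config#api_key",
        "ambiguous": "vault://prod/db",
    }
    values, log, problems = resolve_variables(sample_vars, SAMPLE_VAULT)
    print("resolved:", sorted(values))  # names only; the values are secrets
    print("audit:", log)
    print("errors:", problems)
```

The resolver treats a multi-key secret referenced without `#key` as an error rather than guessing a field, and it collects every problem before reporting so a run with several bad references fails once with a complete list.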
Vault Connection List
The Secrets page shows all configured vault connections. Each card displays:
- Vault name and type
- Default indicator (star icon) if this is the default vault
- Status badge: Active, Inactive, or Error
- Last tested timestamp
- Error message from the last failed test (if applicable)
Actions (Admins and Provisioners only): Test, Edit, Delete.
Testing a Connection
Click Test on any vault connection to verify:
- AWS: Calls ListSecrets — confirms credentials and permissions
- Azure: Lists secret properties — confirms vault URL and auth
- HashiCorp / OpenBao: Calls /v1/sys/health — confirms the server is reachable, unsealed, and active; returns the Vault version
The test result and timestamp are saved and displayed on the card. The vault status is updated to Active on success or Error on failure.
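For the HashiCorp / OpenBao case, the following added example (not Realm9's own code) shows how a connection test turns a /v1/sys/health answer into the Active or Error badge and the saved message. The responses are constructed, the version string is made up, and the Active/Error mapping follows the rule stated above: only a server that is reachable, unsealed and active counts as healthy.

```python
"""Interpret a HashiCorp Vault / OpenBao /v1/sys/health answer the way a
connection test would. Added example, not Realm9's own code; the responses
used below are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# HTTP status codes sys/health uses to summarise node state; 200 is the only
# answer that means "initialized, unsealed and active".
HEALTH_CODES = {
    200: "initialized, unsealed and active",
    429: "unsealed but in standby",
    472: "disaster-recovery secondary",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


@dataclass
class TestResult:
    status: str             # badge shown on the card: "Active" or "Error"
    message: str            # shown on the card when the test fails
    version: Optional[str]  # Vault version reported by the server, if any
    tested_at: str          # ISO-8601 UTC timestamp of this test


def evaluate_health(http_status: Optional[int], body: str) -> TestResult:
    """Map one health response (status code + JSON body) to a card status.

    http_status is None when no HTTP answer arrived at all (DNS failure,
    connection refused, TLS error), the most common first-time failure.
    """
    now = datetime.now(timezone.utc).isoformat()
    if http_status is None:
        return TestResult("Error", "server unreachable: no HTTP response", None, now)
    try:
        fields = json.loads(body) if body else {}
    except json.JSONDecodeError:
        fields = {}
    version = fields.get("version")
    # Check the body's flags as well as the code: a 200 with sealed=true is not healthy.
    healthy = (
        http_status == 200
        and fields.get("initialized", True)
        and not fields.get("sealed", False)
        and not fields.get("standby", False)
    )
    if healthy:
        return TestResult("Active", f"reachable, {HEALTH_CODES[200]}", version, now)
    # Prefer the body's own flags for the reason; fall back to the status code.
    if fields.get("sealed"):
        reason = "sealed"
    elif fields.get("standby"):
        reason = "in standby, not the active node"
    elif fields.get("initialized") is False:
        reason = "not initialized"
    else:
        reason = HEALTH_CODES.get(http_status, f"unexpected HTTP {http_status}")
    return TestResult("Error", f"health check failed: {reason}", version, now)


if __name__ == "__main__":
    # Constructed responses; the version string is made up for the example.
    cases = [
        (200, '{"initialized": true, "sealed": false, "standby": false, "version": "1.x-example"}'),
        (503, '{"initialized": true, "sealed": true, "standby": false}'),
        (429, '{"initialized": true, "sealed": false, "standby": true}'),
        (None, ""),
    ]
    for code, payload in cases:
        r = evaluate_health(code, payload)
        print(code, r.status, r.message, r.version)
```

Note that sys/health is an unauthenticated endpoint, so a passing test proves reachability, TLS trust and seal state, not that the configured token or AppRole can read the KV mount; a policy problem will surface on the first vault:// resolution rather than here.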
Editing a Connection
Sensitive fields (secret keys, tokens, client secrets) are masked as •••••••• when editing. Leave a masked field unchanged to keep the existing value — only enter a new value to replace it. Non-sensitive fields (region, address, tenant ID, etc.) are shown in full.
Security
- All vault configurations are encrypted at rest using AES-256-GCM before being stored in the database
- Secret values are never stored in Realm9 — only resolved at provisioning time
- Every vault reference resolution is recorded in the audit log with the secret path (never the value)
- Sensitive fields are masked in the API response when fetching vault details for editing
Role-Based Access
| Action | Viewer | User | Provisioner | Admin |
|---|---|---|---|---|
| View vault connections | — | — | ✓ | ✓ |
| Add / edit / delete vaults | — | — | ✓ | ✓ |
| Test connections | — | — | ✓ | ✓ |
| Set default vault | — | — | ✓ | ✓ |
