Overview
Secure secret storage and retrieval across any cloud.
Vault provides encrypted secret storage — store API keys, database credentials, and sensitive configuration that your application reads at runtime. Secrets are encrypted at rest and transmitted over TLS on all cloud platforms.
Platform Mapping
| Platform | Backing Service | Provisioned by |
|---|---|---|
| AWS | AWS Systems Manager Parameter Store (SecureString) | Alien (implicit) |
| GCP | Google Secret Manager | Alien (implicit) |
| Azure | Azure Key Vault | Alien |
| Kubernetes / On-Prem | Kubernetes Secrets | Alien (on-demand) |
| Local | Plaintext JSON files | Alien |
On AWS and GCP, Vault uses services that exist by default — no new infrastructure is created. On Azure, Alien provisions a Key Vault resource. On Kubernetes / on-prem, secrets are created in the namespace on-demand.
Management Access
Vaults that you declare in alien.ts are customer-managed by default. Alien can provision the vault resource and give your runtime identity the permissions you declare, but the management identity does not get secret read or write access to those vaults unless you explicitly grant it.
Alien also creates an internal secrets vault for deployment environment secrets. That vault is Alien-managed, and the management identity can write and read it so per-deployment secret environment variables can be synced.
If you want the management identity to write a user-declared vault, extend management permissions deliberately:
```typescript
export default new alien.Stack("my-app")
  .add(customerSecrets, "frozen")
  .permissions({
    management: {
      extend: {
        "customer-secrets": ["vault/data-write"],
      },
    },
  })
  .build()
```

Use `vault/data-read` only when the management identity must read secret values back. `vault/data-write` allows creating, updating, and deleting secrets but does not include value-read permission.
When to Use
Use Vault for secrets your application needs at runtime — API keys, database credentials, encryption keys, third-party tokens.
Don't use Vault for non-sensitive configuration (use environment variables) or for large data (vault values are limited to 25 KB).
Stack Definition
Declare a Vault resource in your alien.ts:
```typescript
const secrets = new alien.Vault("app-secrets").build()
```

| Parameter | Type | Description |
|---|---|---|
| id | string | Resource identifier. `[A-Za-z0-9-_]`, max 64 characters. |
Vault has no additional configuration options. The backing service (SSM, Secret Manager, Key Vault) is determined by the deployment platform.
Quick Start
```typescript
// TypeScript SDK: load the vault binding, then read and write secrets at runtime
import { vault } from "@alienplatform/sdk"
const secrets = await vault("app-secrets")
const apiKey = await secrets.get("STRIPE_API_KEY")
await secrets.set("API_KEY", "sk_live_abc123")
```

```rust
// Rust SDK: the same flow through the context's bindings
let secrets = ctx.bindings().load_vault("app-secrets").await?;
let api_key = secrets.get_secret("STRIPE_API_KEY").await?;
secrets.set_secret("API_KEY", "sk_live_abc123").await?;
```

Stack Secrets vs. Vault
| Feature | Stack secrets (env vars) | Vault |
|---|---|---|
| Set by | Stack definition | Application code at runtime |
| Read by | Environment variable | SDK call |
| Lifecycle | Tied to deployment | Independent |
| Use case | Static config | Dynamic credentials, rotation |
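An added example (not part of the Alien SDK or this page's own code) that wraps the `get`/`set` shape from the Quick Start to enforce the two limits stated above, the resource identifier rule and the 25 KB value cap, and applies them to the "dynamic credentials, rotation" use case from the table. `SecretStore` and `MemoryStore` are assumed stand-ins so the code runs offline; in a deployment the store would be the object returned by `vault("app-secrets")`.

```typescript
// Minimal shape of the vault handle shown in the Quick Start (assumption).
interface SecretStore {
  get(key: string): Promise<string | undefined>;
  set(key: string, value: string): Promise<void>;
}

// Constructed in-memory stand-in for vault("app-secrets") so the example runs offline.
class MemoryStore implements SecretStore {
  private data = new Map<string, string>();
  async get(key: string): Promise<string | undefined> { return this.data.get(key); }
  async set(key: string, value: string): Promise<void> { this.data.set(key, value); }
}

// Resource identifier rule from the Stack Definition table: [A-Za-z0-9-_], max 64 characters.
function isValidVaultId(id: string): boolean {
  return /^[A-Za-z0-9_-]{1,64}$/.test(id);
}

// Vault values are limited to 25 KB; measure UTF-8 bytes, not JavaScript string length.
const MAX_SECRET_BYTES = 25 * 1024;
function secretSizeBytes(value: string): number {
  return new TextEncoder().encode(value).length;
}

// Write a secret only if it fits the cap, then read it back so a silently
// truncated or failed write is caught here rather than at first use.
async function setAndVerify(store: SecretStore, key: string, value: string): Promise<boolean> {
  if (secretSizeBytes(value) > MAX_SECRET_BYTES) return false;
  await store.set(key, value);
  return (await store.get(key)) === value;
}

// Rotation pattern (assumed, not prescribed by the page): replace the value under the
// same key and hand back the previous value so the caller can revoke it upstream
// once dependent clients have picked up the new one. A no-op rotation is refused.
async function rotateSecret(
  store: SecretStore,
  key: string,
  next: string,
): Promise<{ ok: boolean; previous?: string }> {
  const previous = await store.get(key);
  if (previous === next) return { ok: false, previous };
  const ok = await setAndVerify(store, key, next);
  return { ok, previous };
}
```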