Overview
Secure secret storage and retrieval across any cloud.
Vault provides encrypted secret storage — store API keys, database credentials, and sensitive configuration that your application reads at runtime. Secrets are encrypted at rest and transmitted over TLS on all cloud platforms.
Platform Mapping
| Platform | Backing Service | Provisioned by |
|---|---|---|
| AWS | AWS Systems Manager Parameter Store (SecureString) | Alien (implicit) |
| GCP | Google Secret Manager | Alien (implicit) |
| Azure | Azure Key Vault | Alien |
| Local | Plaintext JSON files | Alien |
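On AWS and GCP, Vault uses services that exist by default, so no new infrastructure is created. On Azure, Alien provisions a Key Vault resource. The Local platform stores secrets as plaintext JSON files, so the encryption-at-rest statement above applies to the cloud platforms only.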
When to Use
Use Vault for secrets your application needs at runtime — API keys, database credentials, encryption keys, third-party tokens.
Don't use Vault for non-sensitive configuration (use environment variables) or for large data (vault values are limited to 25 KB).
Stack Definition
Declare a Vault resource in your alien.ts:

```typescript
const secrets = new alien.Vault("app-secrets").build()
```

| Parameter | Type | Description |
|---|---|---|
| id | string | Resource identifier. [A-Za-z0-9-_], max 64 characters. |
Vault has no additional configuration options. The backing service (SSM, Secret Manager, Key Vault) is determined by the deployment platform.
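
A pre-flight check for the two limits this page states (the `id` character set with its 64-character maximum, and the 25 KB value limit), as an added example that is not part of the Alien SDK. `SecretWriter` and all function names are hypothetical, and reading "25 KB" as 25 × 1024 UTF-8 bytes is an assumption.

```typescript
// Limits come from this page; the byte interpretation of "25 KB" is an assumption.
// Hyphen is placed last in the class so it is a literal, and the pattern is
// anchored at both ends so a valid prefix cannot smuggle in other characters.
const VAULT_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
const MAX_VALUE_BYTES = 25 * 1024;

// Hypothetical minimal shape of a vault handle, modelled on the set() call
// shown in the Quick Start. Not the SDK's own type.
interface SecretWriter {
  set(name: string, value: string): Promise<void>;
}

// Returns null when the id is acceptable, otherwise a reason that is safe to log.
function checkVaultId(id: string): string | null {
  if (id.length > 64) return "id longer than 64 characters";
  if (!VAULT_ID_PATTERN.test(id)) return "id must match [A-Za-z0-9-_]";
  return null;
}

// Size is measured in encoded bytes. value.length counts UTF-16 code units and
// under-reports any secret that contains non-ASCII characters.
function secretByteLength(value: string): number {
  return new TextEncoder().encode(value).length;
}

// Returns null when the value fits, otherwise a reason that names sizes only.
function checkSecretValue(value: string): string | null {
  const size = secretByteLength(value);
  return size > MAX_VALUE_BYTES
    ? `value is ${size} bytes, limit is ${MAX_VALUE_BYTES}`
    : null;
}

// Validate before writing. The error carries the secret's name and size,
// never the value itself, so it can be logged without leaking the secret.
async function guardedSet(store: SecretWriter, name: string, value: string): Promise<void> {
  const problem = checkSecretValue(value);
  if (problem !== null) throw new Error(`refusing to store ${name}: ${problem}`);
  await store.set(name, value);
}
```
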
Quick Start

```typescript
import { vault } from "@alienplatform/sdk"
const secrets = await vault("app-secrets")
const apiKey = await secrets.get("STRIPE_API_KEY")
await secrets.set("API_KEY", "sk_live_abc123")
```

```rust
let secrets = ctx.bindings().load_vault("app-secrets").await?;
let api_key = secrets.get_secret("STRIPE_API_KEY").await?;
secrets.set_secret("API_KEY", "sk_live_abc123").await?;
```

Stack Secrets vs. Vault
| Feature | Stack secrets (env vars) | Vault |
|---|---|---|
| Set by | Stack definition | Application code at runtime |
| Read by | Environment variable | SDK call |
| Lifecycle | Tied to deployment | Independent |
| Use case | Static config | Dynamic credentials, rotation |