Behavior & Limits
Guarantees, limits, and platform-specific behavior for Alien Vault.
Guarantees
On cloud platforms (AWS, GCP, Azure), Alien provisions and manages the vault backing service. These guarantees apply:
Encryption at Rest. All cloud platforms encrypt secrets with managed keys: AWS uses SSM's KMS encryption, GCP uses Google-managed encryption, and Azure uses Key Vault's built-in encryption.
Encryption in Transit. All communication uses TLS.
Upsert Semantics. set() creates the secret if it doesn't exist, or updates it if it does.
Get Fails on Missing. get() throws an error if the secret does not exist. Use exists() to check first.
Customer Vault Privacy. User-declared vaults do not grant the Alien management identity data read or write access by default. The management identity can operate the internal secrets vault, and it can access a user vault only when the stack explicitly extends management permissions for that vault.
Limits
| Limit | Value |
|---|---|
| Max secret value size | 25 KB (Azure Key Vault limit; AWS/GCP support 64 KB) |
| Secret name charset | Alphanumeric, -, _ |
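The guarantees and limits above can be checked on the client before a value ever reaches a provider. The following is an added example, not code from Alien or its SDK: a hypothetical in-memory vault that models upsert `set()`, fail-on-missing `get()` and `exists()`, and validates the documented name charset and the 25 KB portable size limit (measured in UTF-8 bytes; reading "KB" as 1024 bytes is this example's assumption).

```python
import re
from typing import Dict

# Portable limits documented for Alien Vault: a 25 KB value ceiling (the Azure Key
# Vault floor) and names made of alphanumerics, '-' and '_'. Reading "KB" as 1024
# bytes is this example's assumption.
MAX_SECRET_BYTES = 25 * 1024
SECRET_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


class SecretNotFound(KeyError):
    """Raised by get() on a missing secret, matching the 'get fails on missing' guarantee."""


def validate_secret_name(name: str) -> str:
    """Reject names outside the documented charset before they reach a provider."""
    if not SECRET_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid secret name {name!r}: only alphanumerics, '-' and '_' are allowed")
    return name


def validate_secret_value(value: str) -> bytes:
    """Measure the value in UTF-8 bytes, not characters: multi-byte text reaches the
    25 KB ceiling long before len(value) does."""
    encoded = value.encode("utf-8")
    if len(encoded) > MAX_SECRET_BYTES:
        raise ValueError(f"secret value is {len(encoded)} bytes; portable limit is {MAX_SECRET_BYTES}")
    return encoded


class MemoryVault:
    """Hypothetical in-memory backend that models the documented API guarantees."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def set(self, name: str, value: str) -> bool:
        """Upsert: True if the secret was created, False if an existing one was updated."""
        validate_secret_name(name)
        validate_secret_value(value)
        created = name not in self._store
        self._store[name] = value
        return created

    def exists(self, name: str) -> bool:
        return validate_secret_name(name) in self._store

    def get(self, name: str) -> str:
        validate_secret_name(name)
        if name not in self._store:
            raise SecretNotFound(name)
        return self._store[name]


def demo() -> dict:
    """Exercise each guarantee and limit; outcomes are returned so they can be asserted."""
    vault = MemoryVault()
    out = {}
    out["created"] = vault.set("db-password", "s3cr3t")
    out["updated"] = vault.set("db-password", "r0tated")  # same name: update, not an error
    out["value"] = vault.get("db-password")
    out["exists_missing"] = vault.exists("api_key")
    try:
        vault.get("api_key")
        out["get_missing"] = "returned"
    except SecretNotFound:
        out["get_missing"] = "raised"
    try:
        vault.set("db password", "x")  # the space is outside the documented charset
        out["bad_name"] = "accepted"
    except ValueError:
        out["bad_name"] = "rejected"
    # 13 Ki two-byte characters = 26 KiB: fits AWS/GCP's 64 KB but not the portable limit
    try:
        vault.set("big-blob", "é" * (13 * 1024))
        out["oversize"] = "accepted"
    except ValueError:
        out["oversize"] = "rejected"
    return out
```

The oversize case is the one that bites in practice: a value that succeeds against SSM or Secret Manager during development fails on Azure, so enforcing the 25 KB floor client-side keeps a stack portable.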
Platform Details
AWS (SSM Parameter Store)
- SecureString parameters. No infrastructure created — Parameter Store is always available.
- Naming: `{stackPrefix}-{vaultName}-{secretName}`.
- Resource-scoped IAM uses the full vault prefix, so access to one vault does not imply access to another vault with the same stack prefix.
- Read: 10,000 GetParameter/second. Write: avoid sustained writes more than once per 10 minutes per parameter.
- Max value: 64 KB.
GCP (Secret Manager)
- Versioned secrets — each `set()` creates a new version.
- Requires API enablement (handled during provisioning).
- Secret creation is project-scoped in GCP IAM, so Alien uses IAM Conditions on the secret resource name prefix for vault-scoped read and write access.
- Read: 90,000 access requests/minute/project.
- Max value: 64 KiB.
Azure (Key Vault)
- Alien provisions a dedicated Azure Key Vault resource.
- Data-plane access is granted through Azure RBAC on the specific Key Vault resource.
- Read: 4,000 GET/10 seconds. Write: 300 CREATE/10 seconds. Returns HTTP 429 when exceeded.
- Max value: 25 KB — smallest of all platforms.
Kubernetes / On-Prem
Depends on Helm configuration:
- Kubernetes Secrets (default): Stored as native K8s Secrets. Created on-demand. No versioning. Encryption at rest depends on the cluster's etcd encryption configuration — Alien does not control this.
- External vault (HashiCorp Vault, cloud KMS): Behavior depends entirely on the external service.
Local
- Secrets are stored as plaintext JSON files on disk. No encryption.
- File-based backend using a read-modify-write pattern.
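What a plaintext JSON file with read-modify-write looks like, as an added example that is not Alien's local backend code: each write reads the whole file, updates one key, and writes the whole file back. The temp-file-plus-rename write and the `0o600` file mode are hardening choices of this example, not documented Alien behaviour; the `value_is_plaintext_on_disk` check shows what "no encryption" means for anyone with read access to the file.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def read_store(path: Path) -> Dict[str, str]:
    """Read step of read-modify-write: a missing file is an empty vault."""
    if not path.exists():
        return {}
    with path.open("r", encoding="utf-8") as fh:
        return json.load(fh)


def write_store(path: Path, store: Dict[str, str]) -> None:
    """Write step. Hardening choices of this example, not documented Alien behaviour:
    write a temp file in the same directory and rename it over the original so a crash
    cannot leave a truncated vault, and mode 0o600 so only the owner can read the
    plaintext."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(store, fh, indent=2, sort_keys=True)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def local_set(path: Path, name: str, value: str) -> bool:
    """Upsert via read-modify-write; returns True on create, False on update."""
    store = read_store(path)
    created = name not in store
    store[name] = value
    write_store(path, store)
    return created


def local_get(path: Path, name: str) -> str:
    """Fails on a missing secret, like the cloud backends."""
    store = read_store(path)
    if name not in store:
        raise KeyError(name)
    return store[name]


def value_is_plaintext_on_disk(path: Path, value: str) -> bool:
    """What 'no encryption' means in practice: the secret is recoverable by reading the file."""
    return value in path.read_text(encoding="utf-8")


def demo_local() -> dict:
    """Run the pattern in a temporary directory and report what an operator would observe."""
    with tempfile.TemporaryDirectory() as tmpdir:
        vault_file = Path(tmpdir) / "vault.json"
        out = {}
        out["created"] = local_set(vault_file, "db-password", "s3cr3t")
        out["updated"] = local_set(vault_file, "db-password", "r0tated")
        out["value"] = local_get(vault_file, "db-password")
        out["old_value_gone"] = not value_is_plaintext_on_disk(vault_file, "s3cr3t")
        out["plaintext"] = value_is_plaintext_on_disk(vault_file, "r0tated")
        out["mode"] = vault_file.stat().st_mode & 0o777
        out["stray_temp_files"] = len(list(Path(tmpdir).glob("*.tmp")))
    return out
```

Because the whole file is rewritten on every `set()`, two processes writing concurrently can overwrite each other's changes; that, together with the plaintext storage, is why this backend is suited to local development rather than shared environments.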
Design Decisions
25 KB cross-platform limit. Azure Key Vault sets the floor. Alien documents this as the portable limit.
Simple CRUD API. Advanced features (versioning, rotation, audit) vary too much across providers. Use the native SDK via Direct Access for those.