The Secrets Store is used for:

Retrieving secrets from external secrets management systems
Managing secrets in memory within Substation
Referencing secrets in transform configurations using pattern matching and string interpolation

Secrets are retrieved from external systems using the utility_secret transform. Items in the Secrets Store are interpolated into specific transform configurations using the pattern ${SECRET:ID}, where ID is the name of a secret retrieved from the external system. See the project repository for an example.

aws.secrets_manager

Secrets are retrieved from AWS Secrets Manager.

Settings

Field	Type	Description	Required
id	string	The internal ID that the secret value is referenced as.	Yes
name	string	The name of the secret in AWS Secrets Manager that the secret is retrieved from.	Yes
ttl_offset	string	The amount of time that the secret is available for use before it is evicted from the store. Defaults to 15m (15 minutes).	Yes
aws.region	string	AWS region that the Secrets Manager secret is in. Defaults to the `AWS_REGION` and `AWS_DEFAULT_REGION` environment variables.	No
aws.assume_role_arn	string	AWS role that is used to authenticate. Defaults to an empty string (no role assumption is used).	No
retry.count	integer	Maximum number of times to retry calls to retrieve the secret. Defaults to the `AWS_MAX_ATTEMPTS` environment variable.	No

environment_variable

Secrets are retrieved from an environment variable on the local system.

Settings

Field	Type	Description	Required
id	string	The internal ID that the secret value is referenced as.	Yes
name	string	The name of the environment variable that the secret is retrieved from.	Yes
ttl_offset	string	The amount of time that the secret is available for use before it is evicted from the store. Defaults to 15m (15 minutes).	Yes