wonderful-secrets stores tenant secrets in a backend provider. You select the backend with SECRETS_MANAGER_TYPE when the service starts. If you switch provider types, existing secrets are not migrated automatically.

Supported Providers

Provider                | SECRETS_MANAGER_TYPE | Guide
Local file              | file                 | File Provider
AWS Secrets Manager     | aws_secrets_manager  | AWS Secrets Manager
Azure Key Vault         | azure_key_vault      | Azure Key Vault
Google Secret Manager   | gcp_secret_manager   | Google Secret Manager
HashiCorp Vault (KV v2) | hashicorp_vault      | HashiCorp Vault

Switch Provider Locally

  1. Generate env files:
     make env HOST=localhost
  2. Edit env_files/secrets.env and set:
     SECRETS_MANAGER_TYPE=<provider_type>
  3. Add provider-specific variables from the provider page.
  4. Restart wonderful-secrets:
     set -a && source env_files/secrets.env && set +a
     go run cmd/wonderful-secrets/main.go

make env preserves non-managed keys in env_files/secrets.env, so custom provider variables are kept. Managed keys such as SECRETS_MANAGER_ACCESS_KEY_ID and SECRETS_MANAGER_SECRET_ACCESS_KEY can be overwritten by regeneration.

Smoke Test Any Provider

Run this after restarting wonderful-secrets:
set -a && source env_files/secrets.env && set +a

BASE_URL="http://localhost:5056"
HOST_VALUE="${HOST:-localhost}"
TENANT_ID="smoke-tenant"
NAMESPACE="secrets"
KEY="smoke-$(date +%s)"

# Create
curl -sS -X POST \
  -H "x-api-key: ${SECRETS_SERVICE_API_KEY}" \
  -H "Content-Type: application/json" \
  "${BASE_URL}/secrets/${NAMESPACE}/${KEY}?host=${HOST_VALUE}&tenant_id=${TENANT_ID}" \
  -d '{"value":"v1"}'

# Read
curl -sS \
  -H "x-api-key: ${SECRETS_SERVICE_API_KEY}" \
  "${BASE_URL}/secrets/${NAMESPACE}/${KEY}?host=${HOST_VALUE}&tenant_id=${TENANT_ID}"

# Update
curl -sS -X PUT \
  -H "x-api-key: ${SECRETS_SERVICE_API_KEY}" \
  -H "Content-Type: application/json" \
  "${BASE_URL}/secrets/${NAMESPACE}/${KEY}?host=${HOST_VALUE}&tenant_id=${TENANT_ID}" \
  -d '{"value":"v2"}'

# Delete
curl -sS -X DELETE \
  -H "x-api-key: ${SECRETS_SERVICE_API_KEY}" \
  "${BASE_URL}/secrets/${NAMESPACE}/${KEY}?host=${HOST_VALUE}&tenant_id=${TENANT_ID}"

Expected result: each call returns HTTP 200. Use the same host and tenant_id values across all four calls, since both are part of the backend secret name.
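The same smoke test as a scripted pass/fail check, added here as an example and not code from wonderful-secrets: it verifies the values read back after create and update, and ships a constructed in-memory stand-in (`make_fake_transport`) keyed by host, tenant_id, namespace and key so the checks also run without a live service. It assumes a successful GET returns a JSON body with a `value` field, which the page does not state.

```python
import json
import urllib.error
import urllib.request

# Assumption (not stated on the page): a successful GET returns JSON with a "value" field.

def http_send(base_url, api_key, method, path, body=None):
    """Real transport: one request via urllib -> (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def make_fake_transport(store=None):
    """Constructed in-memory stand-in for the service so the checks run offline.
    Secrets are keyed by (host, tenant_id, namespace, key), as the page notes."""
    store = {} if store is None else store

    def send(base_url, api_key, method, path, body=None):
        route, _, query = path.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if p)
        _, _, namespace, key = route.split("/", 3)
        name = (params.get("host"), params.get("tenant_id"), namespace, key)
        if method in ("POST", "PUT"):
            store[name] = body["value"]
            return 200, {}
        if name not in store:
            return 404, {}
        if method == "DELETE":
            del store[name]
            return 200, {}
        return 200, {"value": store[name]}
    return send

def smoke_test(base_url, api_key, send=http_send, host="localhost",
               tenant_id="smoke-tenant", namespace="secrets", key="smoke-1"):
    """Create, read, update, read, delete; return [(step, passed), ...]."""
    path = f"/secrets/{namespace}/{key}?host={host}&tenant_id={tenant_id}"
    return [
        ("create", send(base_url, api_key, "POST", path, {"value": "v1"})[0] == 200),
        ("read v1", send(base_url, api_key, "GET", path)[1].get("value") == "v1"),
        ("update", send(base_url, api_key, "PUT", path, {"value": "v2"})[0] == 200),
        ("read v2", send(base_url, api_key, "GET", path)[1].get("value") == "v2"),
        ("delete", send(base_url, api_key, "DELETE", path)[0] == 200),
    ]
```

Against a running instance, call `smoke_test("http://localhost:5056", os.environ["SECRETS_SERVICE_API_KEY"])` and treat any step reported as False as a failed provider switch.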