Secret Management Configuration

The SecretManagement section controls where Vectra resolves sensitive configuration values (API keys, connection strings, JWT signing keys).

Class: Vectra.BuildingBlocks.Configuration.SecretManagement.SecretManagementConfiguration

Properties

Property	Type	Default	Description
`DefaultProvider`	`SecretManagementProviderType`	`None`	Active provider: `None`, `EnvironmentVariables`, or `AzureKeyVault`
`Providers.EnvironmentVariables`	`EnvironmentVariablesSecretConfiguration`	`{}`	Environment variable provider (no extra config needed)
`Providers.AzureKeyVault.VaultUri`	`string`	—	Azure Key Vault URI

Providers

None (Default)

No external secret resolution. Configuration values are read directly from appsettings.json or environment variables passed to the process.

"SecretManagement": {
  "DefaultProvider": "None"
}

Environment Variables

Resolves secrets from environment variables. Useful for containerised deployments.

"SecretManagement": {
  "DefaultProvider": "EnvironmentVariables"
}

Azure Key Vault

Integrates with Azure Key Vault using the Azure SDK. Vectra uses DefaultAzureCredential, so it works with managed identities, service principals, or az login locally.

"SecretManagement": {
  "DefaultProvider": "AzureKeyVault",
  "Providers": {
    "AzureKeyVault": {
      "VaultUri": "https://your-vault.vault.azure.net/"
    }
  }
}

How It Works

The SecretManagementService wraps the configured ISecretProvider. Secrets can be resolved at startup (via AddVectraSecretManagement() in VectraCommandLine) before the service container is built, making them available in IConfiguration.

The provider factory (SecretProviderFactory) selects the correct implementation based on DefaultProvider.

Properties​

Providers​

None (Default)​

Environment Variables​

Azure Key Vault​

How It Works​