diff --git a/docs/docs.json b/docs/docs.json
index f83d2de..ed72790 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -512,7 +512,7 @@
"dark": "/logo/dark-logo.svg"
},
"banner": {
- "content": "🎉 **Flipt v2 is now available!** Experience the next generation of feature management with [Pro features](https://docs.flipt.io/v2/pro) and enhanced GitOps workflow.",
+ "content": "🎉 **New in Flipt Pro:** Integrated secrets management with HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. [Learn more](https://docs.flipt.io/v2/pro).",
"dismissible": true
},
"api": {
diff --git a/docs/package-lock.json b/docs/package-lock.json
index 3641feb..2f6f681 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -468,6 +468,7 @@
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"dev": true,
"license": "MIT",
+ "peer": true,
"bin": {
"acorn": "bin/acorn"
},
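Review bot: the `"peer": true` additions in package-lock.json are unrelated to the documentation change and look like churn from a different npm version regenerating the lockfile; either drop them from this PR or land them separately so the docs diff stays reviewable and the lockfile history records why the flag changed.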
@@ -854,6 +855,7 @@
"deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
"dev": true,
"license": "MIT",
+ "peer": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.6.1",
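Review bot: the context at the top of this hunk shows the pinned eslint release carries a `deprecated: "This version is no longer supported"` notice; since the lockfile is being touched here anyway, track an upgrade to a supported eslint line in a follow-up rather than only re-flagging the stale entry as a peer dependency.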
@@ -3212,6 +3214,7 @@
"integrity": "sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==",
"dev": true,
"license": "MIT",
+ "peer": true,
"bin": {
"prettier": "bin-prettier.js"
},
diff --git a/docs/v2/configuration/overview.mdx b/docs/v2/configuration/overview.mdx
index 4aada1f..5e03ea2 100644
--- a/docs/v2/configuration/overview.mdx
+++ b/docs/v2/configuration/overview.mdx
@@ -448,7 +448,7 @@ Credentials configuration manages authentication details for accessing remote Gi
### Secrets
-Secrets configuration enables integration with external secret management systems like Vault for secure credential storage.
+Secrets configuration enables integration with external secret management systems for secure credential storage. See the [Secrets](/v2/configuration/secrets) documentation for detailed provider setup and usage.
| Property | Description | Default | Since |
| ------------------------------ | -------------------------------------- | ------- | ------ |
@@ -471,6 +471,26 @@ Secrets configuration enables integration with external secret management system
| secrets.providers.vault.mount | Vault mount path for secrets | secret | v2.0.0 |
| secrets.providers.vault.namespace | Vault namespace for enterprise Vault deployments | | v2.0.0 |
+#### Secrets Provider: AWS Secrets Manager
+
+| Property | Description | Default | Since |
+| ---------------------------------- | --------------------------------------------------------------- | ------- | ------ |
+| secrets.providers.aws.endpoint_url | Custom endpoint URL (for LocalStack or AWS-compatible services) | | v2.8.0 |
+
+#### Secrets Provider: GCP Secret Manager
+
+| Property | Description | Default | Since |
+| --------------------------------- | --------------------------------------------- | ------- | ------ |
+| secrets.providers.gcp.project | GCP project ID | | v2.8.0 |
+| secrets.providers.gcp.location | GCP region for regional secrets | | v2.8.0 |
+| secrets.providers.gcp.credentials | Path to service account credentials JSON file | | v2.8.0 |
+
+#### Secrets Provider: Azure Key Vault
+
+| Property | Description | Default | Since |
+| --------------------------------- | --------------------------------------------------------------- | ------- | ------ |
+| secrets.providers.azure.vault_url | Azure Key Vault URL (e.g., `https://my-vault.vault.azure.net/`) | | v2.8.0 |
+
## Observability & Operations
### Logging
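Review bot: the AWS table lists only `secrets.providers.aws.endpoint_url`, so a reader of the overview has no indication of where the region and credentials come from; add a sentence under that heading saying they are resolved by the AWS SDK from the environment and credential chain, as the secrets page does, otherwise people will look for a `region` property that does not exist. For `secrets.providers.gcp.credentials`, the description should say that the file it points at is a long-lived service account key, so it needs to be readable only by the user Flipt runs as and should be preferred over only when Application Default Credentials are unavailable.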
diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx
index f66910b..2924f9e 100644
--- a/docs/v2/configuration/secrets.mdx
+++ b/docs/v2/configuration/secrets.mdx
@@ -21,19 +21,36 @@ Instead of storing sensitive values directly in Flipt configuration files, exter
Flipt supports multiple secret providers to fit different deployment scenarios:
-
- We're working on adding support for more secret providers, including AWS
- Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
-
-
-
+
Store secrets in local files - ideal for development and simple deployments
-
+
Enterprise-grade secret management with advanced authentication and access
controls
+
+ Retrieve secrets from AWS Secrets Manager using standard AWS credentials
+
+
+ Retrieve secrets from Google Cloud Secret Manager with Application Default
+ Credentials or service account keys
+
+
+ Retrieve secrets from Azure Key Vault using Azure identity credentials
+
## Configuration Overview
@@ -51,6 +68,14 @@ secrets:
enabled: true
address: "https://vault.company.com"
auth_method: "token"
+ aws:
+ enabled: true
+ gcp:
+ enabled: true
+ project: "my-gcp-project"
+ azure:
+ enabled: true
+ vault_url: "https://my-vault.vault.azure.net/"
```
## File Provider
@@ -151,6 +176,166 @@ export FLIPT_SECRETS_PROVIDERS_VAULT_ROLE_ID="your_role_id"
export FLIPT_SECRETS_PROVIDERS_VAULT_SECRET_ID="your_secret_id"
```
+## AWS Secrets Manager Provider
+
+The AWS Secrets Manager provider retrieves secrets stored in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). It uses the AWS SDK for Go v2, which automatically resolves credentials from the standard AWS credential chain.
+
+### Configuration
+
+```yaml
+secrets:
+ providers:
+ aws:
+ enabled: true
+```
+
+| Field | Type | Required | Default | Description |
+| -------------- | ------ | -------- | --------- | -------------------------------------------------------------------------------- |
+| `enabled` | bool | No | `false` | Enables the AWS Secrets Manager provider |
+| `endpoint_url` | string | No | _(empty)_ | Custom endpoint URL (useful for [LocalStack](https://localstack.cloud/) testing) |
+
+### Authentication
+
+The AWS provider relies on the [default AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html). You can authenticate using any of the following methods:
+
+- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN` for temporary credentials)
+- Shared credentials file (`~/.aws/credentials`)
+- IAM roles for Amazon EC2 or ECS
+- IAM Roles Anywhere
+- SSO credentials
+
+Set the AWS region using the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variable.
+
+### Environment Variables
+
+```bash
+export AWS_DEFAULT_REGION="us-east-1"
+export AWS_ACCESS_KEY_ID="your_access_key"
+export AWS_SECRET_ACCESS_KEY="your_secret_key"
+export AWS_SESSION_TOKEN="your_session_token" # Only needed for temporary credentials (STS, assumed roles)
+```
+
+You can also configure the provider itself through environment variables:
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_AWS_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_AWS_ENDPOINT_URL="http://localhost:4566"
+```
+
+### Custom Endpoint
+
+For local development with LocalStack or other AWS-compatible services, specify a custom endpoint:
+
+```yaml
+secrets:
+ providers:
+ aws:
+ enabled: true
+ endpoint_url: "http://localhost:4566"
+```
+
+## GCP Secret Manager Provider
+
+The GCP Secret Manager provider retrieves secrets stored in [Google Cloud Secret Manager](https://cloud.google.com/secret-manager). It supports both global and regional secrets.
+
+### Configuration
+
+```yaml
+secrets:
+ providers:
+ gcp:
+ enabled: true
+ project: "my-gcp-project"
+```
+
+| Field | Type | Required | Default | Description |
+| ------------- | ------ | ------------------ | --------- | ------------------------------------------------------------------------------------------------------ |
+| `enabled` | bool | No | `false` | Enables the GCP Secret Manager provider |
+| `project` | string | Yes (when enabled) | _(none)_ | GCP project ID |
+| `location` | string | No | _(empty)_ | GCP region for [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional) |
+| `credentials` | string | No | _(empty)_ | Path to a service account credentials JSON file |
+
+### Authentication
+
+The GCP provider supports two authentication methods:
+
+- **Application Default Credentials (ADC)**: Automatically used when no `credentials` path is specified. This works with GCE metadata, GKE workload identity, and `gcloud auth application-default login`.
+- **Service account key file**: Specify an explicit path to a service account JSON credentials file.
+
+```yaml
+secrets:
+ providers:
+ gcp:
+ enabled: true
+ project: "my-gcp-project"
+ credentials: "/path/to/service-account.json"
+```
+
+### Regional Secrets
+
+By default, the provider accesses global secrets. To use [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional), specify the `location` field:
+
+```yaml
+secrets:
+ providers:
+ gcp:
+ enabled: true
+ project: "my-gcp-project"
+ location: "us-central1"
+```
+
+### Environment Variables
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_GCP_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_GCP_PROJECT="my-gcp-project"
+export FLIPT_SECRETS_PROVIDERS_GCP_LOCATION="us-central1"
+export FLIPT_SECRETS_PROVIDERS_GCP_CREDENTIALS="/path/to/credentials.json"
+```
+
+## Azure Key Vault Provider
+
+The Azure Key Vault provider retrieves secrets stored in [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault). It uses the Azure SDK for Go with `DefaultAzureCredential`, which supports multiple authentication methods.
+
+### Configuration
+
+```yaml
+secrets:
+ providers:
+ azure:
+ enabled: true
+ vault_url: "https://my-vault.vault.azure.net/"
+```
+
+| Field | Type | Required | Default | Description |
+| ----------- | ------ | ------------------ | -------- | ---------------------------------------------------------------------- |
+| `enabled` | bool | No | `false` | Enables the Azure Key Vault provider |
+| `vault_url` | string | Yes (when enabled) | _(none)_ | Azure Key Vault URL (for example, `https://my-vault.vault.azure.net/`) |
+
+### Authentication
+
+The Azure provider uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication), which tries multiple authentication methods in order:
+
+- Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`)
+- Workload identity (for Kubernetes)
+- Managed identity (for Azure VMs, App Service, and other Azure services)
+- Azure CLI credentials
+
+### Environment Variables
+
+```bash
+export AZURE_CLIENT_ID="your_client_id"
+export AZURE_TENANT_ID="your_tenant_id"
+export AZURE_CLIENT_SECRET="your_client_secret"
+```
+
+You can also configure the provider itself through environment variables:
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_AZURE_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_AZURE_VAULT_URL="https://my-vault.vault.azure.net/"
+```
+
## Using Secrets in Configuration
Secrets can be referenced throughout your Flipt v2 configuration using the secret reference syntax. Secret references must always include the provider specification.
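Review bot: none of the three new provider sections says what the identity must be allowed to do, so the least-privilege setup is left to the reader; add the minimal read permission per provider next to each Authentication section (for AWS that is `secretsmanager:GetSecretValue` on the referenced secret ARNs; GCP and Azure have equivalent read-only secret-access roles) and state that list, write and delete rights are not needed. Two smaller points in the same hunk: the AWS and Azure Environment Variables examples lead with static long-lived keys (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, `AZURE_CLIENT_SECRET`) even though the Authentication text lists IAM roles, workload identity and managed identity, so recommend the role-based methods for production and present the static keys as the fallback for local use. And the `endpoint_url` example `http://localhost:4566` is plaintext HTTP; say explicitly that a non-TLS custom endpoint is only acceptable for local testing, since every secret value Flipt fetches transits that connection.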
@@ -159,7 +344,7 @@ Secrets can be referenced throughout your Flipt v2 configuration using the secre
Secret references use the format `${secret:provider:key}` where:
-- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`)
+- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`, `aws`, `gcp`, `azure`)
- `key` is the name of the secret to retrieve
### File Provider Examples
@@ -205,6 +390,27 @@ authentication:
credential: "${secret:vault:flipt/tokens:ci-token}"
```
+### Cloud Provider Examples
+
+For cloud providers (AWS, GCP, Azure), the `key` in the secret reference corresponds to the exact secret name as stored in the provider. Path separators and version specifiers are not supported in the key — use the secret's name directly.
+
+```yaml
+storage:
+ default:
+ git:
+ authentication:
+ token: "${secret:gcp:git-token}" # GCP Secret Manager
+ password: "${secret:aws:git-password}" # AWS Secrets Manager
+
+authentication:
+ methods:
+ oidc:
+ providers:
+ azure_ad:
+ client_id: "${secret:azure:oidc-client-id}" # Azure Key Vault
+ client_secret: "${secret:azure:oidc-client-secret}" # Azure Key Vault
+```
+
### Combined with Environment Variables
You can combine secret references with environment variables in the same configuration:
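Review bot: the sentence "Path separators and version specifiers are not supported in the key" conflicts with common AWS usage, where secret names are hierarchical (for example `prod/flipt/git-password`), and it leaves unstated which version is returned when none can be specified; clarify whether a `/` inside an AWS secret name is accepted as part of the name (as opposed to the `path:key` form the Vault example above uses with `flipt/tokens:ci-token`), and document that the current or latest version is what gets resolved, if that is the behaviour, because operators rotating secrets need to know which version Flipt will read.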
diff --git a/docs/v2/pro.mdx b/docs/v2/pro.mdx
index a8f2d29..6b53d9c 100644
--- a/docs/v2/pro.mdx
+++ b/docs/v2/pro.mdx
@@ -17,8 +17,8 @@ mode: "wide"
Secure storage for sensitive configuration data including GPG keys, API keys,
- tokens, and certificates with HashiCorp Vault integration and secrets
- references.
+ tokens, and certificates with HashiCorp Vault, AWS Secrets Manager, GCP Secret
+ Manager, and Azure Key Vault.
@@ -51,8 +51,8 @@ Flipt Pro provides native integration with popular source control management (SC
Securely manage sensitive data with built-in secrets management:
- **Comprehensive Secrets Support**: Store GPG keys, API keys, tokens, and certificates securely
-- **Multiple Providers**: HashiCorp Vault integration with secrets references throughout configuration
-- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault support coming soon
+- **Multiple Providers**: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault, with secrets references throughout configuration
+- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault
### Air-Gapped Environment Support
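Review bot: after this change the "Cloud Provider Support" bullet repeats exactly the providers already listed in the "Multiple Providers" bullet directly above it; drop the second bullet, or repurpose it to say something the first does not (for example that the cloud providers authenticate with the platform's native identity rather than credentials stored in Flipt's own configuration).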