From 2b5eabd0f63c6a461f02bacb22540485fbe8b64d Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 1 Mar 2026 02:42:37 +0000 Subject: [PATCH 1/7] docs: add AWS, GCP, and Azure secrets provider documentation Add documentation for three new cloud secrets providers: - AWS Secrets Manager: configuration, authentication via AWS credential chain, custom endpoints for LocalStack - GCP Secret Manager: configuration, ADC and service account auth, regional secrets support - Azure Key Vault: configuration, DefaultAzureCredential auth methods Also updates the pro.mdx page to reflect that cloud provider support is now available (no longer "coming soon"). Closes #398, Closes #390 https://claude.ai/code/session_01KAfEyV81ZochM2Z9dT9CKB --- docs/v2/configuration/secrets.mdx | 203 +++++++++++++++++++++++++++++- docs/v2/pro.mdx | 6 +- 2 files changed, 200 insertions(+), 9 deletions(-) diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx index f66910b..f8994df 100644 --- a/docs/v2/configuration/secrets.mdx +++ b/docs/v2/configuration/secrets.mdx @@ -21,11 +21,6 @@ Instead of storing sensitive values directly in Flipt configuration files, exter Flipt supports multiple secret providers to fit different deployment scenarios: - - We're working on adding support for more secret providers, including AWS - Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager. - - Store secrets in local files - ideal for development and simple deployments @@ -34,6 +29,16 @@ Flipt supports multiple secret providers to fit different deployment scenarios: Enterprise-grade secret management with advanced authentication and access controls + + Retrieve secrets from AWS Secrets Manager using standard AWS credentials + + + Retrieve secrets from Google Cloud Secret Manager with Application Default + Credentials or service account keys + + + Retrieve secrets from Azure Key Vault using Azure identity credentials + ## Configuration Overview 
@@ -51,6 +56,14 @@ secrets: enabled: true address: "https://vault.company.com" auth_method: "token" + aws: + enabled: true + gcp: + enabled: true + project: "my-gcp-project" + azure: + enabled: true + vault_url: "https://my-vault.vault.azure.net/" ``` ## File Provider 
@@ -151,6 +164,165 @@ export FLIPT_SECRETS_PROVIDERS_VAULT_ROLE_ID="your_role_id" export FLIPT_SECRETS_PROVIDERS_VAULT_SECRET_ID="your_secret_id" ``` +## AWS Secrets Manager Provider + +The AWS Secrets Manager provider retrieves secrets stored in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). It uses the AWS SDK for Go v2, which automatically resolves credentials from the standard AWS credential chain. + +### Configuration + +```yaml +secrets: + providers: + aws: + enabled: true +``` + +| Field | Type | Required | Default | Description | +| -------------- | ------ | -------- | --------- | -------------------------------------------------------------------------------- | +| `enabled` | bool | No | `false` | Enables the AWS Secrets Manager provider | +| `endpoint_url` | string | No | _(empty)_ | Custom endpoint URL (useful for [LocalStack](https://localstack.cloud/) testing) | + +### Authentication + +The AWS provider relies on the [default AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html). You can authenticate using any of the following methods: + +- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) +- Shared credentials file (`~/.aws/credentials`) +- IAM roles for Amazon EC2 or ECS +- IAM Roles Anywhere +- SSO credentials + +Set the AWS region using the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variable. 
+ +### Environment Variables + +```bash +export AWS_DEFAULT_REGION="us-east-1" +export AWS_ACCESS_KEY_ID="your_access_key" +export AWS_SECRET_ACCESS_KEY="your_secret_key" +``` + +You can also configure the provider itself through environment variables: + +```bash +export FLIPT_SECRETS_PROVIDERS_AWS_ENABLED=true +export FLIPT_SECRETS_PROVIDERS_AWS_ENDPOINT_URL="http://localhost:4566" +``` + +### Custom Endpoint + +For local development with LocalStack or other AWS-compatible services, specify a custom endpoint: + +```yaml +secrets: + providers: + aws: + enabled: true + endpoint_url: "http://localhost:4566" +``` + +## GCP Secret Manager Provider + +The GCP Secret Manager provider retrieves secrets stored in [Google Cloud Secret Manager](https://cloud.google.com/secret-manager). It supports both global and regional secrets. + +### Configuration + +```yaml +secrets: + providers: + gcp: + enabled: true + project: "my-gcp-project" +``` + +| Field | Type | Required | Default | Description | +| ------------- | ------ | ------------------ | --------- | ------------------------------------------------------------------------------------------------------ | +| `enabled` | bool | No | `false` | Enables the GCP Secret Manager provider | +| `project` | string | Yes (when enabled) | _(none)_ | GCP project ID | +| `location` | string | No | _(empty)_ | GCP region for [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional) | +| `credentials` | string | No | _(empty)_ | Path to a service account credentials JSON file | + +### Authentication + +The GCP provider supports two authentication methods: + +- **Application Default Credentials (ADC)**: Automatically used when no `credentials` path is specified. This works with GCE metadata, GKE workload identity, and `gcloud auth application-default login`. +- **Service account key file**: Specify an explicit path to a service account JSON credentials file. 
+ +```yaml +secrets: + providers: + gcp: + enabled: true + project: "my-gcp-project" + credentials: "/path/to/service-account.json" +``` + +### Regional Secrets + +By default, the provider accesses global secrets. To use [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional), specify the `location` field: + +```yaml +secrets: + providers: + gcp: + enabled: true + project: "my-gcp-project" + location: "us-central1" +``` + +### Environment Variables + +```bash +export FLIPT_SECRETS_PROVIDERS_GCP_ENABLED=true +export FLIPT_SECRETS_PROVIDERS_GCP_PROJECT="my-gcp-project" +export FLIPT_SECRETS_PROVIDERS_GCP_LOCATION="us-central1" +export FLIPT_SECRETS_PROVIDERS_GCP_CREDENTIALS="/path/to/credentials.json" +``` + +## Azure Key Vault Provider + +The Azure Key Vault provider retrieves secrets stored in [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault). It uses the Azure SDK for Go with `DefaultAzureCredential`, which supports multiple authentication methods. 
+ +### Configuration + +```yaml +secrets: + providers: + azure: + enabled: true + vault_url: "https://my-vault.vault.azure.net/" +``` + +| Field | Type | Required | Default | Description | +| ----------- | ------ | ------------------ | -------- | ---------------------------------------------------------------------- | +| `enabled` | bool | No | `false` | Enables the Azure Key Vault provider | +| `vault_url` | string | Yes (when enabled) | _(none)_ | Azure Key Vault URL (for example, `https://my-vault.vault.azure.net/`) | + +### Authentication + +The Azure provider uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication), which tries multiple authentication methods in order: + +- Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`) +- Workload identity (for Kubernetes) +- Managed identity (for Azure VMs, App Service, and other Azure services) +- Azure CLI credentials + +### Environment Variables + +```bash +export AZURE_CLIENT_ID="your_client_id" +export AZURE_TENANT_ID="your_tenant_id" +export AZURE_CLIENT_SECRET="your_client_secret" +``` + +You can also configure the provider itself through environment variables: + +```bash +export FLIPT_SECRETS_PROVIDERS_AZURE_ENABLED=true +export FLIPT_SECRETS_PROVIDERS_AZURE_VAULT_URL="https://my-vault.vault.azure.net/" +``` + ## Using Secrets in Configuration Secrets can be referenced throughout your Flipt v2 configuration using the secret reference syntax. Secret references must always include the provider specification. 
@@ -159,7 +331,7 @@ Secrets can be referenced throughout your Flipt v2 configuration using the secre Secret references use the format `${secret:provider:key}` where: -- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`) +- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`, `aws`, `gcp`, `azure`) - `key` is the name of the secret to retrieve ### File Provider Examples @@ -205,6 +377,25 @@ authentication: credential: "${secret:vault:flipt/tokens:ci-token}" ``` +### Cloud Provider Examples + +```yaml +storage: + default: + git: + authentication: + token: "${secret:gcp:git-token}" # GCP Secret Manager + password: "${secret:aws:git-password}" # AWS Secrets Manager + +authentication: + methods: + oidc: + providers: + azure_ad: + client_id: "${secret:azure:oidc-client-id}" # Azure Key Vault + client_secret: "${secret:azure:oidc-client-secret}" # Azure Key Vault +``` + ### Combined with Environment Variables You can combine secret references with environment variables in the same configuration: diff --git a/docs/v2/pro.mdx b/docs/v2/pro.mdx index a8f2d29..508a8e2 100644 --- a/docs/v2/pro.mdx +++ b/docs/v2/pro.mdx @@ -17,8 +17,8 @@ mode: "wide" Secure storage for sensitive configuration data including GPG keys, API keys, - tokens, and certificates with HashiCorp Vault integration and secrets - references. + tokens, and certificates with HashiCorp Vault, AWS Secrets Manager, GCP Secret + Manager, and Azure Key Vault. 
@@ -52,7 +52,7 @@ Securely manage sensitive data with built-in secrets management: - **Comprehensive Secrets Support**: Store GPG keys, API keys, tokens, and certificates securely - **Multiple Providers**: HashiCorp Vault integration with secrets references throughout configuration -- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault support coming soon +- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault ### Air-Gapped Environment Support From 70df51163a51cfac768c45d15bdffacda872e91f Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 1 Mar 2026 02:43:34 +0000 Subject: [PATCH 2/7] chore: apply Prettier formatting to existing files Auto-formatted by Prettier when running `npm run format`. https://claude.ai/code/session_01KAfEyV81ZochM2Z9dT9CKB --- docs/reo.js | 4 +- docs/v1/authorization/overview.mdx | 2 - .../migration/launchdarkly/openfeature.mdx | 171 ++++++++++-------- 3 files changed, 98 insertions(+), 79 deletions(-) diff --git a/docs/reo.js b/docs/reo.js index e1ed7a2..3ec99aa 100644 --- a/docs/reo.js +++ b/docs/reo.js @@ -1,6 +1,6 @@ !(function () { var e, t, n; - (e = "a9505926280f383"), + ((e = "a9505926280f383"), (t = function () { Reo.init({ clientID: "a9505926280f383" }); }), @@ -8,5 +8,5 @@ "https://static.reo.dev/" + e + "/reo.js"), (n.defer = !0), (n.onload = t), - document.head.appendChild(n); + document.head.appendChild(n)); })(); diff --git a/docs/v1/authorization/overview.mdx b/docs/v1/authorization/overview.mdx index d5c38d1..7c9c1ec 100644 --- a/docs/v1/authorization/overview.mdx +++ b/docs/v1/authorization/overview.mdx 
@@ -187,14 +187,12 @@ The `input.request` field contains information about the incoming request. This - `namespace`: The [namespace](/v1/concepts#namespaces) in Flipt of the resource being accessed. If no namespace is provided, the default namespace is used, or it is not applicable as the resource is not namespace scoped (e.g. authentication) - `resource`: The resource being accessed. This can be one of: - - `namespace`: Access to [namespace](/v1/concepts#namespaces) resources (e.g., listing or creating namespaces). - `flag`: Access to [flag](/v1/concepts#flags) resources and sub-resources (e.g., listing or creating flags, variants, rules or rollouts). - `segment`: Access to [segment](/v1/concepts#segments) resources and sub-resources (e.g., listing or creating segments, constraints or distributions). - `authentication`: Access to authentication resources (e.g., listing or creating client tokens). - `subject`: The (optional) nested subject of the request. This can be one of: - - `namespace`: Access to [namespace](/v1/concepts#namespaces) resources. - `flag`: Access to [flag](/v1/concepts#flags) resources. - `variant`: Access to flag [variant](/v1/concepts#variant-flags) resources. diff --git a/docs/v1/guides/migration/launchdarkly/openfeature.mdx b/docs/v1/guides/migration/launchdarkly/openfeature.mdx index 8e6805f..8374f76 100644 --- a/docs/v1/guides/migration/launchdarkly/openfeature.mdx +++ b/docs/v1/guides/migration/launchdarkly/openfeature.mdx @@ -149,11 +149,11 @@ In the LaunchDarkly SDK, here's how you fetch the value of a boolean flag: const booleanFlagValue = await ldClient.boolVariation( featureFlags.booleanFlag.key, context, - false + false, ); doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - booleanFlagValue + booleanFlagValue, ); ``` @@ -165,8 +165,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` 
@@ -180,8 +180,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -193,8 +193,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -210,8 +210,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -223,8 +223,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -236,8 +236,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -249,8 +249,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -262,8 +262,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -275,8 +275,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -295,8 +295,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -306,11 +306,11 @@ or, using the async/await syntax: const stringFlagValue = await ldClient.stringVariation( featureFlags.stringFlag.key, context, - "red" + "red", ); doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - stringFlagValue + stringFlagValue, ); ``` @@ -324,8 +324,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` 
@@ -337,8 +337,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -350,8 +350,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -363,8 +363,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -376,8 +376,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -389,8 +389,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -404,8 +404,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -415,11 +415,11 @@ or using the async/await syntax: const numberFlagValue = await ldClient.numberVariation( featureFlags.numberFlag.key, context, - 50 + 50, ); doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - numberFlagValue + numberFlagValue, ); ``` @@ -433,8 +433,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -446,8 +446,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -459,8 +459,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -472,8 +472,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` 
@@ -485,8 +485,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -498,8 +498,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue - ) + flagValue, + ), ); ``` @@ -517,7 +517,10 @@ You can call each of these functions with a promise call chain: ldClient .jsonVariation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -527,11 +530,11 @@ or using the async/await syntax: const jsonFlagValue = await ldClient.jsonVariation( featureFlags.jsonFlag.key, context, - {} + {}, ); doSomethingDependingOnFeatureFlagValue( featureFlags.jsonFlag.key, - jsonFlagValue + jsonFlagValue, ); ``` @@ -541,7 +544,10 @@ When migrating a `jsonVariation()` call to the OpenFeature SDK, ldClient .jsonVariation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -551,7 +557,10 @@ becomes client .getObjectValue(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -561,7 +570,10 @@ When migrating a `variation()` call, ldClient .variation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` 
@@ -571,7 +583,10 @@ also becomes client .getObjectValue(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -581,7 +596,10 @@ Finally, when migrating a `jsonVariationDetail()` call, ldClient .jsonVariationDetail(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -591,7 +609,10 @@ becomes client .getObjectDetails(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) + doSomethingDependingOnFeatureFlagValue( + featureFlags.jsonFlag.key, + flagValue, + ), ); ``` @@ -649,8 +670,8 @@ try { } catch (error) { console.log( `Failed to connect to LaunchDarkly :( Here's what the error says: ${JSON.stringify( - error - )}` + error, + )}`, ); } ``` @@ -661,8 +682,8 @@ LaunchDarkly also allows listening to the `error` event that signals an abnormal ldClient.on("error", (error) => { console.log( `The LaunchDarkly client has encountered an error. Here are the details: ${JSON.stringify( - error - )}` + error, + )}`, ); }); ``` @@ -673,8 +694,8 @@ In OpenFeature SDK terms, the equivalent listener looks like this: OpenFeature.addHandler(ProviderEvents.Error, (error) => { console.log( `The OpenFeature client for LaunchDarkly has encountered an error. Here are the details: ${JSON.stringify( - error - )}` + error, + )}`, ); }); ``` @@ -689,7 +710,7 @@ ldClient.on("update", (keyObject) => { ldClient .variation(keyObject.key, context, false) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(keyObject.key, flagValue) + doSomethingDependingOnFeatureFlagValue(keyObject.key, flagValue), ); }); ``` 
@@ -699,15 +720,15 @@ The `update:key` listener is more specific and serves to receive configuration u ```javascript ldClient.on(`update:${featureFlags.booleanFlag.key}`, () => { console.log( - `Configuration of flag ${featureFlags.booleanFlag.key} has changed` + `Configuration of flag ${featureFlags.booleanFlag.key} has changed`, ); ldClient .variation(featureFlags.booleanFlag.key, context, false) .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue - ) + flagValue, + ), ); }); ``` @@ -719,7 +740,7 @@ OpenFeature.addHandler( ProviderEvents.ConfigurationChanged, async (_eventDetails) => { // your event handling code - } + }, ); ``` @@ -732,7 +753,7 @@ OpenFeature.addHandler( const changedFlag = _eventDetails.flagsChanged[0]; console.log(`Configuration of flag ${changedFlag} has changed`); const flagType = Object.values(featureFlags).find( - (x) => x.key === changedFlag + (x) => x.key === changedFlag, ).type; let flagValue; @@ -746,11 +767,11 @@ OpenFeature.addHandler( flagValue = await client.getObjectValue(changedFlag, null, context); } else { console.log( - "Something went awry: we don't know the type of the updated flag" + "Something went awry: we don't know the type of the updated flag", ); } doSomethingDependingOnFeatureFlagValue(changedFlag, flagValue); - } + }, ); ``` From 9ea045685270adb4b0bcbc27a7135432d00e5b03 Mon Sep 17 00:00:00 2001 From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:59:52 -0500 Subject: [PATCH 3/7] docs: address PR review feedback for secrets provider docs - Revert unrelated changes to docs/reo.js (vendor script) - Revert unrelated Prettier reformatting in LaunchDarkly migration guide - Add href links to provider cards for in-page navigation - Add AWS_SESSION_TOKEN for temporary credentials (STS, assumed roles) - Clarify that cloud provider secret keys use exact names (no paths/versions) - Apply Prettier formatting 
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- docs/reo.js | 4 +- .../migration/launchdarkly/openfeature.mdx | 171 ++++++++---------- docs/v2/configuration/secrets.mdx | 27 ++- 3 files changed, 98 insertions(+), 104 deletions(-) diff --git a/docs/reo.js b/docs/reo.js index 3ec99aa..e1ed7a2 100644 --- a/docs/reo.js +++ b/docs/reo.js @@ -1,6 +1,6 @@ !(function () { var e, t, n; - ((e = "a9505926280f383"), + (e = "a9505926280f383"), (t = function () { Reo.init({ clientID: "a9505926280f383" }); }), @@ -8,5 +8,5 @@ "https://static.reo.dev/" + e + "/reo.js"), (n.defer = !0), (n.onload = t), - document.head.appendChild(n)); + document.head.appendChild(n); })(); diff --git a/docs/v1/guides/migration/launchdarkly/openfeature.mdx b/docs/v1/guides/migration/launchdarkly/openfeature.mdx index 8374f76..8e6805f 100644 --- a/docs/v1/guides/migration/launchdarkly/openfeature.mdx +++ b/docs/v1/guides/migration/launchdarkly/openfeature.mdx @@ -149,11 +149,11 @@ In the LaunchDarkly SDK, here's how you fetch the value of a boolean flag: const booleanFlagValue = await ldClient.boolVariation( featureFlags.booleanFlag.key, context, - false, + false ); doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - booleanFlagValue, + booleanFlagValue ); ``` @@ -165,8 +165,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -180,8 +180,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -193,8 +193,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -210,8 +210,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` 
@@ -223,8 +223,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -236,8 +236,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -249,8 +249,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -262,8 +262,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -275,8 +275,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -295,8 +295,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -306,11 +306,11 @@ or, using the async/await syntax: const stringFlagValue = await ldClient.stringVariation( featureFlags.stringFlag.key, context, - "red", + "red" ); doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - stringFlagValue, + stringFlagValue ); ``` @@ -324,8 +324,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -337,8 +337,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -350,8 +350,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -363,8 +363,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` 
@@ -376,8 +376,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -389,8 +389,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.stringFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -404,8 +404,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -415,11 +415,11 @@ or using the async/await syntax: const numberFlagValue = await ldClient.numberVariation( featureFlags.numberFlag.key, context, - 50, + 50 ); doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - numberFlagValue, + numberFlagValue ); ``` @@ -433,8 +433,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -446,8 +446,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -459,8 +459,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -472,8 +472,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -485,8 +485,8 @@ ldClient .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` @@ -498,8 +498,8 @@ client .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.numberFlag.key, - flagValue, - ), + flagValue + ) ); ``` 
@@ -517,10 +517,7 @@ You can call each of these functions with a promise call chain: ldClient .jsonVariation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -530,11 +527,11 @@ or using the async/await syntax: const jsonFlagValue = await ldClient.jsonVariation( featureFlags.jsonFlag.key, context, - {}, + {} ); doSomethingDependingOnFeatureFlagValue( featureFlags.jsonFlag.key, - jsonFlagValue, + jsonFlagValue ); ``` @@ -544,10 +541,7 @@ When migrating a `jsonVariation()` call to the OpenFeature SDK, ldClient .jsonVariation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -557,10 +551,7 @@ becomes client .getObjectValue(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -570,10 +561,7 @@ When migrating a `variation()` call, ldClient .variation(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -583,10 +571,7 @@ also becomes client .getObjectValue(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` 
@@ -596,10 +581,7 @@ Finally, when migrating a `jsonVariationDetail()` call, ldClient .jsonVariationDetail(featureFlags.jsonFlag.key, context, {}) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -609,10 +591,7 @@ becomes client .getObjectDetails(featureFlags.jsonFlag.key, {}, context) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue( - featureFlags.jsonFlag.key, - flagValue, - ), + doSomethingDependingOnFeatureFlagValue(featureFlags.jsonFlag.key, flagValue) ); ``` @@ -670,8 +649,8 @@ try { } catch (error) { console.log( `Failed to connect to LaunchDarkly :( Here's what the error says: ${JSON.stringify( - error, - )}`, + error + )}` ); } ``` @@ -682,8 +661,8 @@ LaunchDarkly also allows listening to the `error` event that signals an abnormal ldClient.on("error", (error) => { console.log( `The LaunchDarkly client has encountered an error. Here are the details: ${JSON.stringify( - error, - )}`, + error + )}` ); }); ``` @@ -694,8 +673,8 @@ In OpenFeature SDK terms, the equivalent listener looks like this: OpenFeature.addHandler(ProviderEvents.Error, (error) => { console.log( `The OpenFeature client for LaunchDarkly has encountered an error. Here are the details: ${JSON.stringify( - error, - )}`, + error + )}` ); }); ``` @@ -710,7 +689,7 @@ ldClient.on("update", (keyObject) => { ldClient .variation(keyObject.key, context, false) .then((flagValue) => - doSomethingDependingOnFeatureFlagValue(keyObject.key, flagValue), + doSomethingDependingOnFeatureFlagValue(keyObject.key, flagValue) ); }); ``` 
@@ -720,15 +699,15 @@ The `update:key` listener is more specific and serves to receive configuration u ```javascript ldClient.on(`update:${featureFlags.booleanFlag.key}`, () => { console.log( - `Configuration of flag ${featureFlags.booleanFlag.key} has changed`, + `Configuration of flag ${featureFlags.booleanFlag.key} has changed` ); ldClient .variation(featureFlags.booleanFlag.key, context, false) .then((flagValue) => doSomethingDependingOnFeatureFlagValue( featureFlags.booleanFlag.key, - flagValue, - ), + flagValue + ) ); }); ``` @@ -740,7 +719,7 @@ OpenFeature.addHandler( ProviderEvents.ConfigurationChanged, async (_eventDetails) => { // your event handling code - }, + } ); ``` @@ -753,7 +732,7 @@ OpenFeature.addHandler( const changedFlag = _eventDetails.flagsChanged[0]; console.log(`Configuration of flag ${changedFlag} has changed`); const flagType = Object.values(featureFlags).find( - (x) => x.key === changedFlag, + (x) => x.key === changedFlag ).type; let flagValue; @@ -767,11 +746,11 @@ OpenFeature.addHandler( flagValue = await client.getObjectValue(changedFlag, null, context); } else { console.log( - "Something went awry: we don't know the type of the updated flag", + "Something went awry: we don't know the type of the updated flag" ); } doSomethingDependingOnFeatureFlagValue(changedFlag, flagValue); - }, + } ); ``` diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx index f8994df..a918d45 100644 --- a/docs/v2/configuration/secrets.mdx +++ b/docs/v2/configuration/secrets.mdx 
@@ -22,21 +22,33 @@ Instead of storing sensitive values directly in Flipt configuration files, exter Flipt supports multiple secret providers to fit different deployment scenarios: - + Store secrets in local files - ideal for development and simple deployments - + Enterprise-grade secret management with advanced authentication and access controls - + Retrieve secrets from AWS Secrets Manager using standard AWS credentials - + Retrieve secrets from Google Cloud Secret Manager with Application Default Credentials or service account keys - + Retrieve secrets from Azure Key Vault using Azure identity credentials @@ -186,7 +198,7 @@ secrets: The AWS provider relies on the [default AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html). You can authenticate using any of the following methods: -- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) +- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN` for temporary credentials) - Shared credentials file (`~/.aws/credentials`) - IAM roles for Amazon EC2 or ECS - IAM Roles Anywhere @@ -200,6 +212,7 @@ Set the AWS region using the `AWS_DEFAULT_REGION` or `AWS_REGION` environment va export AWS_DEFAULT_REGION="us-east-1" export AWS_ACCESS_KEY_ID="your_access_key" export AWS_SECRET_ACCESS_KEY="your_secret_key" +export AWS_SESSION_TOKEN="your_session_token" # Optional: required for temporary credentials (STS, assumed roles) ``` You can also configure the provider itself through environment variables: @@ -379,6 +392,8 @@ authentication: ### Cloud Provider Examples +For cloud providers (AWS, GCP, Azure), the `key` in the secret reference corresponds to the exact secret name as stored in the provider. Path separators and version specifiers are not supported in the key — use the secret's name directly. + ```yaml storage: default: From f7b648a30913cab380187eb2f7134833800f08d2 Mon Sep 17 00:00:00 2001 
From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Sun, 1 Mar 2026 17:01:43 -0500 Subject: [PATCH 4/7] docs: add cloud secrets provider config options to overview page Add AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault configuration parameters to the configuration overview reference table. Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- docs/v2/configuration/overview.mdx | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/docs/v2/configuration/overview.mdx b/docs/v2/configuration/overview.mdx index 4aada1f..907e7a6 100644 --- a/docs/v2/configuration/overview.mdx +++ b/docs/v2/configuration/overview.mdx @@ -448,7 +448,7 @@ Credentials configuration manages authentication details for accessing remote Gi ### Secrets -Secrets configuration enables integration with external secret management systems like Vault for secure credential storage. +Secrets configuration enables integration with external secret management systems for secure credential storage. See the [Secrets](/v2/configuration/secrets) documentation for detailed provider setup and usage. | Property | Description | Default | Since | | ------------------------------ | -------------------------------------- | ------- | ------ | 
@@ -471,6 +471,26 @@ Secrets configuration enables integration with external secret management system | secrets.providers.vault.mount | Vault mount path for secrets | secret | v2.0.0 | | secrets.providers.vault.namespace | Vault namespace for enterprise Vault deployments | | v2.0.0 | +#### Secrets Provider: AWS Secrets Manager + +| Property | Description | Default | Since | +| ---------------------------------- | --------------------------------------------------------------- | ------- | ------ | +| secrets.providers.aws.endpoint_url | Custom endpoint URL (for LocalStack or AWS-compatible services) | | v2.0.0 | + +#### Secrets Provider: GCP Secret Manager + +| Property | Description | Default | Since | +| --------------------------------- | --------------------------------------------- | ------- | ------ | +| secrets.providers.gcp.project | GCP project ID | | v2.0.0 | +| secrets.providers.gcp.location | GCP region for regional secrets | | v2.0.0 | +| secrets.providers.gcp.credentials | Path to service account credentials JSON file | | v2.0.0 | + +#### Secrets Provider: Azure Key Vault + +| Property | Description | Default | Since | +| --------------------------------- | --------------------------------------------------------------- | ------- | ------ | +| secrets.providers.azure.vault_url | Azure Key Vault URL (e.g., `https://my-vault.vault.azure.net/`) | | v2.0.0 | + ## Observability & Operations ### Logging From cdae850a83ccc128a72675ce262ee7e157890475 Mon Sep 17 00:00:00 2001 From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Sun, 1 Mar 2026 19:35:43 -0500 Subject: [PATCH 5/7] chore: fmt Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- docs/package-lock.json | 3 +++ docs/v1/authorization/overview.mdx | 2 ++ 2 files changed, 5 insertions(+) diff --git a/docs/package-lock.json b/docs/package-lock.json index 3641feb..2f6f681 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json 
@@ -468,6 +468,7 @@ "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "dev": true, "license": "MIT", + "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -854,6 +855,7 @@ "deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", @@ -3212,6 +3214,7 @@ "integrity": "sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==", "dev": true, "license": "MIT", + "peer": true, "bin": { "prettier": "bin-prettier.js" }, diff --git a/docs/v1/authorization/overview.mdx b/docs/v1/authorization/overview.mdx index 7c9c1ec..d5c38d1 100644 --- a/docs/v1/authorization/overview.mdx +++ b/docs/v1/authorization/overview.mdx 
@@ -187,12 +187,14 @@ The `input.request` field contains information about the incoming request. This - `namespace`: The [namespace](/v1/concepts#namespaces) in Flipt of the resource being accessed. If no namespace is provided, the default namespace is used, or it is not applicable as the resource is not namespace scoped (e.g. authentication) - `resource`: The resource being accessed. This can be one of: + - `namespace`: Access to [namespace](/v1/concepts#namespaces) resources (e.g., listing or creating namespaces). - `flag`: Access to [flag](/v1/concepts#flags) resources and sub-resources (e.g., listing or creating flags, variants, rules or rollouts). - `segment`: Access to [segment](/v1/concepts#segments) resources and sub-resources (e.g., listing or creating segments, constraints or distributions). - `authentication`: Access to authentication resources (e.g., listing or creating client tokens). - `subject`: The (optional) nested subject of the request. This can be one of: + - `namespace`: Access to [namespace](/v1/concepts#namespaces) resources. - `flag`: Access to [flag](/v1/concepts#flags) resources. - `variant`: Access to flag [variant](/v1/concepts#variant-flags) resources. From 9b7df9109eb126232654b18bbfa3516f18ea8149 Mon Sep 17 00:00:00 2001 From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Fri, 6 Mar 2026 09:16:28 -0500 Subject: [PATCH 6/7] chore: set correct version for secrets since Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- docs/v2/configuration/overview.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/v2/configuration/overview.mdx b/docs/v2/configuration/overview.mdx index 907e7a6..5e03ea2 100644 --- a/docs/v2/configuration/overview.mdx +++ b/docs/v2/configuration/overview.mdx 
@@ -475,21 +475,21 @@ Secrets configuration enables integration with external secret management system | Property | Description | Default | Since | | ---------------------------------- | --------------------------------------------------------------- | ------- | ------ | -| secrets.providers.aws.endpoint_url | Custom endpoint URL (for LocalStack or AWS-compatible services) | | v2.0.0 | +| secrets.providers.aws.endpoint_url | Custom endpoint URL (for LocalStack or AWS-compatible services) | | v2.8.0 | #### Secrets Provider: GCP Secret Manager | Property | Description | Default | Since | | --------------------------------- | --------------------------------------------- | ------- | ------ | -| secrets.providers.gcp.project | GCP project ID | | v2.0.0 | -| secrets.providers.gcp.location | GCP region for regional secrets | | v2.0.0 | -| secrets.providers.gcp.credentials | Path to service account credentials JSON file | | v2.0.0 | +| secrets.providers.gcp.project | GCP project ID | | v2.8.0 | +| secrets.providers.gcp.location | GCP region for regional secrets | | v2.8.0 | +| secrets.providers.gcp.credentials | Path to service account credentials JSON file | | v2.8.0 | #### Secrets Provider: Azure Key Vault | Property | Description | Default | Since | | --------------------------------- | --------------------------------------------------------------- | ------- | ------ | -| secrets.providers.azure.vault_url | Azure Key Vault URL (e.g., `https://my-vault.vault.azure.net/`) | | v2.0.0 | +| secrets.providers.azure.vault_url | Azure Key Vault URL (e.g., `https://my-vault.vault.azure.net/`) | | v2.8.0 | ## Observability & Operations From ea206e11200d3592f81012d75f41464f2b1e2c48 Mon Sep 17 00:00:00 2001 From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Fri, 6 Mar 2026 09:20:49 -0500 Subject: [PATCH 7/7] docs: update pro page and banner to reflect cloud secrets providers 
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- docs/docs.json | 2 +- docs/v2/configuration/secrets.mdx | 2 +- docs/v2/pro.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs.json b/docs/docs.json index f83d2de..ed72790 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -512,7 +512,7 @@ "dark": "/logo/dark-logo.svg" }, "banner": { - "content": "🎉 **Flipt v2 is now available!** Experience the next generation of feature management with [Pro features](https://docs.flipt.io/v2/pro) and enhanced GitOps workflow.", + "content": "🎉 **New in Flipt Pro:** Integrated secrets management with HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. [Learn more](https://docs.flipt.io/v2/pro).", "dismissible": true }, "api": { diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx index a918d45..2924f9e 100644 --- a/docs/v2/configuration/secrets.mdx +++ b/docs/v2/configuration/secrets.mdx @@ -212,7 +212,7 @@ Set the AWS region using the `AWS_DEFAULT_REGION` or `AWS_REGION` environment va export AWS_DEFAULT_REGION="us-east-1" export AWS_ACCESS_KEY_ID="your_access_key" export AWS_SECRET_ACCESS_KEY="your_secret_key" -export AWS_SESSION_TOKEN="your_session_token" # Optional: required for temporary credentials (STS, assumed roles) +export AWS_SESSION_TOKEN="your_session_token" # Only needed for temporary credentials (STS, assumed roles) ``` You can also configure the provider itself through environment variables: diff --git a/docs/v2/pro.mdx b/docs/v2/pro.mdx index 508a8e2..6b53d9c 100644 --- a/docs/v2/pro.mdx +++ b/docs/v2/pro.mdx 
@@ -51,7 +51,7 @@ Flipt Pro provides native integration with popular source control management (SC Securely manage sensitive data with built-in secrets management: - **Comprehensive Secrets Support**: Store GPG keys, API keys, tokens, and certificates securely -- **Multiple Providers**: HashiCorp Vault integration with secrets references throughout configuration +- **Multiple Providers**: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault, with secrets references throughout configuration - **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault ### Air-Gapped Environment Support
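Review bot: the formatting-only hunks from `@@ -596,10 +581,7` through `@@ -767,11 +746,11` (trailing commas dropped and wrapped arguments rejoined in the LaunchDarkly migration examples) are unrelated to the secrets provider documentation and should move to their own commit so the docs change stays reviewable. Since the error-logging examples at `@@ -670,8 +649,8`, `@@ -682,8 +661,8` and `@@ -694,8 +673,8` are being touched anyway: `JSON.stringify(error)` yields `{}` when `error` is an `Error` instance, because `message` and `stack` are not enumerable, so the examples would log nothing useful; logging `error.message` or passing `error` as a separate argument to `console.log` would show the failure.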
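Review bot: in the hunk at `@@ -753,7 +732,7`, `Object.values(featureFlags).find((x) => x.key === changedFlag).type` throws a `TypeError` when the changed flag is not in `featureFlags`, so the "we don't know the type of the updated flag" branch at `@@ -767,11 +746,11` is never reached for an unknown flag. The handler also reads only `flagsChanged[0]` and ignores any other entries in the array. Since the example is being reformatted, consider guarding the lookup (for instance with `?.type`) and iterating over `flagsChanged`.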
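Review bot: in docs/v2/configuration/secrets.mdx, hunks `@@ -186,7 +198,7` and `@@ -200,6 +212,7`, the only worked example exports static `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` values, although the list above it already names IAM roles for Amazon EC2 or ECS and IAM Roles Anywhere. Add a sentence saying role-based credentials are preferred for deployed instances and the exports are for local testing, so readers do not copy long-lived keys into service environments. The added comment "Optional: required for temporary credentials" also reads as contradictory; the rewording in patch 7/7 ("Only needed for temporary credentials") resolves it and could be squashed into this hunk.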
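Review bot: in docs/v2/configuration/secrets.mdx, hunk `@@ -379,6 +392,8`, the new sentence "Path separators and version specifiers are not supported in the key" is ambiguous for AWS, where a `/` is a legal character in a secret name and hierarchical names such as `prod/db/password` are common. State whether a secret whose name itself contains `/` can be referenced, or whether such secrets must be renamed. Because version specifiers are rejected, the paragraph should also say which version of a secret is read, since that determines what happens on rotation.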
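Review bot: in docs/v2/configuration/overview.mdx, hunk `@@ -471,6 +471,26`, the three new reference tables have no row for the `enabled` property, although the configuration example in secrets.mdx sets `enabled: true` under `aws`, `gcp` and `azure`. The AWS table then lists only `endpoint_url`, which suggests the provider is configured by a LocalStack override alone. Add `secrets.providers.aws.enabled`, `secrets.providers.gcp.enabled` and `secrets.providers.azure.enabled` with their defaults. The `Since` value of v2.0.0 in these rows is corrected to v2.8.0 in patch 6/7; squashing that fix into this commit would avoid publishing the wrong version in history.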
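Review bot: the docs/package-lock.json hunks at `@@ -468,6 +468,7`, `@@ -854,6 +855,7` and `@@ -3212,6 +3214,7` add `"peer": true` to the acorn, eslint and prettier entries inside a commit titled "chore: fmt", which is a dependency-metadata change rather than a formatting one. Lockfile edits should land in their own commit with a message saying which command and npm version produced them, so they can be reviewed as a dependency change; otherwise revert them here. The blank lines added to the nested lists in docs/v1/authorization/overview.mdx at `@@ -187,12 +187,14` are fine as formatting.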
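Review bot: in docs/v2/pro.mdx, hunk `@@ -51,7 +51,7`, the rewritten "Multiple Providers" bullet now names AWS Secrets Manager, GCP Secret Manager and Azure Key Vault, which duplicates the unchanged "Cloud Provider Support" bullet directly below it. Drop the "Cloud Provider Support" bullet, or keep "Multiple Providers" about secret references throughout the configuration and leave the provider list to one bullet. In the same patch, the docs.json banner links to `https://docs.flipt.io/v2/pro`; linking to the secrets configuration page would take readers straight to the provider setup it announces.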