flipt-io · markphelps · Mar 6, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026
@@ -512,7 +512,7 @@
     "dark": "/logo/dark-logo.svg"
   },
   "banner": {
-    "content": "🎉 **Flipt v2 is now available!** Experience the next generation of feature management with [Pro features](https://docs.flipt.io/v2/pro) and enhanced GitOps workflow.",
+    "content": "🎉 **New in Flipt Pro:** Integrated secrets management with HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. [Learn more](https://docs.flipt.io/v2/pro).",
     "dismissible": true
   },
   "api": {

@@ -448,7 +448,7 @@ Credentials configuration manages authentication details for accessing remote Gi
 
 ### Secrets
 
-Secrets configuration enables integration with external secret management systems like Vault for secure credential storage.
+Secrets configuration enables integration with external secret management systems for secure credential storage. See the [Secrets](/v2/configuration/secrets) documentation for detailed provider setup and usage.
 
 | Property                       | Description                            | Default | Since  |
 | ------------------------------ | -------------------------------------- | ------- | ------ |
@@ -471,6 +471,26 @@ Secrets configuration enables integration with external secret management system
 | secrets.providers.vault.mount       | Vault mount path for secrets                     | secret  | v2.0.0 |
 | secrets.providers.vault.namespace   | Vault namespace for enterprise Vault deployments |         | v2.0.0 |
 
+#### Secrets Provider: AWS Secrets Manager
+
+| Property                           | Description                                                     | Default | Since  |
+| ---------------------------------- | --------------------------------------------------------------- | ------- | ------ |
+| secrets.providers.aws.endpoint_url | Custom endpoint URL (for LocalStack or AWS-compatible services) |         | v2.8.0 |
+
+#### Secrets Provider: GCP Secret Manager
+
+| Property                          | Description                                   | Default | Since  |
+| --------------------------------- | --------------------------------------------- | ------- | ------ |
+| secrets.providers.gcp.project     | GCP project ID                                |         | v2.8.0 |
+| secrets.providers.gcp.location    | GCP region for regional secrets               |         | v2.8.0 |
+| secrets.providers.gcp.credentials | Path to service account credentials JSON file |         | v2.8.0 |
+
+#### Secrets Provider: Azure Key Vault
+
+| Property                          | Description                                                     | Default | Since  |
+| --------------------------------- | --------------------------------------------------------------- | ------- | ------ |
+| secrets.providers.azure.vault_url | Azure Key Vault URL (e.g., `https://my-vault.vault.azure.net/`) |         | v2.8.0 |
+
 ## Observability & Operations
 
 ### Logging

@@ -21,19 +21,36 @@ Instead of storing sensitive values directly in Flipt configuration files, exter
 
 Flipt supports multiple secret providers to fit different deployment scenarios:
 
-<Tip>
-  We're working on adding support for more secret providers, including AWS
-  Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
-</Tip>
-
 <CardGroup cols={2}>
-  <Card title="File Provider" icon="folder">
+  <Card title="File Provider" icon="folder" href="#file-provider">
     Store secrets in local files - ideal for development and simple deployments
   </Card>
-  <Card title="HashiCorp Vault" icon="vault">
+  <Card title="HashiCorp Vault" icon="vault" href="#hashicorp-vault-provider">
     Enterprise-grade secret management with advanced authentication and access
     controls
   </Card>
+  <Card
+    title="AWS Secrets Manager"
+    icon="aws"
+    href="#aws-secrets-manager-provider"
+  >
+    Retrieve secrets from AWS Secrets Manager using standard AWS credentials
+  </Card>
+  <Card
+    title="GCP Secret Manager"
+    icon="google"
+    href="#gcp-secret-manager-provider"
+  >
+    Retrieve secrets from Google Cloud Secret Manager with Application Default
+    Credentials or service account keys
+  </Card>
+  <Card
+    title="Azure Key Vault"
+    icon="microsoft"
+    href="#azure-key-vault-provider"
+  >
+    Retrieve secrets from Azure Key Vault using Azure identity credentials
+  </Card>
 </CardGroup>
 
 ## Configuration Overview
@@ -51,6 +68,14 @@ secrets:
       enabled: true
       address: "https://vault.company.com"
       auth_method: "token"
+    aws:
+      enabled: true
+    gcp:
+      enabled: true
+      project: "my-gcp-project"
+    azure:
+      enabled: true
+      vault_url: "https://my-vault.vault.azure.net/"
 ```
 
 ## File Provider
@@ -151,6 +176,166 @@ export FLIPT_SECRETS_PROVIDERS_VAULT_ROLE_ID="your_role_id"
 export FLIPT_SECRETS_PROVIDERS_VAULT_SECRET_ID="your_secret_id"
 ```
 
+## AWS Secrets Manager Provider
+
+The AWS Secrets Manager provider retrieves secrets stored in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). It uses the AWS SDK for Go v2, which automatically resolves credentials from the standard AWS credential chain.
+
+### Configuration
+
+```yaml
+secrets:
+  providers:
+    aws:
+      enabled: true
+```
+
+| Field          | Type   | Required | Default   | Description                                                                      |
+| -------------- | ------ | -------- | --------- | -------------------------------------------------------------------------------- |
+| `enabled`      | bool   | No       | `false`   | Enables the AWS Secrets Manager provider                                         |
+| `endpoint_url` | string | No       | _(empty)_ | Custom endpoint URL (useful for [LocalStack](https://localstack.cloud/) testing) |
+
+### Authentication
+
+The AWS provider relies on the [default AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html). You can authenticate using any of the following methods:
+
+- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN` for temporary credentials)
+- Shared credentials file (`~/.aws/credentials`)
+- IAM roles for Amazon EC2 or ECS
+- IAM Roles Anywhere
+- SSO credentials
+
+Set the AWS region using the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variable.
+
+### Environment Variables
+
+```bash
+export AWS_DEFAULT_REGION="us-east-1"
+export AWS_ACCESS_KEY_ID="your_access_key"
+export AWS_SECRET_ACCESS_KEY="your_secret_key"
+export AWS_SESSION_TOKEN="your_session_token" # Only needed for temporary credentials (STS, assumed roles)
+```
+
+You can also configure the provider itself through environment variables:
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_AWS_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_AWS_ENDPOINT_URL="http://localhost:4566"
+```
+
+### Custom Endpoint
+
+For local development with LocalStack or other AWS-compatible services, specify a custom endpoint:
+
+```yaml
+secrets:
+  providers:
+    aws:
+      enabled: true
+      endpoint_url: "http://localhost:4566"
+```
+
+## GCP Secret Manager Provider
+
+The GCP Secret Manager provider retrieves secrets stored in [Google Cloud Secret Manager](https://cloud.google.com/secret-manager). It supports both global and regional secrets.
+
+### Configuration
+
+```yaml
+secrets:
+  providers:
+    gcp:
+      enabled: true
+      project: "my-gcp-project"
+```
+
+| Field         | Type   | Required           | Default   | Description                                                                                            |
+| ------------- | ------ | ------------------ | --------- | ------------------------------------------------------------------------------------------------------ |
+| `enabled`     | bool   | No                 | `false`   | Enables the GCP Secret Manager provider                                                                |
+| `project`     | string | Yes (when enabled) | _(none)_  | GCP project ID                                                                                         |
+| `location`    | string | No                 | _(empty)_ | GCP region for [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional) |
+| `credentials` | string | No                 | _(empty)_ | Path to a service account credentials JSON file                                                        |
+
+### Authentication
+
+The GCP provider supports two authentication methods:
+
+- **Application Default Credentials (ADC)**: Automatically used when no `credentials` path is specified. This works with GCE metadata, GKE workload identity, and `gcloud auth application-default login`.
+- **Service account key file**: Specify an explicit path to a service account JSON credentials file.
+
+```yaml
+secrets:
+  providers:
+    gcp:
+      enabled: true
+      project: "my-gcp-project"
+      credentials: "/path/to/service-account.json"
+```
+
+### Regional Secrets
+
+By default, the provider accesses global secrets. To use [regional secrets](https://cloud.google.com/secret-manager/docs/create-secret-regional), specify the `location` field:
+
+```yaml
+secrets:
+  providers:
+    gcp:
+      enabled: true
+      project: "my-gcp-project"
+      location: "us-central1"
+```
+
+### Environment Variables
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_GCP_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_GCP_PROJECT="my-gcp-project"
+export FLIPT_SECRETS_PROVIDERS_GCP_LOCATION="us-central1"
+export FLIPT_SECRETS_PROVIDERS_GCP_CREDENTIALS="/path/to/credentials.json"
+```
+
+## Azure Key Vault Provider
+
+The Azure Key Vault provider retrieves secrets stored in [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault). It uses the Azure SDK for Go with `DefaultAzureCredential`, which supports multiple authentication methods.
+
+### Configuration
+
+```yaml
+secrets:
+  providers:
+    azure:
+      enabled: true
+      vault_url: "https://my-vault.vault.azure.net/"
+```
+
+| Field       | Type   | Required           | Default  | Description                                                            |
+| ----------- | ------ | ------------------ | -------- | ---------------------------------------------------------------------- |
+| `enabled`   | bool   | No                 | `false`  | Enables the Azure Key Vault provider                                   |
+| `vault_url` | string | Yes (when enabled) | _(none)_ | Azure Key Vault URL (for example, `https://my-vault.vault.azure.net/`) |
+
+### Authentication
+
+The Azure provider uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication), which tries multiple authentication methods in order:
+
+- Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`)
+- Workload identity (for Kubernetes)
+- Managed identity (for Azure VMs, App Service, and other Azure services)
+- Azure CLI credentials
+
+### Environment Variables
+
+```bash
+export AZURE_CLIENT_ID="your_client_id"
+export AZURE_TENANT_ID="your_tenant_id"
+export AZURE_CLIENT_SECRET="your_client_secret"
+```
+
+You can also configure the provider itself through environment variables:
+
+```bash
+export FLIPT_SECRETS_PROVIDERS_AZURE_ENABLED=true
+export FLIPT_SECRETS_PROVIDERS_AZURE_VAULT_URL="https://my-vault.vault.azure.net/"
+```
+
 ## Using Secrets in Configuration
 
 Secrets can be referenced throughout your Flipt v2 configuration using the secret reference syntax. Secret references must always include the provider specification.
@@ -159,7 +344,7 @@ Secrets can be referenced throughout your Flipt v2 configuration using the secre
 
 Secret references use the format `${secret:provider:key}` where:
 
-- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`)
+- `provider` is the name of the configured secrets provider (e.g., `file`, `vault`, `aws`, `gcp`, `azure`)
 - `key` is the name of the secret to retrieve
 
 ### File Provider Examples
@@ -205,6 +390,27 @@ authentication:
             credential: "${secret:vault:flipt/tokens:ci-token}"
 ```
 
+### Cloud Provider Examples
+
+For cloud providers (AWS, GCP, Azure), the `key` in the secret reference corresponds to the exact secret name as stored in the provider. Path separators and version specifiers are not supported in the key — use the secret's name directly.
+
+```yaml
+storage:
+  default:
+    git:
+      authentication:
+        token: "${secret:gcp:git-token}" # GCP Secret Manager
+        password: "${secret:aws:git-password}" # AWS Secrets Manager
+
+authentication:
+  methods:
+    oidc:
+      providers:
+        azure_ad:
+          client_id: "${secret:azure:oidc-client-id}" # Azure Key Vault
+          client_secret: "${secret:azure:oidc-client-secret}" # Azure Key Vault
+```
+
 ### Combined with Environment Variables
 
 You can combine secret references with environment variables in the same configuration:

@@ -17,8 +17,8 @@ mode: "wide"
 
 <Card title="Integrated Secrets Management" icon="key">
   Secure storage for sensitive configuration data including GPG keys, API keys,
-  tokens, and certificates with HashiCorp Vault integration and secrets
-  references.
+  tokens, and certificates with HashiCorp Vault, AWS Secrets Manager, GCP Secret
+  Manager, and Azure Key Vault.
 </Card>
 
 <Card title="Air-Gapped Environment Support" icon="shield">
@@ -51,8 +51,8 @@ Flipt Pro provides native integration with popular source control management (SC
 Securely manage sensitive data with built-in secrets management:
 
 - **Comprehensive Secrets Support**: Store GPG keys, API keys, tokens, and certificates securely
-- **Multiple Providers**: HashiCorp Vault integration with secrets references throughout configuration
-- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault support coming soon
+- **Multiple Providers**: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault, with secrets references throughout configuration
+- **Cloud Provider Support**: AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault
 
 ### Air-Gapped Environment Support