E2E Secrets Management

E2E Secrets Management provides a secure, dedicated secret store instance per customer team or application. All sensitive data is encrypted at rest and in transit. The system ensures safe lifecycle management of critical secrets including API keys, passwords, database credentials, certificates, and encryption keys.

Users interact with E2E Secrets using a Vault-compatible CLI and client libraries. The platform abstracts cluster infrastructure, high-availability configuration, automated replication, and upgrades while providing customers complete control over their own secret paths.

1. Provisioning & Accessing Your Secret Store

Creating a Secret Store

Log in to the E2E Cloud Console
Go to Secrets Management
Click Create New Secret
Select a plan and Click on Create Secret
After provisioning, the portal will display:

Attribute	Example
Vault Endpoint URL	`openbao-171.e2enetworks.net`
Root Token	`s.XXXXXXXXXXXXXXXX`
Unseal Keys	Shown once on creation or Sent via mail

info

Store these credentials securely. They are shown only once at the time of creation.

2. CLI Access

Environment Setup

Set up your environment variables to connect to your secret store:

export VAULT_ADDR="https://secret-abc123.api.e2enetworks.com"
export VAULT_TOKEN="YOUR_ROOT_TOKEN"

Verify login:

bao login $VAULT_TOKEN

Check authentication:

bao token lookup

Refer to the official bao CLI documentation for a complete list of available commands and usage examples.

3. KV Secrets Engine

Enable KV v2 engine at required path (optional if already enabled):

bao secrets enable -path=secret kv-v2

Write a Secret

bao kv put secret/app key="value123"

Read a Secret

bao kv get secret/app

Update a Secret

bao kv put secret/app key="updated-value"

List Secrets Under a Location

bao kv list secret/

Soft Delete (Latest Version Only)

bao kv delete secret/app

Permanently Delete Metadata and All Versions

bao kv metadata delete secret/app

Check Enabled Engines

bao secrets list

4. Programmatic Access for Applications

4.1 Overview

E2E Secrets Management is fully compatible with Vault client APIs. Users can securely access and manage secrets from applications using widely adopted, production-grade libraries.

Recommended Client Libraries

Language	Library	Notes
Python	HVAC	Lightweight and feature-rich KV v2/Token/RBAC support
Java	vault-java-driver	Strong integration for enterprise applications
Go	Official Vault API SDK	Preferred for cloud-native workloads
Node.js	node-vault	Fast and easy integration in JavaScript runtimes

All libraries require:

Your E2E Vault Endpoint (VAULT_ADDR)
A valid access token (VAULT_TOKEN)

4.2 Python Integration (Recommended)

Below are fully-tested example workflows using the HVAC library.

Install HVAC

pip install hvac

A. Basic Connection and Secret Operations

#!/usr/bin/env python3
import hvac

client = hvac.Client(
    url="VAULT_ADDR",
    token="VAULT_TOKEN"
)

print("Authenticated:", client.is_authenticated())

client.secrets.kv.v2.create_or_update_secret(
    mount_point="secret",
    path="app",
    secret={"db_password": "StrongP@ss"}
)

data = client.secrets.kv.v2.read_secret_version(
    mount_point="secret",
    path="app"
)

print("Secret:", data["data"]["data"])

B. Complete Secret Lifecycle Example

This example includes: enabling engine, write, read, update, delete, and engine list operations.

#!/usr/bin/env python3
import hvac

client = hvac.Client(
    url="VAULT_ADDR",
    token="VAULT_TOKEN"
)

print("Authenticated:", client.is_authenticated())

# 1. Enable KV v2
try:
    client.sys.enable_secrets_engine(
        backend_type="kv",
        path="secret1",
        options={"version": "2"}
    )
    print("KV v2 enabled at 'secret1/'")
except Exception:
    print("KV v2 already enabled or access denied")

# 2. Write
client.secrets.kv.v2.create_or_update_secret(
    mount_point="secret1",
    path="demo",
    secret={"key": "value123"}
)
print("Write success")

# 3. Read
secret = client.secrets.kv.v2.read_secret_version(
    mount_point="secret1",
    path="demo"
)
print("Read:", secret["data"]["data"])

# 4. Update
client.secrets.kv.v2.create_or_update_secret(
    mount_point="secret1",
    path="demo",
    secret={"key": "updated-value"}
)
print("Update success")

# 5. Soft delete
client.secrets.kv.v2.delete_latest_version_of_secret(
    mount_point="secret1",
    path="demo"
)
print("Soft delete success")

This represents the complete end-to-end lifecycle for KV v2 secrets.

4.3 Integration Notes

mount_point refers to the secrets engine path assigned to your instance
Application tokens should be created using RBAC and scoped permissions (not root token)
Secrets should be rotated with operational frequency policies

5. Token & Access Management

Create a New Token for Apps

bao token create -ttl=24h

Revoke a Token

bao token revoke <token>

6. Role-Based Access Control (RBAC)

Policies restrict what a token can access.

Create a Policy File

Example: allow read-only access to a path

Create a file named policy.hcl:

path "secret/data/app*" {
    capabilities = ["read", "list"]
}

Load Policy

bao policy write readonly policy.hcl

List Policies

bao policy list

Issue a Token with That Policy

bao token create -policy=readonly

7. Operational Requirements

Checking Status

bao status

Common states:

sealed
unsealed
standby
leader

Unseal (General)

Unseal keys are provided once to the admin on instance creation. Each node must reach the unseal threshold:

bao operator unseal <UNSEAL_KEY_1>
bao operator unseal <UNSEAL_KEY_2>
bao operator unseal <UNSEAL_KEY_3>

Check status again:

bao status

info

Keep unseal keys offline and secure.

8. Monitoring and Audits

List Active Audit Devices

bao audit list

Last Token Usage Details

bao token lookup <token>

Audit logs are retained securely within platform infrastructure.

9. Secret Store Lifecycle

Upgrading Capacity

Click the Upgrade icon next to the secret you wish to upgrade
Click Upgrade
Choose a desired plan and click the Upgrade Secrets button
Your secret will be successfully upgraded

Notes
Upgrades do not affect stored secrets.

Deleting a Secret Store

Click the Delete icon for the secret you want to remove.
Confirm the action by clicking the Delete button.

warning

This is irreversible and permanently deletes all secrets.

10. Best Practices

Create separate tokens per environment
Enforce TTLs on all application tokens
Regularly rotate secrets stored under paths
Use policies instead of sharing root-token
Limit access to metadata deletion operations
Always secure unseal keys offline

1. Provisioning & Accessing Your Secret Store​

Creating a Secret Store​

2. CLI Access​

Environment Setup​

3. KV Secrets Engine​

Write a Secret​

Read a Secret​

Update a Secret​

List Secrets Under a Location​

Soft Delete (Latest Version Only)​

Permanently Delete Metadata and All Versions​

Check Enabled Engines​

4. Programmatic Access for Applications​

4.1 Overview​

Recommended Client Libraries​

4.2 Python Integration (Recommended)​

Install HVAC​

A. Basic Connection and Secret Operations​

B. Complete Secret Lifecycle Example​

4.3 Integration Notes​

5. Token & Access Management​

Create a New Token for Apps​

Revoke a Token​

6. Role-Based Access Control (RBAC)​

Create a Policy File​

Load Policy​

List Policies​

Issue a Token with That Policy​

7. Operational Requirements​

Checking Status​

Unseal (General)​

8. Monitoring and Audits​

List Active Audit Devices​

Last Token Usage Details​

9. Secret Store Lifecycle​

Upgrading Capacity​

Deleting a Secret Store​

10. Best Practices​