E2E Secrets Management
E2E Secrets Management provides a secure, dedicated secret store instance per customer team or application. All sensitive data is encrypted at rest and in transit. The system ensures safe lifecycle management of critical secrets including API keys, passwords, database credentials, certificates, and encryption keys.
Users interact with E2E Secrets using a Vault-compatible CLI and client libraries. The platform abstracts cluster infrastructure, high-availability configuration, automated replication, and upgrades while providing customers complete control over their own secret paths.
Provisioning & Accessing Your Secret Store
Creating a Secret Store
Follow these steps to create your secret store:
- Log in to the E2E Cloud Console
- Go to Secrets Management
- Click Create New Secret
- Select a plan and Click on Create Secret
- You will receive an email with the details of your secrets.
| Attribute | Example |
|---|---|
| Vault Endpoint URL | https://openbao-<ID>.e2enetworks.net |
| Root Token | s.XXXXXXXXXXXXXXXX |
Store these credentials securely. The vault credentials will be sent to your email, and the credential link will expire within 7 days. Please ensure you save the credentials for future use.
Secret Store Lifecycle
Upgrading Capacity
-
Click the Upgrade icon next to the secret you wish to upgrade
-
Click Upgrade
-
Choose a desired plan and click the Upgrade Secrets button
-
Your secret will be successfully upgraded
NotesUpgrades do not affect stored secrets.
Deleting a Secret Store
- Click the Delete icon for the secret you want to remove.
- Confirm the action by clicking the Delete button.
This is irreversible and permanently deletes all secrets.
Accessing Your Secret Store
There are two ways to access the Secret Management:
- CLI Access - If you want to access using CLI, click here
- Programmatic Access - If you want to access using Programmatic methods, click here
CLI Access
Before using the CLI, you need to install the bao CLI tool.
Installing bao
You can refer to these docs for installing OpenBao: official OpenBao installation guide.
Refer to the official bao CLI documentation for a complete list of available commands and usage examples.
Environment Setup
Set up your environment variables to connect to your secret store:
export VAULT_ADDR="https://openbao-<ID>.e2enetworks.net"
export VAULT_TOKEN="YOUR_ROOT_TOKEN"
Verify login:
bao login $VAULT_TOKEN
Check authentication:
bao token lookup
Secrets Engine
Secrets engines are components that store, generate, or encrypt data. They function as pluggable backends that perform specific operations on data and return results. Secrets engines are enabled at defined paths and behave like a virtual filesystem, supporting standard operations such as read, write, and delete.
E2E Secrets Management supports multiple secrets engines. Among all available secrets engines, the KV (Key-Value) secrets engine is the most popular and widely used for storing static secrets. Below, we provide examples of how to enable and use the KV secrets engine.
For more information, refer to the Secret Engines documentation.
Check Enabled Engines
bao secrets list
KV Secrets Engine
The KV (Key-Value) secrets engine is used to store arbitrary secrets within the configured physical storage for your secret store.
Enable KV v2 Engine
Enable KV v2 engine at required path (optional if already enabled):
bao secrets enable -path=secret kv-v2
Write a Secret
bao kv put secret/app key="value123"
Read a Secret
bao kv get secret/app
Update a Secret
bao kv put secret/app key="updated-value"
List Secrets Under a Location
bao kv list secret/
Soft Delete (Latest Version Only)
bao kv delete secret/app
Permanently Delete Metadata and All Versions
bao kv metadata delete secret/app
Token & Access Management
Create a New Token for Apps
bao token create -ttl=24h
Revoke a Token
bao token revoke <token>
Role-Based Access Control (RBAC)
Policies restrict what a token can access. The root token has unrestricted access and should only be used for initial setup. For applications, create dedicated tokens with narrowly scoped policies to limit blast radius if a token is compromised.
Create a Policy File
Example: allow read-only access to a path
Create a file named policy.hcl:
path "secret/data/app*" {
capabilities = ["read", "list"]
}
Load Policy
bao policy write readonly policy.hcl
List Policies
bao policy list
Issue a Token with That Policy
bao token create -policy=readonly
Monitoring
Checking Cluster Status
bao status
Common states:
- unsealed
- standby
- leader
E2E Secrets Management is deployed in a high-availability configuration with 3 replicas. Your secret store is ready to use as soon as you receive your credentials.
Last Token Usage Details
bao token lookup <token>
Audit logs are retained securely within platform infrastructure.
Programmatic Access for Applications
Overview
E2E Secrets Management is fully compatible with Vault client APIs. Users can securely access and manage secrets from applications using widely adopted, production-grade libraries.
Recommended Client Libraries
| Language | Library | Notes |
|---|---|---|
| Python | HVAC | Lightweight and feature-rich KV v2/Token/RBAC support |
| Java | vault-java-driver | Strong integration for enterprise applications |
| Go | Official Vault API SDK | Preferred for cloud-native workloads |
| Node.js | node-vault | Fast and easy integration in JavaScript runtimes |
All libraries require:
- Your E2E Vault Endpoint (VAULT_ADDR)
- A valid access token (VAULT_TOKEN)
Python Integration (Recommended)
Below are fully-tested example workflows using the HVAC library.
Install HVAC
pip install hvac
A. Basic Connection and Secret Operations
#!/usr/bin/env python3
import os
import hvac
client = hvac.Client(
url=os.environ["VAULT_ADDR"],
token=os.environ["VAULT_TOKEN"]
)
print("Authenticated:", client.is_authenticated())
client.secrets.kv.v2.create_or_update_secret(
mount_point="secret",
path="app",
secret={"db_password": "StrongP@ss"}
)
data = client.secrets.kv.v2.read_secret_version(
mount_point="secret",
path="app"
)
print("Secret:", data["data"]["data"])
B. Complete Secret Lifecycle Example
This example includes: enabling engine, write, read, update, and delete operations.
#!/usr/bin/env python3
import os
import hvac
client = hvac.Client(
url=os.environ["VAULT_ADDR"],
token=os.environ["VAULT_TOKEN"]
)
print("Authenticated:", client.is_authenticated())
# 1. Enable KV v2
try:
client.sys.enable_secrets_engine(
backend_type="kv",
path="secret1",
options={"version": "2"}
)
print("KV v2 enabled at 'secret1/'")
except Exception:
print("KV v2 already enabled or access denied")
# 2. Write
client.secrets.kv.v2.create_or_update_secret(
mount_point="secret1",
path="demo",
secret={"key": "value123"}
)
print("Write success")
# 3. Read
secret = client.secrets.kv.v2.read_secret_version(
mount_point="secret1",
path="demo"
)
print("Read:", secret["data"]["data"])
# 4. Update
client.secrets.kv.v2.create_or_update_secret(
mount_point="secret1",
path="demo",
secret={"key": "updated-value"}
)
print("Update success")
# 5. Soft delete
client.secrets.kv.v2.delete_latest_version_of_secret(
mount_point="secret1",
path="demo"
)
print("Soft delete success")
This represents the complete end-to-end lifecycle for KV v2 secrets.
Integration Notes
mount_pointrefers to the secrets engine path assigned to your instance- Application tokens should be created using RBAC and scoped permissions (not root token)
- Secrets should be rotated with operational frequency policies
Best Practices
- Create separate tokens per environment
- Enforce TTLs on all application tokens
- Regularly rotate secrets stored under paths
- Use policies instead of sharing root-token
- Limit access to metadata deletion operations