Vault
The instance vault stores instance-level credentials that must not be available to Ascend environments; the environment vault stores the credentials that developers and data engineers use to access external systems. Different environments must also not be able to read each other's secrets. Ascend can use either of the following as its vault backend:
- Azure Key Vault
- Google Secret Manager
The recommended approach for using Azure Key Vault (AKV) as your Ascend Vault is to create one standalone AKV for the instance and one for each environment. Access is provisioned by granting the Key Vault Secrets Officer role to the identity associated with the corresponding Ascend Instance or Environment, scoped to that AKV only.
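The AKV layout described above, expressed as Terraform. This is an added example, not Ascend's own configuration: it assumes the `azurerm` provider (3.x attribute names), the variables `var.location` and `var.resource_group_name`, and a map `var.ascend_identities` whose values are the object IDs of the Ascend instance and environment identities. The map and vault names are constructed placeholders. It generalises the text slightly by creating one vault and one scoped role assignment per map entry, so adding an environment is a one-line change.

```hcl
# Added example (not Ascend's own code). Assumed inputs: var.location,
# var.resource_group_name and var.ascend_identities (see lead-in).
variable "ascend_identities" {
  description = "Object IDs of the Ascend instance and environment identities, keyed by vault suffix"
  type        = map(string)
  # Constructed placeholder values; replace with the real principal object IDs.
  default = {
    instance = "00000000-0000-0000-0000-000000000001"
    env-dev  = "00000000-0000-0000-0000-000000000002"
    env-prod = "00000000-0000-0000-0000-000000000003"
  }
}

data "azurerm_client_config" "current" {}

# One standalone vault per identity (instance, env-dev, env-prod, ...).
resource "azurerm_key_vault" "ascend" {
  for_each = var.ascend_identities

  name                = "ascend-${each.key}-kv" # placeholder; AKV names must be globally unique
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Use Azure RBAC for data-plane access so the role assignment below is the
  # only thing that grants secret access (azurerm 3.x name; 4.x calls it rbac_authorization_enabled).
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# Key Vault Secrets Officer for exactly one identity, scoped to exactly one vault.
# The scope is the vault's resource ID, so the instance identity cannot reach an
# environment vault and no environment identity can reach another environment's vault.
resource "azurerm_role_assignment" "ascend_secrets_officer" {
  for_each = var.ascend_identities

  scope                = azurerm_key_vault.ascend[each.key].id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = each.value
}
```

Key Vault Secrets Officer includes set and delete on secrets, not only read, which is why the assignment is scoped at the individual vault rather than the resource group or subscription: a broader scope would silently collapse the instance/environment separation the text requires.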
There are two ways of separating Ascend Vaults in GCP:
- Each instance and environment is granted access to a separate GCP project in which to store its secrets; the Secret Accessor and Lister roles are then granted to the service account associated with the respective Ascend Instance or Environment. This is the recommended approach, as it provides the most isolation between environments and instances.
- Each instance and environment is granted the Secret Accessor role on the same project, with a condition that limits the accessible secrets by the prefix of the secret name. Each environment and instance can list all secrets in the project but can only access those whose names match its prefix condition.
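Both GCP layouts described above, as an added Terraform example that is not Ascend's own configuration. It assumes the `google` provider and these inputs, none of which come from the page: `var.dev_project_id` (a project dedicated to one environment, approach 1), `var.shared_project_id` and `var.shared_project_number` (a project holding several identities' secrets, approach 2), and the service-account e-mails of the Ascend identities. The page's "Lister" role is taken to be `roles/secretmanager.viewer`, the predefined role that carries `secretmanager.secrets.list` (an assumption).

```hcl
# Added example (not Ascend's own code). Assumed inputs: var.dev_project_id,
# var.shared_project_id, var.shared_project_number, var.dev_env_sa_email,
# var.prod_env_sa_email (all placeholders, see lead-in).

# --- Approach 1 (recommended): a dedicated project per identity, unconditional roles ---
resource "google_project_iam_member" "dev_env_accessor" {
  project = var.dev_project_id
  role    = "roles/secretmanager.secretAccessor" # read secret versions
  member  = "serviceAccount:${var.dev_env_sa_email}"
}

resource "google_project_iam_member" "dev_env_viewer" {
  project = var.dev_project_id
  role    = "roles/secretmanager.viewer" # list / get secret metadata (assumed to be the page's "Lister")
  member  = "serviceAccount:${var.dev_env_sa_email}"
}
# Isolation comes from the project boundary: nothing in this project belongs to
# any other environment or to the instance, so no condition is needed.

# --- Approach 2: one shared project, access narrowed by a secret-name prefix condition ---
resource "google_project_iam_member" "prod_env_viewer" {
  project = var.shared_project_id
  role    = "roles/secretmanager.viewer"
  member  = "serviceAccount:${var.prod_env_sa_email}"
  # No condition here: as the text notes, the identity can list every secret
  # in the project even though it can only read the ones matching its prefix.
}

resource "google_project_iam_member" "prod_env_accessor" {
  project = var.shared_project_id
  role    = "roles/secretmanager.secretAccessor"
  member  = "serviceAccount:${var.prod_env_sa_email}"

  condition {
    title       = "prod-env-secrets-only"
    description = "Only secret versions under secrets whose ID starts with prod-"
    # Secret resource names are projects/<PROJECT_NUMBER>/secrets/<SECRET_ID>, so the
    # condition must use the project number, not the project ID. Version access is
    # evaluated against projects/N/secrets/<id>/versions/<v>, which still matches the prefix.
    expression = "resource.name.startsWith(\"projects/${var.shared_project_number}/secrets/prod-\")"
  }
}
```

Two points matter when choosing the prefix. The prefix should end in a delimiter: `prod` alone would also match a secret named `production-db-password` belonging to someone else, while `prod-` does not. And because `secretmanager.secrets.list` is unconditional, secret IDs themselves are visible to every identity in the shared project, so the IDs should not carry sensitive information; when that is unacceptable, approach 1 is the right choice.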