Version: 3.0.0

Vault

Ascend provides a secure and flexible secrets management system through Vaults. You can use the built-in Ascend Managed Vaults or integrate with existing vault services from major cloud providers. This enables your applications to access credentials and sensitive information securely without exposing secrets in your codebase.

Vaults in Ascend

Ascend offers Vaults at three different levels:

1. Ascend Instance Vault

  • Pre-provisioned and managed by Ascend
  • Uses AWS Secrets Manager behind the scenes
  • Stores instance-wide secrets like OPENAI_API_KEY
  • Available to all projects and environments within your Ascend instance
  • Referenced via vaults.instance.<secret-name>
  • Scope: Entire Ascend Instance

2. Ascend Environment Vault

  • Pre-provisioned for each environment
  • Uses AWS Secrets Manager behind the scenes
  • Stores environment-specific secrets (database credentials, API keys, etc.)
  • Available to all projects deployed to that environment
  • Referenced via vaults.environment.<secret-name>
  • Scope: Single Environment

3. Project Vault

  • Custom vaults defined in your project's vaults/ directory
  • Can connect to AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager
  • Scoped to specific projects
  • Referenced via vaults.<vault-name>.<secret-name>
  • Scope: Single Project

Best practices

For most customers, we recommend the following strategy:

  • For getting started or smaller teams: Use the default Ascend Managed Vaults (Instance and Environment)
  • For project-specific secrets: Create Project Vaults and grant the corresponding environment access
  • For custom environment needs: Override the Ascend-managed Environment Vault with your own cloud provider
  • For custom instance needs: Override the Ascend-managed Instance Vault with your own cloud provider
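The three reference forms and scopes listed above can be used for a least-privilege review of a project. The following is an added example, not Ascend code: it finds vault references in file contents, groups them by scope, and flags instance-wide secrets used by only one file as candidates for a narrower vault. The name character set, the file paths, the secret names other than OPENAI_API_KEY, and the "single file" heuristic are assumptions.

```python
import re
from collections import defaultdict

# Assumption: vault and secret names use letters, digits, "_" and "-".
REF = re.compile(r"\bvaults\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")

# Scope of the two Ascend-managed vaults, as listed on this page.
RESERVED = {"instance": "Entire Ascend Instance", "environment": "Single Environment"}


def classify(text):
    """Return (vault, secret, scope) for each vault reference found in text."""
    out = []
    for vault, secret in REF.findall(text):
        # Any other vault name is a Project Vault: vaults.<vault-name>.<secret-name>
        scope = RESERVED.get(vault, "Single Project")
        out.append((vault, secret, scope))
    return out


def audit(files):
    """Map scope -> {reference: sorted list of files that use it}."""
    report = defaultdict(lambda: defaultdict(set))
    for name, text in files.items():
        for vault, secret, scope in classify(text):
            report[scope][f"vaults.{vault}.{secret}"].add(name)
    return {s: {r: sorted(f) for r, f in refs.items()} for s, refs in report.items()}


def overbroad(files):
    """Instance-wide secrets referenced from exactly one file (review heuristic)."""
    inst = audit(files).get("Entire Ascend Instance", {})
    return sorted(ref for ref, used_in in inst.items() if len(used_in) == 1)


# Constructed sample: hypothetical paths and contents, not Ascend's file syntax.
SAMPLE = {
    "connections/warehouse.yaml": "password: vaults.environment.WAREHOUSE_PASSWORD\n",
    "components/summarize.py": "key = vaults.instance.OPENAI_API_KEY\n",
    "components/classify.py": "key = vaults.instance.OPENAI_API_KEY\n",
    "components/billing.py": "token = vaults.instance.BILLING_TOKEN\n"
                             "alt = vaults.finance_vault.BILLING_TOKEN\n",
}

if __name__ == "__main__":
    for ref in overbroad(SAMPLE):
        print("instance-wide but used in one file:", ref)
```
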

Benefits

  • Default Vaults: Simplify secret management without additional configuration files
  • Consistent references: Use vaults.environment.<secret-name> syntax consistently across examples
  • Instance Store: Centrally manage instance-wide secrets like an OPENAI_API_KEY
  • Customization: Bring your own cloud provider when needed for compliance or existing infrastructure

Supported cloud providers

Ascend supports integration with multiple secret management services. For provider-specific setup instructions, refer to the following guides: