Bifrost’s vault support enables seamless integration with enterprise-grade secret management systems, allowing you to connect to existing vaults and automatically sync virtual keys and provider API keys directly onto the Bifrost platform.

Overview

The vault integration provides:
  • Automated Key Synchronization: Connect to your existing vault infrastructure and sync all API keys automatically
  • Periodic Key Management: Regular synchronization ensures deprecated and archived keys are properly managed
  • Multi-Vault Support: Compatible with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault
  • Zero-Downtime Operations: Keys are synced without interrupting your running services

Supported Vault Systems

HashiCorp Vault

Centralized secret management for self-hosted deployments.

AWS Secrets Manager

Cloud-native secret storage on AWS.

Google Secret Manager

Secure key storage on Google Cloud Platform.

Azure Key Vault

Key management for Microsoft Azure environments.

Key Synchronization

Automatic Sync Process

Bifrost automatically synchronizes keys from your vault at regular intervals:
  1. Discovery: Scans the configured vault paths for API keys and virtual keys
  2. Validation: Verifies key format and accessibility
  3. Sync: Updates Bifrost’s internal key store with new and modified keys
  4. Deprecation: Identifies and archives keys that have been removed from the vault
  5. Notification: Logs sync status and any issues encountered

Sync Configuration

Configure synchronization behavior to match your operational requirements:
{
  "vault": {
    "sync_interval": "300s",
    "sync_paths": [
      "bifrost/provider-keys/*",
      "bifrost/virtual-keys/*"
    ],
    "auto_deprecate": true,
    "backup_deprecated_keys": true
  }
}

Configuration Options

Option                  Description                              Default
sync_interval           Time between sync operations             300s
sync_paths              Vault paths to monitor for keys          ["bifrost/*"]
auto_deprecate          Automatically deprecate removed keys     true
backup_deprecated_keys  Backup keys before deprecation           true

Key Management Lifecycle

Key States

Keys in Bifrost can have the following states:
  • Active: Currently in use and available for requests
  • Deprecated: Marked for removal but still functional
  • Archived: Removed from active use but retained for audit purposes
  • Expired: Keys that have exceeded their validity period

Deprecation Process

When keys are removed from the vault:
  1. Detection: Next sync cycle identifies missing keys
  2. Grace Period: Keys enter deprecated state with configurable grace period
  3. Notification: Administrators are notified of pending deprecation
  4. Archive: Keys are moved to archived state after grace period expires

{
  "vault": {
    "deprecation": {
      "grace_period": "24h",
      "notify_admins": true,
      "retain_archived": "90d"
    }
  }
}
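One way to implement the sync cycle and the deprecation lifecycle described above, as an added example written for this page rather than Bifrost's own code: the Key and Config types, the Reconcile function and the state names are assumptions, auto_deprecate is assumed to be true, and the Expired state is left out because the page does not define the validity period behind it.

```go
package main
import "time"
// Lifecycle states from the page; Expired is left out because the page does not define its validity period.
const Active, Deprecated, Archived = "active", "deprecated", "archived"
// Key and Config are constructed for this example, not Bifrost's own types.
type Key struct {
	Secret, State, Backup string // Backup holds the secret copied before deprecation
	DeprecatedAt          time.Time
}
type Config struct {
	GracePeriod, RetainArchived time.Duration // grace_period, retain_archived
	BackupDeprecated            bool          // backup_deprecated_keys; auto_deprecate is assumed true
}
// Reconcile runs one sync cycle over vault (path -> secret, as read from the vault) and store (the
// gateway's view, keyed by path, updated in place); it returns counts of keys synced and newly deprecated.
func Reconcile(vault map[string]string, store map[string]*Key, cfg Config, now time.Time) (synced, deprecated int) {
	for path, secret := range vault {
		k, ok := store[path]
		switch {
		case !ok: // discovery: key not seen before
			store[path] = &Key{Secret: secret, State: Active}
			synced++
		case k.Secret != secret || k.State != Active: // rotated, or re-added during the grace period
			k.Secret, k.State, k.Backup = secret, Active, ""
			synced++
		}
	}
	for path, k := range store {
		if _, present := vault[path]; present {
			continue
		}
		switch k.State {
		case Active: // removed from the vault: back up, then start the grace period
			if cfg.BackupDeprecated {
				k.Backup = k.Secret
			}
			k.State, k.DeprecatedAt = Deprecated, now
			deprecated++
		case Deprecated:
			if now.Sub(k.DeprecatedAt) >= cfg.GracePeriod {
				k.State = Archived // no longer served, retained for audit
			}
		case Archived:
			if now.Sub(k.DeprecatedAt) >= cfg.GracePeriod+cfg.RetainArchived {
				delete(store, path) // retention window elapsed
			}
		}
	}
	return synced, deprecated
}
```

A deprecated key is still served until the grace period elapses, so the returned counts are what an audit entry like the one under Audit Trail would record for each cycle.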

Security Considerations

Authentication

  • Vault Tokens: Use time-limited tokens with minimal required permissions
  • IAM Roles: Leverage cloud provider IAM roles for secure authentication
  • Certificate-based Auth: Support for mutual TLS authentication where available

Encryption

  • Transit Encryption: All communication with vault systems uses TLS
  • At-Rest Encryption: Keys are encrypted in Bifrost’s internal storage
  • Key Rotation: Automatic detection and handling of rotated vault credentials

Audit Trail

Complete audit logging for all vault operations:
{
  "timestamp": "2024-01-15T10:30:00Z",
  "operation": "key_sync",
  "vault_type": "hashicorp",
  "keys_synced": 15,
  "keys_deprecated": 2,
  "status": "success"
}