Skip to content

Managing Lockers and Secrets

This page covers the day-to-day management of Lockers and Secrets through the Zaita web portal. For an overview of the data model and delivery options, see Introduction to Secrets Management.

Role required: The Secrets Management section of the portal is accessible to users with the Secrets Administrator or Super Administrator role.


The Secrets Management product is accessed via the product selector in the sidebar. If your account has the Secrets Administrator role, you will see a Secrets option in the product dropdown. Selecting it switches the portal to the Secrets Management context, displaying the Vault inventory and navigation.


Managing Lockers

Viewing the Locker Inventory

The Secrets → Inventory page displays all Lockers in your Vault. Each entry shows the Locker name and its UUID. From this page you can create new Lockers, navigate to an existing Locker, and delete Lockers.

Use the search field to filter Lockers by name.

Creating a Locker

  1. Navigate to Secrets → Inventory.
  2. Click Create Locker.
  3. Enter a Name for the Locker. Choose a name that clearly identifies the group of secrets it will contain (for example, production-api-keys or database-credentials).
  4. Click Create.

The Locker is created immediately and appears in the inventory. Its UUID is assigned automatically and is used as the stable identifier when granting access or configuring Couriers and Bridges.

Deleting a Locker

Warning: Deleting a Locker permanently removes all secrets it contains and revokes all access grants. This action cannot be undone.

  1. Navigate to Secrets → Inventory.
  2. Locate the Locker you want to delete.
  3. Click the Delete button on the Locker's row.
  4. Confirm the deletion in the dialog.

All associated access records for Couriers, Bridges, and Workloads are removed as part of the deletion.


Managing Secrets

Viewing Secrets in a Locker

  1. Navigate to Secrets → Inventory.
  2. Click the Locker name to open the Locker view.

The Locker view has four tabs: Secrets, Courier Access, Bridge Cache, and Workload Access.

The Secrets tab lists all secrets in the Locker by name and description. Secret values are never displayed in the portal — they are stored encrypted and can only be retrieved via the delivery APIs.

Use the search field to filter secrets by name.

Adding a Secret

  1. Open the Locker view and select the Secrets tab.
  2. Click Add Secret.
  3. Enter a Name for the secret. Secret names must be unique within the Locker. Use names that clearly identify the value (for example, DB_PASSWORD, STRIPE_API_KEY).
  4. Optionally enter a Description to explain the secret's purpose or rotation schedule.
  5. Enter the Value — the plaintext secret. This is encrypted before being sent to the platform and is never stored or logged in plaintext.
  6. Click Add.

The secret is encrypted with the tenant's key in the Secured Back Control Plane and stored as ciphertext.

Deleting a Secret

  1. Open the Locker view and select the Secrets tab.
  2. Locate the secret you want to remove.
  3. Click the Delete icon on the secret's row.
  4. Confirm the deletion.

Deletion is immediate and irreversible. Any Courier, Bridge, or Workload that next downloads the Locker will receive the updated set of secrets without the deleted entry.


Managing Locker Access

Access to a Locker is controlled independently for each consumer type. By default, no Couriers, Bridges, or Workloads have access to a newly created Locker — access must be explicitly granted.

Courier Access

The Courier Access tab controls which registered Couriers can download this Locker.

Granting a Courier access:

  1. Open the Locker view and select the Courier Access tab.
  2. Click Grant Access.
  3. Select the Courier from the dropdown list.
  4. Click Grant.

Revoking a Courier's access:

  1. On the Courier Access tab, locate the Courier.
  2. Click Revoke on the Courier's row.
  3. Confirm revocation.

After revocation, the Courier will receive an authorisation error on its next download attempt.

Bridge Cache

The Bridge Cache tab controls which Bridges are assigned to cache this Locker in memory.

Assigning a Bridge:

  1. Open the Locker view and select the Bridge Cache tab.
  2. Click Assign Bridge.
  3. Select the Bridge from the dropdown list.
  4. Click Assign.

On the Bridge's next heartbeat cycle, it will receive the updated Locker list and sync the Locker into its in-memory cache.

Removing a Bridge assignment:

  1. On the Bridge Cache tab, locate the Bridge.
  2. Click Remove on the Bridge's row.

The Bridge will stop receiving updates for this Locker on its next sync cycle.

Workload Access

The Workload Access tab controls which registered Workloads can access this Locker directly via the Workload API.

Granting a Workload access:

  1. Open the Locker view and select the Workload Access tab.
  2. Click Grant Access.
  3. Select the Workload from the dropdown list.
  4. Click Grant.

Revoking a Workload's access:

  1. On the Workload Access tab, locate the Workload.
  2. Click Revoke on the Workload's row.

Audit Events

All Locker and Secret operations generate audit log entries. Key events include:

Event Description
locker.created A new Locker was created
locker.deleted A Locker and all its contents were deleted
secret.created A new Secret was added to a Locker
secret.deleted A Secret was deleted from a Locker
locker.courier_access.granted A Courier was granted access to a Locker
locker.courier_access.revoked A Courier's access to a Locker was revoked
locker.bridge_cache.assigned A Locker was assigned to a Bridge cache
locker.bridge_cache.removed A Locker was removed from a Bridge cache
locker.workload_access.granted A Workload was granted access to a Locker
locker.workload_access.revoked A Workload's access to a Locker was revoked

All audit events are viewable under Admin → Audit Log.


Next Steps