Managing Lockers and Secrets¶
This page covers the day-to-day management of Lockers and Secrets through the Zaita web portal. For an overview of the data model and delivery options, see Introduction to Secrets Management.
Role required: The Secrets Management section of the portal is accessible to users with the Secrets Administrator or Super Administrator role.
Navigating to Secrets Management¶
The Secrets Management product is accessed via the product selector in the sidebar. If your account has the Secrets Administrator role, you will see a Secrets option in the product dropdown. Selecting it switches the portal to the Secrets Management context, displaying the Vault inventory and navigation.
Managing Lockers¶
Viewing the Locker Inventory¶
The Secrets → Inventory page displays all Lockers in your Vault. Each entry shows the Locker name and its UUID. From this page you can create new Lockers, navigate to an existing Locker, and delete Lockers.
Use the search field to filter Lockers by name.
Creating a Locker¶
- Navigate to Secrets → Inventory.
- Click Create Locker.
- Enter a Name for the Locker. Choose a name that clearly identifies the group of secrets it will contain (for example,
production-api-keysordatabase-credentials). - Click Create.
The Locker is created immediately and appears in the inventory. Its UUID is assigned automatically and is used as the stable identifier when granting access or configuring Couriers and Bridges.
Deleting a Locker¶
Warning: Deleting a Locker permanently removes all secrets it contains and revokes all access grants. This action cannot be undone.
- Navigate to Secrets → Inventory.
- Locate the Locker you want to delete.
- Click the Delete button on the Locker's row.
- Confirm the deletion in the dialog.
All associated access records for Couriers, Bridges, and Workloads are removed as part of the deletion.
Managing Secrets¶
Viewing Secrets in a Locker¶
- Navigate to Secrets → Inventory.
- Click the Locker name to open the Locker view.
The Locker view has four tabs: Secrets, Courier Access, Bridge Cache, and Workload Access.
The Secrets tab lists all secrets in the Locker by name and description. Secret values are never displayed in the portal — they are stored encrypted and can only be retrieved via the delivery APIs.
Use the search field to filter secrets by name.
Adding a Secret¶
- Open the Locker view and select the Secrets tab.
- Click Add Secret.
- Enter a Name for the secret. Secret names must be unique within the Locker. Use names that clearly identify the value (for example,
DB_PASSWORD,STRIPE_API_KEY). - Optionally enter a Description to explain the secret's purpose or rotation schedule.
- Enter the Value — the plaintext secret. This is encrypted before being sent to the platform and is never stored or logged in plaintext.
- Click Add.
The secret is encrypted with the tenant's key in the Secured Back Control Plane and stored as ciphertext.
Deleting a Secret¶
- Open the Locker view and select the Secrets tab.
- Locate the secret you want to remove.
- Click the Delete icon on the secret's row.
- Confirm the deletion.
Deletion is immediate and irreversible. Any Courier, Bridge, or Workload that next downloads the Locker will receive the updated set of secrets without the deleted entry.
Managing Locker Access¶
Access to a Locker is controlled independently for each consumer type. By default, no Couriers, Bridges, or Workloads have access to a newly created Locker — access must be explicitly granted.
Courier Access¶
The Courier Access tab controls which registered Couriers can download this Locker.
Granting a Courier access:
- Open the Locker view and select the Courier Access tab.
- Click Grant Access.
- Select the Courier from the dropdown list.
- Click Grant.
Revoking a Courier's access:
- On the Courier Access tab, locate the Courier.
- Click Revoke on the Courier's row.
- Confirm revocation.
After revocation, the Courier will receive an authorisation error on its next download attempt.
Bridge Cache¶
The Bridge Cache tab controls which Bridges are assigned to cache this Locker in memory.
Assigning a Bridge:
- Open the Locker view and select the Bridge Cache tab.
- Click Assign Bridge.
- Select the Bridge from the dropdown list.
- Click Assign.
On the Bridge's next heartbeat cycle, it will receive the updated Locker list and sync the Locker into its in-memory cache.
Removing a Bridge assignment:
- On the Bridge Cache tab, locate the Bridge.
- Click Remove on the Bridge's row.
The Bridge will stop receiving updates for this Locker on its next sync cycle.
Workload Access¶
The Workload Access tab controls which registered Workloads can access this Locker directly via the Workload API.
Granting a Workload access:
- Open the Locker view and select the Workload Access tab.
- Click Grant Access.
- Select the Workload from the dropdown list.
- Click Grant.
Revoking a Workload's access:
- On the Workload Access tab, locate the Workload.
- Click Revoke on the Workload's row.
Audit Events¶
All Locker and Secret operations generate audit log entries. Key events include:
| Event | Description |
|---|---|
locker.created |
A new Locker was created |
locker.deleted |
A Locker and all its contents were deleted |
secret.created |
A new Secret was added to a Locker |
secret.deleted |
A Secret was deleted from a Locker |
locker.courier_access.granted |
A Courier was granted access to a Locker |
locker.courier_access.revoked |
A Courier's access to a Locker was revoked |
locker.bridge_cache.assigned |
A Locker was assigned to a Bridge cache |
locker.bridge_cache.removed |
A Locker was removed from a Bridge cache |
locker.workload_access.granted |
A Workload was granted access to a Locker |
locker.workload_access.revoked |
A Workload's access to a Locker was revoked |
All audit events are viewable under Admin → Audit Log.
Next Steps¶
- Workloads — register applications for direct secret access.
- Delivering Secrets with Couriers — configure a Courier to pull secrets from a Locker.
- Caching Secrets on Bridges — assign Lockers to a Bridge for in-memory caching.
- Best Practices — recommended Locker organisation and access patterns.