Contact Us 1-800-664-9073

On Saturday April 1, 2023, from 9 AM to 2 PM (PDT), content will be unavailable due to scheduled maintenance.

Secrets Manager

Anypoint Security secrets manager uses secure vault technology to store and control access to private keys, passwords, certificates, and other secrets.

If you cannot access the secrets manager or you receive an error saying Cannot Create Secret Groups, you must add the correct permissions in access management:

  • If you need access only to the secrets manager and do not manage instances of Anypoint Runtime Fabric, add the appropriate user permissions in the Access Management > Permissions > Secrets Manager tab.

  • If you manage instances of Runtime Fabric, you need to add only the Manage Runtime Fabric permission (you don’t need to add the Secrets Manager permission separately).

Use secrets manager to write and manage your secrets, keys, and Transport Layer Security (TLS) artifacts. You can read the metadata of the secrets, but the actual secrets can be consumed only by authorized platform services on your behalf.

Secrets manager is designed to store and manage secrets for supported Anypoint Platform services. It is not a general-purpose storage for secrets. Only trusted services within Anypoint Platform have access to the contents of the secret.

Secrets manager supports the management of TLS context for the following services:

  • Runtime Fabric ingress
    You can store TLS artifacts in secrets manager and then configure Anypoint Runtime Fabric ingress with the secret reference.

  • API Manager on Anypoint Platform
    You can store the TLS artifacts in secrets manager and then configure Anypoint API Manager with the secret reference.
    See Building an HTTPS API Proxy.

Anypoint Platform’s secrets manager enables you to store secrets in secrets groups, which are vaults associated with your environment and business group. Each secrets group has unique encryption keys, which are generated and managed only by secrets manager.

You can configure the supported Anypoint Platform services to request secrets stored in secrets manager, and you can control which supported services are authorized to access them. This task is handled by two microservices:

  • Secrets manager
    This is a publicly exposed service that handles the uploading and storing of your secrets. Every time you upload a secret to your vault, the secrets manager establishes a reference to it, so it can be shared or read without revealing its contents. You can read the secrets metadata but not the secret itself.

  • Secrets Provider
    This is an internal service that handles the secrets for consumption by supported platform services. This is the only service that can read the actual secrets an due to its nature, it is not accessible from the public network.

Diagram showing how secrets manager interacts with the secrets provider service and Anypoint Platform services.

Supported Secret Types

Secrets manager can store and manage the following secret types:

  • TLS Context
    SSL Security Parameters (ciphers to use, TLS version, and so on).

  • Keystore
    A repository of security certificates (either authorization certificates or public key certificates), along with their corresponding private keys.

  • Truststore
    A repository of security certificates from either other parties with which you expect to communicate, or Certificate Authorities that you trust to identify other parties.

  • Certificates
    Public X.509 certificates, which are electronic documents that bind a public key with an identity (hostname, organization, or individual).

  • Certificate Pin Set
    A repository of security certificates from other parties that associate a client or host with their expected X.509 certificate or public key.

  • CRL Distributor
    An entity that creates and maintains a list of CA certificates that are no longer trusted because their associated private keys, or a signing CA, were compromised.


Shared secrets are used for symmetric encryption and decryption, where the secret is known by both the message sender and the message recipient.

The following shared secret types are defined, however at this time, they can’t be consumed by Anypoint Platform services:

  • Passwords
    A password used by the sender and recipient to encode and decode the message.

  • Symmetric Keys
    A public key cryptography used by the sender and recipient to encode and decode the message.

  • S3 Credentials
    A pair of security keys to access AWS S3 buckets.

  • Blob
    A free-form and application-specific secret stored through an API call. Blobs are base64 encoded data used by specific applications. For example, a blob could store a base64-encoded JSON object.

View on GitHub