
dasher06/Secrets-Management-Vault

Secrets Management Vault

Open in GitHub Codespaces


Overview

This project is a Secret Management System designed to securely store, retrieve, and manage sensitive data such as:

  • Database credentials
  • API keys
  • Service tokens

It follows a clean, modular architecture with backend abstraction, enabling support for multiple secret storage providers.


Why This Project Exists

Modern applications often suffer from:

  • Hardcoded credentials
  • No audit tracking
  • Poor secret rotation practices
  • Tight coupling to storage systems

This project introduces:

  • Centralized secret storage
  • Version-controlled updates
  • Pluggable backend architecture
  • Audit logging for traceability
  • API-driven secret operations

Quick Start

Run with GitHub Codespaces (Recommended)

  1. Click the Codespaces badge above
  2. Wait for environment setup
  3. Run:
     python -m server.extender.src.system_extender
  4. Open forwarded port 8000

Run Locally

git clone https://github.com/dasher06/Secrets-Management-Vault
cd Secrets-Management-Vault

python -m venv venv
venv\Scripts\Activate.ps1   # Windows
source venv/bin/activate    # Linux/macOS

pip install -r requirements.txt

python -m server.extender.src.system_extender

Open:

http://127.0.0.1:8000

System Architecture

Frontend (index.html)
        ↓
API Routes (FastAPI)
        ↓
Service Layer (Business Logic)
        ↓
Backend Layer (Storage Abstraction)
        ↓
Utilities (Auth, Audit, Metrics, Rotation)

Project Structure

server/
│
├── extender/
│   ├── src/
│   │   ├── routes/
│   │   │   └── secrets.py
│   │   │
│   │   ├── services/
│   │   │   └── secret_store/
│   │   │       ├── client.py
│   │   │       ├── mock_backend.py
│   │   │       ├── env_backend.py
│   │   │       └── openbao_backend.py
│   │   │
│   │   ├── utils/
│   │   │   ├── auth.py
│   │   │   ├── audit.py
│   │   │   ├── metrics.py
│   │   │   └── rotation.py
│   │   │
│   │   ├── static/
│   │   │   └── index.html
│   │   │
│   │   └── system_extender.py
│   │
│   └── tests/
│       ├── test_secret_store_api.py
│       ├── test_secret_store_mock.py
│       └── test_secret_store_openbao.py

Core Features

  • Create secrets (POST)
  • Retrieve secrets (GET)
  • Update secrets with versioning (PUT)
  • List all stored secrets
  • Audit logging of all operations
  • Backend abstraction layer
  • UI dashboard for interaction

Example Usage

Create Secret

Path:

database/postgres-main

Value:

{
  "db_host": "prod-1",
  "db_pass": "secure_env_01"
}

Update Secret

{
  "db_host": "prod-2",
  "db_pass": "secure_env_02"
}

Version automatically increments.


Retrieve Secret

GET /api/v1/secrets/service/database/postgres-main

Backend Design

Client Layer

Handles backend selection and request routing.

Backends

  • mock_backend.py → In-memory storage
  • env_backend.py → Environment-based storage
  • openbao_backend.py → External vault integration (extensible)

Utilities

  • auth.py → authentication placeholder
  • audit.py → request logging
  • metrics.py → performance tracking
  • rotation.py → secret lifecycle logic
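
The backend abstraction, automatic version increment and audit logging described above can be sketched as follows. This is an added example, not code from this repository: the names SecretBackend, InMemoryBackend and SecretClient, their methods, and the audit record fields are all assumptions made for illustration.

```python
from abc import ABC, abstractmethod
from datetime import datetime, timezone

class SecretBackend(ABC):
    """Storage interface (hypothetical): one implementation per provider."""
    @abstractmethod
    def append(self, path, record): ...
    @abstractmethod
    def history(self, path): ...

class InMemoryBackend(SecretBackend):
    """In-memory provider that keeps every version, oldest first."""
    def __init__(self):
        self._data = {}

    def append(self, path, record):
        self._data.setdefault(path, []).append(record)

    def history(self, path):
        return list(self._data.get(path, []))

class SecretClient:
    """Routes calls to the chosen backend and audits every operation."""
    def __init__(self, backend):
        self.backend = backend
        self.audit_log = []

    def _audit(self, actor, action, path, version, fields=()):
        # Record who/what/when and field names only, never secret values.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "action": action, "path": path,
                               "version": version, "fields": sorted(fields)})

    def put(self, actor, path, value):
        version = len(self.backend.history(path)) + 1  # create = 1, update = +1
        self.backend.append(path, {"version": version, "value": dict(value)})
        self._audit(actor, "put", path, version, value.keys())
        return version

    def get(self, actor, path, version=None):
        records = self.backend.history(path)
        if version is not None:
            records = [r for r in records if r["version"] == version]
        if not records:
            self._audit(actor, "get-miss", path, version)
            raise KeyError(path)
        self._audit(actor, "get", path, records[-1]["version"])
        return dict(records[-1]["value"])
```

Computing the version as history length plus one is not atomic, so a backend shared by concurrent writers should assign the version itself (for example with a check-and-set on the expected version).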

Design Principles

  • Separation of concerns
  • Modular architecture
  • Backend abstraction
  • Scalability-focused design
  • Clean API structure

Limitations (Current Scope)

  • No real authentication enforcement
  • No encryption at rest
  • OpenBao not connected to live instance
  • Local deployment only

Future Improvements

  • JWT authentication layer
  • Encryption of secrets
  • Role-based access control (RBAC)
  • Docker deployment
  • Real OpenBao/Vault integration

License

This project is licensed under the MIT License.

About

Secret Store implementation with pluggable backends, audit logging, and versioned secret management using FastAPI.
