NHI Secrets

Use Veza to discover and manage credentials for non-human identity (NHI) accounts, including tokens, cryptographic keys, passwords, and certificates.

In Veza, an NHI secret is a piece of private data that grants access to resources, systems, and services. Non-human identities (like applications, functions, and other workloads) use secrets to authenticate and establish their permissions. Secrets typically have a fixed lifespan and are used at scale for programmatic access, with examples including:

  • Database connection strings and passwords

  • API keys for service-to-service communication

  • Service account credentials providing access to cloud resources

  • Cloud provider access keys that authorize infrastructure changes

  • SSH and TLS private keys for system access

  • Infrastructure automation tokens

  • Webhook signing secrets

Veza discovers and provides metadata about secrets across your cloud and application environments, enabling comprehensive visibility into security and compliance posture, including which non-human identities can access secrets, and how they are protected.

Supported Secrets

Secrets are represented in the Veza Graph as distinct entity types. When creating queries, you can select individual entity types or use top-level groupings to search for all entities of that category. For example, searching for Keys will include both AWS KMS Customer Master Keys and Azure Key Vault Keys in the results.

Secrets

Application-level secrets including credentials and sensitive configuration:

  • AWS Secrets Manager Secrets

  • Azure Key Vault Secrets

  • HashiCorp Vault Secrets Engine Resources

Keys

Cryptographic keys used for data encryption:

  • AWS KMS Customer Master Keys

  • Azure Key Vault Keys

  • Google Cloud KMS Keys

Access Credentials

Long-lived authentication tokens and certificates:

  • Azure Key Vault Certificates

  • GitHub Personal Access Tokens
