# NHI Secrets

In Veza, an NHI secret is a piece of private data that grants access to resources, systems, and services. Non-human identities (like applications, functions, and other workloads) use secrets to authenticate and establish their permissions. Secrets typically have a fixed lifespan and are used at scale for programmatic access, with examples including:

* Database connection strings and passwords
* API keys for service-to-service communication
* Service account credentials providing access to cloud resources
* Cloud provider access keys that authorize infrastructure changes
* SSH and TLS private keys for system access
* Infrastructure automation tokens
* Webhook signing secrets

Veza discovers and provides metadata about secrets across your cloud and application environments, enabling comprehensive visibility into security and compliance posture, including which non-human identities can access secrets, and how they are protected.

### Supported Secrets

Secrets are represented in the Veza Graph as distinct entity types. When creating queries, you can select individual entity types or use top-level groupings to search for all entities of that category. For example, searching for *Keys* will include both *AWS KMS Customer Master Keys* and *Azure Key Vault Keys* in the results.

#### Secrets

Application-level secrets including credentials and sensitive configuration:

* AWS Secrets Manager Secrets
* AWS Systems Manager Parameters
* Azure Key Vault Secrets
* GitHub Secrets
* Google Cloud Secret Manager Secrets
* HashiCorp Vault Secrets Engine Resources (including KV2 Subkeys when key extraction is enabled)
* Kubernetes Secrets
* Snowflake Secrets

#### Keys

Cryptographic keys used for data encryption:

* AWS KMS Customer Master Keys
* Azure Key Vault Keys
* Google Cloud KMS Keys
* Okta Auth Server Keys

#### Access Credentials

Long-lived authentication tokens and certificates:

* AWS Certificate Manager Certificates
* AWS IAM Access Keys
* Azure AD App Credentials
* Azure Key Vault Certificates
* Azure Storage Account Access Keys
* CockroachDB Cloud API Keys
* Custom Access Credentials (Open Authorization API)
* Databricks Account Service Principal Secrets
* Databricks Personal Access Tokens
* GitHub Deploy Keys
* GitHub Personal Access Tokens
* GitLab Access Credentials
* Google Cloud Service Account Keys
* Okta API Tokens
* Okta OAuth Application Credentials:
  * Okta Application Key Credentials
  * Okta OAuth Application Client Secrets
  * Okta OAuth Refresh Tokens

### Credential Lifecycle Management

Veza tracks metadata for secrets and credentials so you can see when each key was last used and when it was last rotated:

#### Usage Tracking

The following credential types support `last_used_at` tracking to identify stale or unused credentials:

* AWS IAM Access Keys
* AWS KMS Customer Master Keys
* Azure Key Vault Keys (with audit logging via Log Analytics workspace)
* Azure Key Vault Secrets (with audit logging via Log Analytics workspace)
* Azure Storage Account Access Keys
* GitHub Deploy Keys
* GitHub Personal Access Tokens
* GitHub Secrets
* Google Cloud KMS Keys
* Google Cloud Service Account Keys
* HashiCorp Vault Secrets Engine Resources
* Snowflake Secrets
* Snowflake Users (with API/service access)

**Activity Monitoring** (via `Last Activity With Resource At`):

* Okta OAuth Application Client Secrets (requires audit log extraction)
* Okta OAuth Refresh Tokens (requires audit log extraction)

{% hint style="info" %}
Okta OAuth credential activity requires both "Gather Credentials" and "Audit Logs" enabled in Okta integration settings. See [Activity Monitoring](/4yItIzMvkpAvMVFAamTf/features/activity-monitoring.md) for details.
{% endhint %}

#### Rotation Tracking

The following secret types support `last_rotated_at` tracking to ensure compliance with rotation policies:

* AWS KMS Customer Master Keys
* AWS Secrets Manager Secrets
* Azure Key Vault Keys
* Azure Key Vault Secrets
* GitHub Secrets
* Google Cloud KMS Keys
* HashiCorp Vault Secrets Engine Resources (including KV2 Subkeys)
* Okta OAuth Application Client Secrets
* Okta Application Key Credentials
* Snowflake Secrets

Use Query Builder to create queries that identify:

* Credentials that haven't been used in 90+ days
* Secrets that haven't been rotated according to policy
* Active credentials without recent usage
* Service accounts with multiple active keys
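The four checks above, worked through as an added example over constructed credential metadata (this is illustrative code, not Veza's own code, data model or API; the record fields, the `last_used_at` / `last_rotated_at` values and the per-type rotation policy are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records carrying the last_used_at / last_rotated_at fields this
# page describes; field names and values are assumptions, not Veza's data model or API.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
def days_ago(n): return NOW - timedelta(days=n)
CREDENTIALS = [
    {"id": "key-1", "type": "AWS IAM Access Key", "owner": "svc-deploy", "status": "active",
     "last_used_at": days_ago(120), "last_rotated_at": days_ago(120)},
    {"id": "key-2", "type": "AWS IAM Access Key", "owner": "svc-deploy", "status": "active",
     "last_used_at": days_ago(3), "last_rotated_at": days_ago(3)},
    {"id": "key-3", "type": "Google Cloud Service Account Key", "owner": "svc-etl", "status": "active",
     "last_used_at": None, "last_rotated_at": days_ago(10)},
    {"id": "sec-1", "type": "AWS Secrets Manager Secret", "owner": "app-billing", "status": "active",
     "last_used_at": days_ago(5), "last_rotated_at": days_ago(400)},
    {"id": "key-4", "type": "AWS IAM Access Key", "owner": "svc-legacy", "status": "inactive",
     "last_used_at": days_ago(300), "last_rotated_at": days_ago(300)},
]
# Maximum age in days allowed per entity type (constructed example rotation policy).
ROTATION_POLICY_DAYS = {"AWS Secrets Manager Secret": 90, "AWS IAM Access Key": 180,
                        "Google Cloud Service Account Key": 90}

def unused_for(records, now=NOW, max_idle_days=90):
    """Credentials with no recorded use in max_idle_days; never-used counts as stale."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(r["id"] for r in records if r["last_used_at"] is None or r["last_used_at"] < cutoff)

def rotation_overdue(records, now=NOW, policy=ROTATION_POLICY_DAYS):
    """Credentials whose last rotation is older than their type's policy allows."""
    out = []
    for r in records:
        limit = policy.get(r["type"])
        if limit is not None and r["last_rotated_at"] < now - timedelta(days=limit):
            out.append(r["id"])
    return sorted(out)

def active_never_used(records):
    """Active credentials that have never authenticated: candidates for removal."""
    return sorted(r["id"] for r in records if r["status"] == "active" and r["last_used_at"] is None)

def owners_with_multiple_active_keys(records):
    """Identities holding more than one active key, often a rotation that was never finished."""
    keys = defaultdict(list)
    for r in records:
        if r["status"] == "active" and "Key" in r["type"]:
            keys[r["owner"]].append(r["id"])
    return {owner: sorted(ids) for owner, ids in keys.items() if len(ids) > 1}
```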

