NHI Secrets

Use Veza to discover and manage credentials for non-human identity (NHI) accounts, including tokens, cryptographic keys, passwords, and certificates.

In Veza, an NHI secret is a piece of private data that grants access to resources, systems, and services. Non-human identities (like applications, functions, and other workloads) use secrets to authenticate and establish their permissions. Secrets typically have a fixed lifespan and are used at scale for programmatic access, with examples including:

  • Database connection strings and passwords

  • API keys for service-to-service communication

  • Service account credentials providing access to cloud resources

  • Cloud provider access keys that authorize infrastructure changes

  • SSH and TLS private keys for system access

  • Infrastructure automation tokens

  • Webhook signing secrets

Veza discovers secrets across your cloud and application environments and collects metadata about them, giving you visibility into your security and compliance posture: which non-human identities can access each secret, and how each secret is protected.

Supported Secrets

Secrets are represented in the Veza Graph as distinct entity types. When creating queries, you can select individual entity types or use top-level groupings to search for all entities of that category. For example, searching for Keys will include both AWS KMS Customer Master Keys and Azure Key Vault Keys in the results.

Secrets

Application-level secrets including credentials and sensitive configuration:

  • AWS Secrets Manager Secrets

  • Azure Key Vault Secrets

  • GitHub Secrets

  • HashiCorp Vault Secrets Engine Resources

  • Snowflake Secrets

Keys

Cryptographic keys used for data encryption:

  • AWS KMS Customer Master Keys

  • Azure Key Vault Keys

  • Google Cloud KMS Keys

Access Credentials

Long-lived authentication tokens and certificates:

  • AWS IAM Access Keys

  • Azure Key Vault Certificates

  • Azure Storage Account Access Keys

  • Custom Access Credentials (Open Authorization API)

  • GitHub Deploy Keys

  • GitHub Personal Access Tokens

  • Google Cloud Service Account Keys

Credential Lifecycle Management

Veza tracks metadata for secrets and credentials to help you understand when keys were last used or last rotated:

Usage Tracking

The following credential types support last_used_at tracking to identify stale or unused credentials:

  • AWS IAM Access Keys

  • AWS KMS Customer Master Keys

  • Azure Key Vault Keys

  • Azure Key Vault Secrets

  • Azure Storage Account Access Keys

  • GitHub Deploy Keys

  • GitHub Personal Access Tokens

  • GitHub Secrets

  • Google Cloud KMS Keys

  • Google Cloud Service Account Keys

  • HashiCorp Vault Secrets Engine Resources

  • Snowflake Secrets

  • Snowflake Users (with API/service access)

Rotation Tracking

The following secret types support last_rotated_at tracking to verify compliance with rotation policies:

  • AWS KMS Customer Master Keys

  • AWS Secrets Manager Secrets

  • Azure Key Vault Keys

  • Azure Key Vault Secrets

  • GitHub Secrets

  • Google Cloud KMS Keys

  • HashiCorp Vault Secrets Engine Resources

  • Snowflake Secrets

Use Query Builder to create queries that identify:

  • Credentials that haven't been used in 90+ days

  • Secrets that haven't been rotated according to policy

  • Active credentials without recent usage

  • Service accounts with multiple active keys
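The four checks listed above, as an added example that is not Veza's code or Query Builder output: a small Python script that applies each rule to a constructed set of credential records. Only the attribute names `last_used_at` and `last_rotated_at` come from this page; the record fields `id`, `type`, `owner` and `status`, the fixed clock, and the per-type rotation policy are assumptions for illustration. The type sets mirror the usage- and rotation-tracking lists above, so a missing timestamp on a type that is not tracked is skipped rather than misread as "never used".

```python
"""Staleness checks over NHI credential metadata (added example, not Veza's code).

The records below are constructed sample entities; their shape is an assumption
shaped after the attributes this page names (last_used_at, last_rotated_at).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Types that support last_used_at / last_rotated_at tracking, mirroring this page's lists.
USAGE_TRACKED_TYPES = {
    "AWS IAM Access Key", "AWS KMS Customer Master Key", "Azure Key Vault Key",
    "Azure Key Vault Secret", "Azure Storage Account Access Key", "GitHub Deploy Key",
    "GitHub Personal Access Token", "GitHub Secret", "Google Cloud KMS Key",
    "Google Cloud Service Account Key", "HashiCorp Vault Secrets Engine Resource",
    "Snowflake Secret", "Snowflake User",
}
ROTATION_TRACKED_TYPES = {
    "AWS KMS Customer Master Key", "AWS Secrets Manager Secret", "Azure Key Vault Key",
    "Azure Key Vault Secret", "GitHub Secret", "Google Cloud KMS Key",
    "HashiCorp Vault Secrets Engine Resource", "Snowflake Secret",
}
# Long-lived per-identity keys; several active at once usually means a rotation was never finished.
ACCESS_KEY_TYPES = {"AWS IAM Access Key", "Google Cloud Service Account Key", "GitHub Deploy Key"}

# Constructed sample records (not real data). A None timestamp means "no value recorded".
SAMPLE_CREDENTIALS = [
    {"id": "aws-key-1", "type": "AWS IAM Access Key", "owner": "svc-deploy", "status": "active",
     "last_used_at": "2024-05-30T00:00:00Z", "last_rotated_at": None},
    {"id": "aws-key-2", "type": "AWS IAM Access Key", "owner": "svc-deploy", "status": "active",
     "last_used_at": "2024-01-15T00:00:00Z", "last_rotated_at": None},
    {"id": "gh-pat-1", "type": "GitHub Personal Access Token", "owner": "ci-bot", "status": "active",
     "last_used_at": None, "last_rotated_at": None},
    {"id": "asm-secret-1", "type": "AWS Secrets Manager Secret", "owner": "svc-billing", "status": "active",
     "last_used_at": None, "last_rotated_at": "2023-11-01T00:00:00Z"},
    {"id": "kv-secret-1", "type": "Azure Key Vault Secret", "owner": "svc-billing", "status": "active",
     "last_used_at": "2024-05-20T00:00:00Z", "last_rotated_at": "2024-04-01T00:00:00Z"},
    {"id": "gcp-sa-key-1", "type": "Google Cloud Service Account Key", "owner": "svc-etl", "status": "inactive",
     "last_used_at": "2023-01-01T00:00:00Z", "last_rotated_at": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def older_than(ts, now, days):
    """True when ts is known and lies more than `days` before now."""
    return ts is not None and now - ts > timedelta(days=days)


def unused_credentials(creds, now=NOW, max_idle_days=90):
    """Usage-tracked credentials whose last recorded use is more than max_idle_days ago."""
    return sorted(c["id"] for c in creds
                  if c["type"] in USAGE_TRACKED_TYPES
                  and older_than(parse_ts(c["last_used_at"]), now, max_idle_days))


def rotation_overdue(creds, policy_days, now=NOW):
    """Rotation-tracked secrets whose last rotation is older than the policy for their type.

    policy_days maps type -> maximum age in days; types without a policy entry are skipped.
    """
    out = []
    for c in creds:
        if c["type"] not in ROTATION_TRACKED_TYPES or c["type"] not in policy_days:
            continue
        if older_than(parse_ts(c["last_rotated_at"]), now, policy_days[c["type"]]):
            out.append(c["id"])
    return sorted(out)


def active_without_recent_usage(creds, now=NOW, max_idle_days=90):
    """Active, usage-tracked credentials with no recorded use inside max_idle_days.

    A missing last_used_at on a tracked type is treated as never used (the riskiest case);
    untracked types are skipped because absence of data is not absence of use.
    """
    out = []
    for c in creds:
        if c["status"] != "active" or c["type"] not in USAGE_TRACKED_TYPES:
            continue
        ts = parse_ts(c["last_used_at"])
        if ts is None or older_than(ts, now, max_idle_days):
            out.append(c["id"])
    return sorted(out)


def accounts_with_multiple_active_keys(creds):
    """Owners holding two or more active long-lived access keys."""
    by_owner = defaultdict(list)
    for c in creds:
        if c["status"] == "active" and c["type"] in ACCESS_KEY_TYPES:
            by_owner[c["owner"]].append(c["id"])
    return {owner: sorted(ids) for owner, ids in by_owner.items() if len(ids) > 1}


if __name__ == "__main__":
    policy = {"AWS Secrets Manager Secret": 90, "Azure Key Vault Secret": 90}
    print("unused 90+ days:", unused_credentials(SAMPLE_CREDENTIALS))
    print("rotation overdue:", rotation_overdue(SAMPLE_CREDENTIALS, policy))
    print("active, no recent use:", active_without_recent_usage(SAMPLE_CREDENTIALS))
    print("multiple active keys:", accounts_with_multiple_active_keys(SAMPLE_CREDENTIALS))
```

Note the two different treatments of a missing timestamp: `unused_credentials` only reports a credential when a last-use time is recorded and old, while `active_without_recent_usage` also reports a tracked credential that has never been seen in use, since an active key with no usage history is the one most likely to be forgotten. A type outside the tracked sets is never reported by either rule, so the gaps in the lists above do not turn into false findings.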
