Credential Vault
The Credential Vault securely stores your cloud provider API keys and secrets using AES-256 encryption. Never expose sensitive credentials in your code or environment files again.
- AES-256 encryption protects credentials at rest on your machine
- 8 cloud providers supported including AWS, Azure, GCP, and Hetzner
- Automatic injection of credentials during Terraform deployment
- Cloud sync optionally shares encrypted credentials across machines
Opening the Vault
Navigate to the Vault tab in the Architect panel:
Adding Credentials
- Click Add Credential
- Select the credential type from the dropdown
- Enter your credentials
- Click Save
Supported Credential Types
Naming Credentials
Give each credential set a descriptive name:
aws-productionhetzner-staginggcp-ml-project
provider-environment to make credential selection easy during deployment.
Using Stored Credentials
During Deployment
When deploying infrastructure, Architect prompts you to select credentials:
- Click Deploy in the designer
- A credential selection dialog appears
- Choose the appropriate credentials from the vault
- Credentials are used securely during deployment
Environment Variable Injection
| Provider | Environment Variables |
|---|---|
| AWS | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY |
| Hetzner | HCLOUD_TOKEN |
| Azure | ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET |
| GCP | GOOGLE_APPLICATION_CREDENTIALS (path to temp file) |
Generated Code
Credentials are never hardcoded in generated Terraform files. Instead, variables reference environment:
variable "hcloud_token" {
description = "Hetzner Cloud API token"
type = string
sensitive = true
}
provider "hcloud" {
token = var.hcloud_token
}
Managing Credentials
Security
Encryption
- Credentials are encrypted with AES-256-GCM
- Encryption key is derived from your AIVory account
- Credentials are encrypted at rest on your machine
- Never transmitted in plaintext
Local Storage
Encrypted credentials are stored in:
- macOS/Linux:
~/.aivory/vault/ - Windows:
%APPDATA%\aivory\vault\
Cloud Sync
With cloud sync enabled:
- Only encrypted credential data is synced
- Your encryption key never leaves your device
- Sync allows credentials across multiple machines
- Disable sync to keep credentials local-only
Best Practices
.aivory/vault/ to git.
Multiple Credentials
Store multiple credential sets for different purposes:
Organize by Environment
aws-dev- Development accountaws-staging- Staging accountaws-prod- Production account
This keeps credentials isolated and prevents accidental production changes during development.
Organize by Project
projecta-hetzner- Project A infrastructureprojectb-aws- Project B infrastructure
Useful when working on multiple projects with different cloud accounts.
Organize by Team
team-shared- Shared resourcespersonal-sandbox- Personal testing
Helps separate team resources from personal experimentation.
Troubleshooting
Credential decryption failed
- Sign out and sign back in to refresh your account key
- If the issue persists, delete and re-add the credential
Credential not found during deployment
- Verify the credential exists in the vault
- Check the credential name matches what’s expected
- Ensure you’re signed in to AIVory
Permission denied during deployment
- Verify the credentials have appropriate permissions
- Check the credential hasn’t expired or been revoked
- Ensure the cloud provider account is active
Migrating credentials to a new machine
- Sign in to AIVory on the new machine
- If cloud sync is enabled, credentials appear automatically
- If sync is disabled, re-add credentials manually
Alternative: Environment Files
If you prefer .env files over the vault:
# .env (add to .gitignore!)
HCLOUD_TOKEN=your-token-here
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
Architect detects and uses .env files automatically.
.env files for better security. Environment files can accidentally be committed to version control.