Architect

Credential Vault

The Credential Vault securely stores your cloud provider API keys and secrets using AES-256 encryption. Never expose sensitive credentials in your code or environment files again.

  • AES-256 encryption protects credentials at rest on your machine
  • 8 cloud providers supported including AWS, Azure, GCP, and Hetzner
  • Automatic injection of credentials during Terraform deployment
  • Cloud sync optionally shares encrypted credentials across machines

Opening the Vault

Navigate to the Vault tab in the Architect panel:

VS Code / Cursor / Antigravity
Click the AIVory Architect icon in the Activity Bar, then select the Vault tab
JetBrains IDEs
Open the AIVory Architect tool window, then click the Vault tab

Adding Credentials

  1. Click Add Credential
  2. Select the credential type from the dropdown
  3. Enter your credentials
  4. Click Save

Supported Credential Types

AWS
Access Key ID, Secret Access Key
Azure
Tenant ID, Client ID, Client Secret
GCP
Service Account JSON (file upload or paste)
Hetzner
API Token
RunPod GPU
API Key
DeepInfra AI
API Key
Cloudflare
API Token, Account ID
Generic
Custom key-value pairs

Naming Credentials

Give each credential set a descriptive name:

  • aws-production
  • hetzner-staging
  • gcp-ml-project
Note Use a consistent naming pattern like provider-environment to make credential selection easy during deployment.

Using Stored Credentials

During Deployment

When deploying infrastructure, Architect prompts you to select credentials:

  1. Click Deploy in the designer
  2. A credential selection dialog appears
  3. Choose the appropriate credentials from the vault
  4. Credentials are used securely during deployment
Note Credentials from the vault are injected as environment variables during Terraform execution and are never hardcoded in generated files.

Environment Variable Injection

Provider Environment Variables
AWS AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
Hetzner HCLOUD_TOKEN
Azure ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
GCP GOOGLE_APPLICATION_CREDENTIALS (path to temp file)

Generated Code

Credentials are never hardcoded in generated Terraform files. Instead, variables reference environment:

variable "hcloud_token" {
  description = "Hetzner Cloud API token"
  type        = string
  sensitive   = true
}

provider "hcloud" {
  token = var.hcloud_token
}

Managing Credentials

View
Values are masked by default. Click the eye icon to reveal (auto-hides after 10 seconds).
Edit
Click the credential, then Edit to update values.
Delete
Select the credential and click Delete to remove.
Warning Deleted credentials cannot be recovered. Make sure you have backup copies of important credentials before removing them.

Security

Encryption

  • Credentials are encrypted with AES-256-GCM
  • Encryption key is derived from your AIVory account
  • Credentials are encrypted at rest on your machine
  • Never transmitted in plaintext

Local Storage

Encrypted credentials are stored in:

  • macOS/Linux: ~/.aivory/vault/
  • Windows: %APPDATA%\aivory\vault\

Cloud Sync

Success Cloud sync is available with AIVory Architect Premium plans.

With cloud sync enabled:

  • Only encrypted credential data is synced
  • Your encryption key never leaves your device
  • Sync allows credentials across multiple machines
  • Disable sync to keep credentials local-only

Best Practices

Do: Separate by Environment
Use different credentials for dev, staging, and production
Do: Rotate Regularly
Update credentials periodically for security
Do: Least Privilege
Use minimal permissions needed for each credential
Do: Enable 2FA
Protect your cloud accounts with two-factor auth
Warning Never reuse production credentials in development, share vault files with others, store root/admin credentials, or commit .aivory/vault/ to git.

Multiple Credentials

Store multiple credential sets for different purposes:

Organize by Environment
  • aws-dev - Development account
  • aws-staging - Staging account
  • aws-prod - Production account

This keeps credentials isolated and prevents accidental production changes during development.

Organize by Project
  • projecta-hetzner - Project A infrastructure
  • projectb-aws - Project B infrastructure

Useful when working on multiple projects with different cloud accounts.

Organize by Team
  • team-shared - Shared resources
  • personal-sandbox - Personal testing

Helps separate team resources from personal experimentation.


Troubleshooting

Credential decryption failed
  • Sign out and sign back in to refresh your account key
  • If the issue persists, delete and re-add the credential
Credential not found during deployment
  • Verify the credential exists in the vault
  • Check the credential name matches what’s expected
  • Ensure you’re signed in to AIVory
Permission denied during deployment
  • Verify the credentials have appropriate permissions
  • Check the credential hasn’t expired or been revoked
  • Ensure the cloud provider account is active
Migrating credentials to a new machine
  1. Sign in to AIVory on the new machine
  2. If cloud sync is enabled, credentials appear automatically
  3. If sync is disabled, re-add credentials manually

Alternative: Environment Files

If you prefer .env files over the vault:

# .env (add to .gitignore!)
HCLOUD_TOKEN=your-token-here
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret

Architect detects and uses .env files automatically.

Note The vault is recommended over .env files for better security. Environment files can accidentally be committed to version control.

Next Steps