# Secret inventory

Registry of all secrets stored in kv-hcs-vault-01. No values are documented here — only names, purposes, and metadata.

- Vault: kv-hcs-vault-01
- Subscription: be069ae1-fc96-4a07-9f8e-5994d83a817d
## How to add a new secret

- Create the secret in Key Vault.
- Add a row to the registry table below. Fill in all columns.
- If the secret feeds a pipeline, also register it in ado-variable-groups.md.
- If the secret needs to be available in local sessions, add it to scripts/Load-HCSEnvironment.ps1.
- Commit this file with the message: docs(identity): register secret <secret-name>

Secret naming convention: lowercase-kebab-case. Examples: hcs-github-org-pat, anthropic-api-key.
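The steps above keep this file and the vault in sync only if someone checks them. The following PowerShell script is an added example (not part of this repo or the original page) that audits the two against each other: it reads the registry table below, lists the vault's secret names via the az CLI (names and metadata only, never values), and reports naming-convention violations, entries missing on either side, and rotations that are overdue according to the Rotation schedule and Last rotated columns. It assumes the registry lives in a file named secret-inventory.md in the current directory and that az is logged in with at least Key Vault Secrets User on the vault; both are assumptions.

```powershell
# Added example: audit the secret registry (this markdown file) against kv-hcs-vault-01.
# Assumptions (hypothetical): registry file path below, az CLI logged in with read access to the vault.
$VaultName   = 'kv-hcs-vault-01'
$RegistryMd  = 'secret-inventory.md'                 # assumed path of this registry file
$NamePattern = '^[a-z0-9]+(-[a-z0-9]+)*$'            # lowercase-kebab-case, per the naming convention

# Parse the markdown registry. Data rows look like:
# | name | purpose | used by | rotation schedule | last rotated | notes |
# The separator row (|---|) and header row never start with a kebab-case name, so they are skipped.
$registry = @{}
foreach ($line in Get-Content $RegistryMd) {
    if ($line -cnotmatch '^\|\s*([a-z0-9]+(-[a-z0-9]+)*)\s*\|') { continue }
    $cells = ($line.Trim('|') -split '\|') | ForEach-Object { $_.Trim() }
    if ($cells.Count -lt 6) { continue }             # the revoked-secrets table has only 4 columns
    $registry[$cells[0]] = [pscustomobject]@{ Schedule = $cells[3]; LastRotated = $cells[4] }
}

# Secret names actually present in the vault (metadata only; no secret values are read)
$inVault = @(az keyvault secret list --vault-name $VaultName --query '[].name' -o tsv)

$findings = @()
foreach ($name in $inVault) {
    if ($name -cnotmatch $NamePattern) { $findings += "${name}: violates naming convention" }
    if (-not $registry.ContainsKey($name)) { $findings += "${name}: in vault but not in registry"; continue }
    $row = $registry[$name]
    # Schedules such as "90 days" or "180 days or on compromise" yield a due date; "On subscription change" does not.
    if ($row.Schedule -match '^(\d+) days') {
        $due = ([datetime]$row.LastRotated).AddDays([int]$Matches[1])
        if ($due -lt (Get-Date)) { $findings += "${name}: rotation overdue since $($due.ToString('yyyy-MM-dd'))" }
    }
}
foreach ($name in ($registry.Keys | Where-Object { $_ -notin $inVault })) {
    $findings += "${name}: in registry but not in vault (move it to 'Expired or revoked secrets'?)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Registry and $VaultName are consistent."
```

A non-zero exit code makes the script usable as a scheduled pipeline step, so drift between this file and the vault surfaces without anyone re-reading the table by hand.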
## Registry

| Secret name | Purpose | Used by | Rotation schedule | Last rotated | Notes |
|---|---|---|---|---|---|
| hcs-github-org-pat | GitHub classic PAT for all HCS GitHub orgs. Wired through gh auth login. | GitHub CLI (gh), GitHub Actions via Variable Group platform-prd-secrets, any pipeline that pushes to or reads from HCS GitHub repos | 90 days | 2026-05-08 | Classic PAT. Covers all HCS orgs. See github-pats.md for full scope documentation. |
| anthropic-api-key | Anthropic API key for Claude Code and any HCS tooling that calls the Claude API directly | Claude Code (loaded via Load-HCSEnvironment.ps1 as ANTHROPIC_API_KEY), any project using the Anthropic SDK | 180 days or on compromise | 2026-05-08 | Do not share with pipelines. Local use only via env var. |
| cloudflare-api-token | Cloudflare API token for DNS management (CNAME records, zone updates). Required for automating custom domain setup on Azure Static Web Apps. | AB#1 docs deploy pipeline (platform.hybridsolutions.cloud CNAME), any future pipeline that manages DNS via Cloudflare API | 90 days or on compromise | 2026-05-08 | User API token (cfut_ prefix). Scope should be limited to DNS zone edit for hybridsolutions.cloud only. Verify token permissions in Cloudflare dashboard. |
| azure-subscription-id | Primary HCS Azure subscription ID. Stored in KV so it can be loaded into local sessions without hardcoding. | Load-HCSEnvironment.ps1 (as AZURE_SUBSCRIPTION_ID), any script that needs the subscription ID | On subscription change | 2026-05-08 | Value: be069ae1-fc96-4a07-9f8e-5994d83a817d (this is the only place in this repo where the sub ID is noted; not a sensitive value, but kept here for consistency) |
## Expired or revoked secrets

Move entries here when a secret has been deleted from Key Vault or permanently revoked. Keep for audit trail.

| Secret name | Purpose | Deleted / revoked on | Reason |
|---|---|---|---|
| (none) | | | |
## Secret access — who can read from this vault

Access to kv-hcs-vault-01 is controlled by Azure RBAC. To check current access:

```powershell
az role assignment list `
  --scope "/subscriptions/be069ae1-fc96-4a07-9f8e-5994d83a817d/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/kv-hcs-vault-01" `
  --output table
```
Minimum role for reading secrets: Key Vault Secrets User.
Required role for creating/updating secrets: Key Vault Secrets Officer.