
Secret inventory

Registry of all secrets stored in kv-hcs-vault-01. No values are documented here — only names, purposes, and metadata.

Vault: kv-hcs-vault-01
Subscription: be069ae1-fc96-4a07-9f8e-5994d83a817d


How to add a new secret

  1. Create the secret in Key Vault. Never paste a real value as a literal into an interactive shell: PSReadLine history keeps the whole command line. Read the value into a variable first, or pass it with --file from a file you delete afterwards, and set --expires to the rotation deadline so Key Vault itself tracks when the secret is due:
    az keyvault secret set `
        --vault-name kv-hcs-vault-01 `
        --name your-secret-name `
        --value 'the-value'
    
  2. Add a row to the registry table below. Fill in all columns.
  3. If the secret feeds a pipeline, also register it in ado-variable-groups.md.
  4. If the secret needs to be available in local sessions, add it to scripts/Load-HCSEnvironment.ps1.
  5. Commit this file with message: docs(identity): register secret <secret-name>

Secret naming convention: lowercase-kebab-case. Example: hcs-github-org-pat, anthropic-api-key.
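The steps above as one script. This is an added example for this page, not an existing HCS script. It assumes (hypothetically) that the registry page is saved as secret-inventory.md next to the script, that the Registry table is a markdown pipe table whose columns are in the order shown above, and that the caller has run az login and holds Key Vault Secrets Officer on the vault. The value is taken from a masked prompt and handed to az through a temporary file, so it never appears on the command line, and --expires is set to the rotation deadline.

```powershell
# Added example, not an existing HCS script. Assumptions (hypothetical): the
# registry page is saved as secret-inventory.md next to this script, its
# Registry table is a markdown pipe table with the column order
# Secret name | Purpose | Used by | Rotation schedule | Last rotated | Notes,
# and the caller has run `az login` and holds Key Vault Secrets Officer.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Name,
    [Parameter(Mandatory)] [string] $Purpose,
    [Parameter(Mandatory)] [string] $UsedBy,
    [int]    $RotationDays = 90,
    [string] $Notes        = '',
    [string] $VaultName    = 'kv-hcs-vault-01',
    [string] $RegistryPath = (Join-Path $PSScriptRoot 'secret-inventory.md')   # assumed file name
)
$ErrorActionPreference = 'Stop'

# Enforce the naming convention before anything is written to the vault.
if ($Name -notmatch '^[a-z0-9]+(-[a-z0-9]+)*$') {
    throw "Secret name '$Name' is not lowercase-kebab-case (example: hcs-github-org-pat)."
}

# Step 1: take the value from a masked prompt and pass it to az via a temp file.
# A literal on the az command line would be captured by PSReadLine history and
# by anything that reads process command lines while az runs.
$secure = Read-Host -Prompt "Value for $Name" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($plain)) { throw 'Refusing to store an empty value.' }

$now     = (Get-Date).ToUniversalTime()
$expires = $now.AddDays($RotationDays).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
$tmp     = [System.IO.Path]::GetTempFileName()
try {
    # WriteAllText adds no trailing newline; az stores the file content verbatim.
    [System.IO.File]::WriteAllText($tmp, $plain)
    az keyvault secret set `
        --vault-name $VaultName `
        --name $Name `
        --file $tmp `
        --expires $expires `
        --tags "purpose=$Purpose" "rotation-days=$RotationDays" `
        --output none
    if ($LASTEXITCODE -ne 0) { throw "az keyvault secret set failed for $Name." }
}
finally {
    Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    $plain = $null
}

# Step 2: insert the registry row after the last existing row of the Registry
# table (not at end of file, where the revoked-secrets table lives).
$esc   = { param($s) $s -replace '\|', '\|' }    # a bare pipe would split the cell
$cells = @($Name, (& $esc $Purpose), (& $esc $UsedBy), "$RotationDays days",
           $now.ToString('yyyy-MM-dd'), (& $esc $Notes))
$row   = '| ' + ($cells -join ' | ') + ' |'

$lines  = [System.Collections.Generic.List[string]](Get-Content -Path $RegistryPath)
$header = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like '| Secret name | Purpose | Used by*') { $header = $i; break }
}
if ($header -lt 0) { throw "Registry table header not found in $RegistryPath." }
$end = $header + 1
while ($end -lt $lines.Count -and $lines[$end].StartsWith('|')) { $end++ }
$lines.Insert($end, $row)
Set-Content -Path $RegistryPath -Value $lines

# Steps 3 and 4 (ado-variable-groups.md, scripts/Load-HCSEnvironment.ps1) are
# manual edits; step 5 is the commit.
Write-Host "Registered $Name in $VaultName, expires $expires."
Write-Host "Next: git commit -am 'docs(identity): register secret $Name'"
```

Run it as `.\Register-HCSSecret.ps1 -Name my-new-secret -Purpose '...' -UsedBy '...' -RotationDays 90`; the temp file is removed in the finally block even if az fails, and the pipe escaping keeps free-text cells from breaking the table.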


Registry

| Secret name | Purpose | Used by | Rotation schedule | Last rotated | Notes |
|---|---|---|---|---|---|
| hcs-github-org-pat | GitHub classic PAT for all HCS GitHub orgs. Wired through gh auth login. | GitHub CLI (gh), GitHub Actions via Variable Group platform-prd-secrets, any pipeline that pushes to or reads from HCS GitHub repos | 90 days | 2026-05-08 | Classic PAT. Covers all HCS orgs; classic PATs cannot be restricted to a single org or repo, so treat it as full-access for every repo the owning account can reach. See github-pats.md for full scope documentation. |
| anthropic-api-key | Anthropic API key for Claude Code and any HCS tooling that calls the Claude API directly | Claude Code (loaded via Load-HCSEnvironment.ps1 as ANTHROPIC_API_KEY), any project using the Anthropic SDK | 180 days or on compromise | 2026-05-08 | Do not share with pipelines. Local use only via env var. |
| cloudflare-api-token | Cloudflare API token for DNS management (CNAME records, zone updates). Required for automating custom domain setup on Azure Static Web Apps. | AB#1 docs deploy pipeline (platform.hybridsolutions.cloud CNAME), any future pipeline that manages DNS via Cloudflare API | 90 days or on compromise | 2026-05-08 | User API token (cfut_ prefix). Scope should be limited to DNS zone edit for hybridsolutions.cloud only. Verify token permissions in the Cloudflare dashboard. |
| azure-subscription-id | Primary HCS Azure subscription ID. Stored in KV so it can be loaded into local sessions without hardcoding. | Load-HCSEnvironment.ps1 (as AZURE_SUBSCRIPTION_ID), any script that needs the subscription ID | On subscription change | 2026-05-08 | Value: be069ae1-fc96-4a07-9f8e-5994d83a817d. Not a sensitive value; it also appears in this page's header and in the role-assignment scope below, and is recorded here for consistency. |

Expired or revoked secrets

Move entries here when a secret has been deleted from Key Vault or permanently revoked. Keep for audit trail.

| Secret name | Purpose | Deleted / revoked on | Reason |
|---|---|---|---|
| (none) | | | |

Secret access — who can read from this vault

Access to kv-hcs-vault-01 is controlled by Azure RBAC. This only holds while the vault uses the RBAC permission model (enableRbacAuthorization); a vault still on access policies ignores role assignments for data-plane access, so check the model first with az keyvault show. Role assignments inherited from the resource group, subscription or a management group apply to the vault as well, and a plain --scope query lists only roles assigned directly on the vault, so include inherited ones when auditing:

az role assignment list `
    --scope "/subscriptions/be069ae1-fc96-4a07-9f8e-5994d83a817d/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/kv-hcs-vault-01" `
    --include-inherited `
    --output table

Minimum role for reading secret values: Key Vault Secrets User. Required role for creating/updating secrets: Key Vault Secrets Officer (which can also read values). Key Vault Administrator grants every data-plane operation and is more than this vault needs. Owner and Contributor on the resource do not grant data-plane access to secret values, and Key Vault Reader returns metadata only, not values.
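An access audit for the vault, as an added example for this page rather than an existing HCS script. It assumes az login has been done, that the caller can read role assignments (Reader on the subscription suffices), and that the real resource group name is supplied because the page leaves <rg> unfilled. It first checks which permission model the vault uses, then lists every principal holding a secret-reading role, including assignments inherited from above the vault, and flags the broad grants that usually deserve a second look.

```powershell
# Added example, not an existing HCS script. Assumes `az login` has been done
# and that the caller can read role assignments. The page leaves the resource
# group as <rg>; it is a required parameter here.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [string] $VaultName      = 'kv-hcs-vault-01',
    [string] $SubscriptionId = 'be069ae1-fc96-4a07-9f8e-5994d83a817d'
)
$ErrorActionPreference = 'Stop'
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.KeyVault/vaults/$VaultName"

# 1. RBAC only governs secret reads if the vault uses the RBAC permission model.
#    A vault still on access policies ignores role assignments entirely.
$vault = az keyvault show --name $VaultName --resource-group $ResourceGroup --output json | ConvertFrom-Json
if (-not $vault.properties.enableRbacAuthorization) {
    Write-Warning "$VaultName uses the access-policy model; the role list below does not decide who can read secrets."
    $vault.properties.accessPolicies |
        Select-Object objectId, @{ n = 'secrets'; e = { $_.permissions.secrets -join ',' } } |
        Format-Table -AutoSize
}

# 2. Assignments that apply to the vault, including those inherited from the
#    resource group, subscription or management group. --include-groups also
#    expands assignments the signed-in user receives through group membership.
$assignments = az role assignment list --scope $scope --include-inherited --include-groups --output json |
    ConvertFrom-Json

# Built-in data-plane roles that can return secret values. Key Vault Reader is
# deliberately absent: it sees metadata only.
$readRoles = @('Key Vault Secrets User', 'Key Vault Secrets Officer', 'Key Vault Administrator')

$assignments |
    Where-Object { $_.roleDefinitionName -in $readRoles } |
    Select-Object principalName, principalType, roleDefinitionName,
        @{ n = 'assignedAt'; e = { if ($_.scope -eq $scope) { 'vault' } else { $_.scope } } } |
    Sort-Object roleDefinitionName, principalName |
    Format-Table -AutoSize

# 3. Flag the two common over-grants: Administrator on a secrets-only vault, and
#    any secret-reading role granted at subscription scope.
$tooBroad = @($assignments | Where-Object {
    $_.roleDefinitionName -eq 'Key Vault Administrator' -or
    ($_.roleDefinitionName -in $readRoles -and $_.scope -eq "/subscriptions/$SubscriptionId")
})
if ($tooBroad.Count -gt 0) {
    Write-Warning ("{0} assignment(s) grant secret access more broadly than the vault needs:" -f $tooBroad.Count)
    $tooBroad | ForEach-Object { Write-Warning "  $($_.principalName) : $($_.roleDefinitionName) @ $($_.scope)" }
}
```

Run it as `.\Audit-HCSVaultAccess.ps1 -ResourceGroup <rg>`; the assignedAt column is what distinguishes a role set directly on the vault from one inherited from a wider scope.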