Every cloud. Every platform. Every language.
Zero .env files. Zero API keys. Identity is automatic.
Your application code never knows how it's authenticated. It just calls new ZeonVault() and gets secrets. Identity is detected automatically based on where your code is running.
IAM roles, service accounts, managed identities — the cloud verifies who you are
Container labels + ZeonVault agent — identity via Unix socket, no env vars
Service account tokens — auto-mounted JWT, verified against cluster OIDC
Machine identity + mTLS certificate — provisioned once, auto-rotates
App starts
new ZeonVault()
SDK detects environment
AWS? Docker? K8s? Local?
Identity verified
IAM role / SA token / mTLS
Secrets returned
Encrypted, decrypted locally
App runs
Auto-refresh, zero restarts
Click any platform to see detailed setup instructions, every managed service, and the security flow.
ZeonVault uses AWS IAM roles to verify identity. Your application never needs credentials — AWS automatically provides identity through instance metadata, task roles, or execution roles.
IAM Role → Instance Metadata Service (IMDS) / Task Role / Execution RoleCreate an IAM role that ZeonVault trusts. This role defines which secrets your service can access.
# Create the IAM trust policy
cat > trust-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
# Create the role
aws iam create-role \
--role-name my-app-zeonvault-role \
--assume-role-policy-document file://trust-policy.json
# No AWS permissions needed — ZeonVault handles authorizationIn ZeonVault dashboard, link this IAM role ARN to your project and specify which secrets it can access.
# Or use CLI zeonvault identity register \ --type aws-iam \ --arn arn:aws:iam::123456789:role/my-app-zeonvault-role \ --project my-app \ --environment production \ --permissions read
Attach the IAM role to your ECS task, EC2 instance, Lambda function, or EKS pod.
# That's it! Your app code is just:
const vault = new ZeonVault();
const dbUrl = await vault.get('DATABASE_URL');
# ZeonVault SDK automatically:
# 1. Detects it's running on AWS (via IMDS)
# 2. Reads the IAM role from instance metadata
# 3. Sends the role identity to ZeonVault API
# 4. ZeonVault verifies with AWS STS
# 5. Returns the authorized secretsClick any service to see the complete configuration.
App starts → SDK detects AWS environment (IMDS endpoint at 169.254.169.254)
SDK reads IAM role ARN from instance metadata / task metadata
SDK calls AWS STS GetCallerIdentity to get a signed identity token
SDK sends signed token to ZeonVault API over TLS 1.3
ZeonVault verifies the token with AWS STS (cross-account verification)
ZeonVault checks: Does this IAM role have access to this project's secrets?
If authorized → secrets returned encrypted, decrypted locally in SDK
Secrets cached in memory (never written to disk) with configurable TTL
Install the SDK. Call new ZeonVault(). Get secrets. Same pattern in every language — with framework-specific integrations for Django, Rails, Spring Boot, Laravel, ASP.NET, and more.
npm install @zeonvault/sdkconst { ZeonVault } = require('@zeonvault/sdk');
// Zero config — identity auto-detected
const vault = new ZeonVault();
// Get individual secrets
const dbUrl = await vault.get('DATABASE_URL');
const stripeKey = await vault.get('STRIPE_SECRET_KEY');
const redisUrl = await vault.get('REDIS_URL');
// Get all secrets at once
const config = await vault.getAll();
// Use in your Express/Fastify/NestJS app
const app = express();
app.listen(config.PORT, () => {
console.log(`Server running on port ${config.PORT}`);
});
// Auto-refresh — secrets update without restart
vault.enableAutoRefresh(300); // every 5 minutes
// Subscribe to changes
vault.on('secret:changed', (key, newValue) => {
console.log(`${key} was rotated`);
});
// Download certificate files
const cert = await vault.getFile('TLS_CERTIFICATE');
fs.writeFileSync('./cert.pem', cert);Middleware that injects secrets into req.config
ConfigModule replacement — @InjectVault() decorator
Server-side getServerSideProps with vault.getAll()
Every type of secret, key, credential, and configuration your application needs.
Already using another solution? Here's how to migrate in minutes.
# Import existing .env file
$ zeonvault import --file .env --project my-app --env production
✓ Imported 23 variables into my-app/production
# Before (old way):
const dbUrl = process.env.DATABASE_URL;
# After (ZeonVault):
const vault = new ZeonVault();
const dbUrl = await vault.get('DATABASE_URL');# Import from AWS Secrets Manager
$ zeonvault import --source aws-secrets-manager \
--region us-east-1 \
--project my-app \
--env production
✓ Imported 15 secrets from AWS Secrets Manager
# Before (AWS):
const client = new SecretsManagerClient({});
const response = await client.send(
new GetSecretValueCommand({ SecretId: 'my-app/db' })
);
# After (ZeonVault — way simpler):
const vault = new ZeonVault();
const dbUrl = await vault.get('DATABASE_URL');# Import from HashiCorp Vault
$ zeonvault import --source hashicorp-vault \
--addr https://vault.company.com \
--path secret/data/my-app \
--project my-app
✓ Imported 31 secrets from HashiCorp Vault
# Before (HashiCorp Vault):
const vault = require('node-vault')({
apiVersion: 'v1',
endpoint: process.env.VAULT_ADDR,
token: process.env.VAULT_TOKEN
});
const { data } = await vault.read('secret/data/my-app');
# After (ZeonVault — no server to manage):
const vault = new ZeonVault();
const dbUrl = await vault.get('DATABASE_URL');# Import from any JSON/YAML export
$ zeonvault import --file secrets.json \
--format json \
--project my-app \
--env production
✓ Imported 28 variables
# Or import from Doppler directly
$ zeonvault import --source doppler \
--token dp.xxx \
--project my-app
✓ Imported 42 secrets from Doppler projectEvery secret is protected with enterprise-grade security at every layer.
Every secret encrypted at rest with AES-256-GCM. Keys rotated automatically.
All communication uses TLS 1.3. Certificate pinning available for high-security environments.
ZeonVault cannot read your secrets. Encryption keys derived from your identity.
Every secret access logged with timestamp, IP, identity, and result. Immutable audit log.
Secrets never leave your VPC. Agent communicates via encrypted channel.
Real-time alerts if a secret is accessed from an unusual identity or location.
Configure secrets to auto-rotate on schedule. Apps auto-refresh — zero downtime.
Secrets exist only in memory. Never logged, never cached to disk, never in container layers.
Each service only accesses its own secrets. auth-service can't see payment-service secrets.
| Feature | ZeonVault | .env Files | AWS Secrets Manager | HashiCorp Vault |
|---|---|---|---|---|
| Zero config (no API key) | ||||
| Identity-based auth | ||||
| Works across all clouds | ||||
| No server to maintain | ||||
| 2-command developer setup | ||||
| Per-service isolation | ||||
| Auto-refresh (no restart) | ||||
| Audit trail | ||||
| Free tier | ||||
| 8 language SDKs | ||||
| CI/CD OIDC integration | ||||
| File/certificate storage |
Your app code stays the same everywhere — local, Docker, Kubernetes, AWS, GCP, Azure. Just new ZeonVault() and you're done.
# New developer onboarding $ zeonvault login ✓ Logged in as dev@company.com $ zeonvault link ✓ Linked to my-app/development $ npm run dev ✓ App running with 23 secrets loaded # Total time: 90 seconds