DROP CREDENTIAL STORAGE

Removes a credential-storage backend. Fails if any vault entries still reference it unless those entries are linked-external (metadata-only) pointers.

Syntax

DROP CREDENTIAL STORAGE [IF EXISTS] <name>

Description

## Overview DROP CREDENTIAL STORAGE removes a backend row from vault_backends. The Control Plane verifies that no active vault entries still resolve their material through this backend before the row is deleted. ## Behavior - The HTTP adapter resolves the display_name to a backend id via GET /vault/backends, then calls DELETE /vault/backends/{id}. A 404 response combined with IF EXISTS returns a clean no-op; a 404 without IF EXISTS raises an error. - Vault entries whose storage_backend_id points to this backend must either be dropped first or relocated. The default OS Keychain ('OS Keychain') cannot be dropped and returns a server-side error if attempted. - Dropping a backend does not roll back the secret material that was written to it. The control plane attempts a best-effort delete_profile on the backend for each dependent vault entry, but external backends (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager) may retain the secret in their own recycle-bin mechanism per the backend's own retention policy. - The statement is atomic for the DeltaForge catalog row. There is no partial state where the backend is 'half dropped'. ## Access Control Requires the admin role. The Control Plane enforces vault:write on DELETE /vault/backends/{id}. ## Compatibility DeltaForge extension. No standard SQL equivalent.

Parameters

Name	Type	Description
name		Specifies the display_name of the backend to remove.
if_exists		When true, returns successfully without action if the backend does not exist. Without IF EXISTS, a missing backend raises an error.

Examples

-- Drop an unused backend
DROP CREDENTIAL STORAGE prod_azure_kv;

-- Idempotent cleanup (no error if already gone)
DROP CREDENTIAL STORAGE IF EXISTS staging_aws;

-- Combine with IF EXISTS across several cleanup targets
DROP CREDENTIAL STORAGE IF EXISTS scratch_kv_1;
DROP CREDENTIAL STORAGE IF EXISTS scratch_kv_2;
DROP CREDENTIAL STORAGE IF EXISTS scratch_kv_3;

Pitfalls

• Dropping a backend does not automatically drop the vault entries that reference it. Pre-existing entries still attempt to resolve material from the dropped backend and fail at read time. Drop or rotate dependent vault entries first.
• Linked-external entries (created via LINKED EXTERNAL SECRET) that reference this backend are not automatically cleaned up. After dropping the backend, those entries become unresolvable pointers. Enumerate them via SHOW VAULTS LIKE and drop individually before dropping the backend.
• The default 'OS Keychain' backend cannot be dropped. Attempts return a server-side error. This is intentional because the OS Keychain is a load-bearing singleton.
• DROP does not wait for external backend deletions to fully propagate. Secret material in Azure/AWS/GCP may persist in the backend's recycle bin per its own retention policy, even though the DeltaForge catalog row is gone.

See Also

• CREATE_CREDENTIAL_STORAGE
• ALTER_CREDENTIAL_STORAGE
• SHOW_CREDENTIAL_STORAGES
• DROP_VAULT