Credential Storage

Configure credential storage backends (OS keychain, Azure Key Vault, AWS Secrets Manager, GCP Secret Manager).

Category: configuration

Description

## Overview

The Credential Storage page allows administrators to configure the backend system that DeltaForge uses to persist and retrieve sensitive credentials such as database passwords, API keys, and storage account keys. Supported backends are the operating system keychain (Windows Credential Manager or macOS Keychain) for local development and three cloud providers for shared deployments: Azure (Key Vault, authenticated via Azure AD), AWS (Secrets Manager, authenticated via IAM or access keys), and GCP (Secret Manager, authenticated via Application Default Credentials or a service account). By centralizing backend selection here, all other pages that require credentials (connections, vault entries, pipelines) automatically resolve secrets from the chosen store.

This page is typically configured once during initial platform setup and revisited when the organization migrates to a different secrets management solution or needs to verify backend health after infrastructure changes.

## Key Features

- **Backend selection and configuration.** Choose from the OS keychain for local development, or one of the supported cloud providers: Azure (Key Vault, Storage, ADLS), AWS (Secrets Manager, S3), or GCP (Secret Manager, Storage). Each cloud provider presents its own configuration form with a provider-specific authentication method: Azure CLI login, Managed Identity, or Service Principal for Azure; Access Key or IAM Role for AWS; Application Default Credentials or Service Account JSON for GCP.
- **Backend connectivity testing.** Validate that the control plane can reach the selected backend, authenticate successfully, and perform basic read and write operations. Diagnostic messages surface authentication failures, network issues, or permission problems.
- **External secret listing.** Browse secrets already stored in the configured backend without exposing their values. This allows administrators to confirm that expected credential profiles exist and to audit secret inventory before linking them to connections or vault entries.

## Workflow

1. Navigate to the Credential Storage page from the Configuration sidebar.
2. Select the desired backend type (Azure, AWS, or GCP) from the available options.
3. Fill in the backend-specific configuration fields (vault name, region, authentication method, and similar) and, if required, complete the interactive sign-in flow (e.g. Azure CLI browser login).
4. Run the connectivity test to verify that the control plane can communicate with the backend.
5. Review the external secret listing to confirm that expected credential profiles are present.
6. Save the configuration. All credential-dependent features across the platform now resolve secrets from the selected backend.
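The connectivity test described under Key Features and run in step 4 of the workflow, sketched as an added example (not DeltaForge code): a probe that writes, reads back, and deletes a random canary secret, then maps each failure to the authentication, network, or permission diagnostic. `MemoryBackend`, `AuthError`, `AccessDenied`, and `probe` are hypothetical names, and the in-memory backend is a constructed stand-in for a real secret store.

```python
import contextlib
import secrets

# Hypothetical names throughout; none of these are DeltaForge APIs.
class AuthError(Exception): ...
class AccessDenied(Exception): ...

class MemoryBackend:
    """Constructed stand-in for a keychain or cloud secret store."""
    def __init__(self, fail_on=None):
        self.fail_on = fail_on or {}   # operation name -> exception to raise
        self.store = {}

    def _check(self, op):
        if op in self.fail_on:
            raise self.fail_on[op]

    def put(self, name, value):
        self._check("put")
        self.store[name] = value

    def get(self, name):
        self._check("get")
        return self.store[name]

    def delete(self, name):
        self._check("delete")
        self.store.pop(name, None)

def probe(backend, prefix="probe-"):
    """Write, read back and delete a random canary; return (ok, diagnostic)."""
    name = prefix + secrets.token_hex(8)   # random name avoids clobbering real secrets
    canary = secrets.token_urlsafe(24)     # throwaway value, never logged or returned
    step = "write"
    try:
        backend.put(name, canary)
        step = "read"
        if not secrets.compare_digest(backend.get(name), canary):
            return False, "read: value mismatch"
        return True, "ok"
    except AuthError:
        return False, f"{step}: authentication failed"
    except AccessDenied:
        return False, f"{step}: permission denied"
    except (ConnectionError, TimeoutError):
        return False, f"{step}: network unreachable"
    finally:
        with contextlib.suppress(Exception):
            backend.delete(name)           # best-effort cleanup of the canary
```

Reporting the failing step separates an identity that can write but not read from one that cannot authenticate at all, and the `finally` block removes the canary even when the read is denied.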
