Manage Secrets

Sensu’s secrets management eliminates the need to expose secrets like usernames, passwords, and access keys in your Sensu configuration. Secrets management is available for Sensu handler, mutator, and check resources.

Use secrets management in Sensu explains how to use Sensu’s secrets provider (Env), CyberArk Conjur, or HashiCorp Vault as your external secrets provider and authenticate without exposing your secrets. Follow this guide to set up your PagerDuty Integration Key as a secret and create a PagerDuty handler definition that requires the secret. Your Sensu backend will be able to execute the handler with any check.


Secrets are configured with Sensu’s Secret resources. A secret resource definition refers to the secrets provider and an ID (the named secret to fetch from the secrets provider).

The secrets reference includes the specification, sensuctl configuration subcommands, and examples for secrets resources.

Secrets providers

The Sensu Go commercial distribution includes a secrets provider, Env, that exposes secrets from environment variables on your Sensu backend nodes. You can also use the CyberArkProvider type to authenticate via CyberArk Conjur or VaultProvider to authenticate via HashiCorp Vault.

Read the secrets providers reference for Sensu resource specifications, instructions for retrieving your secrets providers configuration via the Sensu API, and examples.