Cloud-storage credentials are a perennial source of incidents: access keys checked into source control, hard-coded keys that never rotate, keys shared across environments. The platform's previous integration model held credentials in the application's own configuration store, which inherited the application's deployment cadence, so credential rotation meant a redeploy.
This release introduces a credentials-manager SPI that abstracts cloud-credential storage. The platform calls the SPI; the SPI implementation fetches the live credential from the customer's secret-management system of choice: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Secret Manager, IBM Cloud Secret Manager, or a custom store. Rotation happens in the secret manager; the platform sees the new credential on its next lease.
- Four cloud-storage providers covered. Amazon S3, Azure Blob, IBM Cloud Object Storage, Google Cloud Storage — all reachable through the same application-side credential surface.
- Provider-agnostic application code. The same script that writes to S3 writes to Azure Blob; only the credential's target provider changes, not the API.
- Audit and rotation belong to the platform. The secret manager owns the credential lifecycle; the platform's activity log records each credential lease for forensic reconstruction.
- No keys in application configuration. Application configuration references the credential by ID, not by content; a leaked configuration file does not leak the credential.
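The lease model described above, as an added sketch that is not the platform's actual SPI: configuration carries only a credential ID, the manager resolves it to a time-limited lease, and a rotation in the backing store becomes visible on the next lease. Every class, method and value name here is hypothetical, the store is an in-memory stand-in for a real secret manager, and caching a lease until its TTL expires is an assumption.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    credential_id: str
    secret: str
    expires_at: float

class InMemorySecretStore:
    """Constructed stand-in for the customer's secret manager."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)
    def read(self, credential_id):
        return self._secrets[credential_id]
    def rotate(self, credential_id, new_value):
        self._secrets[credential_id] = new_value

class CredentialsManager:
    """Hypothetical SPI shape: resolve a credential ID to a time-limited lease."""
    def __init__(self, store, ttl_seconds, clock=time.monotonic):
        self._store, self._ttl, self._clock = store, ttl_seconds, clock
        self._leases = {}
        self.activity_log = []  # (time, credential_id, requester); never the secret

    def lease(self, credential_id, requester):
        now = self._clock()
        held = self._leases.get(credential_id)
        if held and held.expires_at > now:
            return held  # lease still valid: reuse it, no new log entry
        fresh = Lease(credential_id, self._store.read(credential_id), now + self._ttl)
        self._leases[credential_id] = fresh
        self.activity_log.append((now, credential_id, requester))
        return fresh

def demo():
    # Constructed sample config: a reference by ID, no key material.
    config = {"storage": {"provider": "s3", "credential_id": "cred/s3-reports"}}
    store = InMemorySecretStore({"cred/s3-reports": "CONSTRUCTED-KEY-v1"})
    now = [0.0]  # fake clock so the run is deterministic
    mgr = CredentialsManager(store, ttl_seconds=300, clock=lambda: now[0])
    cid = config["storage"]["credential_id"]
    first = mgr.lease(cid, "job-42").secret
    store.rotate(cid, "CONSTRUCTED-KEY-v2")    # rotation happens in the store
    now[0] = 100.0
    during = mgr.lease(cid, "job-42").secret   # old lease still live
    now[0] = 301.0
    after = mgr.lease(cid, "job-42").secret    # next lease sees the new key
    return first, during, after, mgr.activity_log, config
```

Under this assumed caching model the retired key stays in use until the current lease expires, so its validity in the secret manager has to outlast one lease TTL.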