Secrets Vault
Arda’s OAM uses 1Password as the secure vault for all OAM-related secrets. This includes credentials, API keys, certificates, and other sensitive operational material.
Vault Layout
Vaults are organised by scope of use, not by uniqueness of value: each environment that uses a credential gets its own vault entry, even when the value is currently shared across environments. This lets any environment rotate or diverge later with no infrastructure change.
Partition vaults — Arda-{Env}OAM
One vault per partition, holding the runtime credentials read by amm.sh (and equivalent deploy paths) for that environment.
| Vault | Partition |
|---|---|
| Arda-DevOAM | Alpha002 / dev |
| Arda-StageOAM | Alpha002 / stage |
| Arda-DemoOAM | Alpha001 / demo |
| Arda-ProdOAM | Alpha001 / prod |
Deploy pipelines read entries via op://Arda-{Env}OAM/<item>/<field>. New partition-scoped credentials must be populated in all four partition vaults — even if the value is identical today.
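The "populate all four partition vaults" rule is easy to break silently when a value is shared today, because the pipeline for the partition that was skipped only fails at its next deploy. The script below is an added example (not part of the Arda OAM docs or of amm.sh) that builds the same op://Arda-{Env}OAM/<item>/<field> references the pipelines use and checks that a given item and field resolve in every partition vault. It assumes the 1Password CLI (op) is authenticated, for example via OP_SERVICE_ACCOUNT_TOKEN in CI; the item and field names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Arda OAM docs or amm.sh.
# Checks that a partition-scoped item/field exists in all four Arda-{Env}OAM
# vaults. Assumes `op` (1Password CLI v2) is authenticated, e.g. through
# OP_SERVICE_ACCOUNT_TOKEN. Item/field names below are hypothetical.
set -u

# The four partition vaults from the table above (Arda-${env}OAM).
PARTITION_ENVS="Dev Stage Demo Prod"

# Build the op:// reference the deploy pipelines read.
#   op_ref Dev db-password password -> op://Arda-DevOAM/db-password/password
op_ref() {
  printf 'op://Arda-%sOAM/%s/%s\n' "$1" "$2" "$3"
}

# Resolve one reference. OP_BIN lets a test (or a dry run) substitute a stub
# for the real `op` binary; `op read -n/--no-newline` is a real CLI flag.
read_secret() {
  "${OP_BIN:-op}" read --no-newline "$1"
}

# Returns 0 when every partition vault holds item/field, 1 otherwise, and
# names the vaults that are missing it. Secret values are never printed.
check_all_partitions() {
  item=$1
  field=$2
  missing=""
  for env in $PARTITION_ENVS; do
    ref=$(op_ref "$env" "$item" "$field")
    if ! read_secret "$ref" >/dev/null 2>&1; then
      missing="$missing $env"
    fi
  done
  if [ -n "$missing" ]; then
    echo "MISSING: $item/$field not found in partition vault(s):$missing" >&2
    return 1
  fi
  echo "OK: $item/$field present in all partition vaults"
  return 0
}

# Usage (hypothetical item/field):
#   check_all_partitions db-password password
```

Run it as a pre-deploy gate whenever a new partition-scoped credential is introduced; a non-zero exit means at least one Arda-{Env}OAM vault still needs the entry, even if its value will be identical to the others for now.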
Workspace-wide vault — Arda-SystemsOAM
System-level secrets that are not partition-scoped. Examples:
- 1Password service account token used by CI to read partition vaults
- Workspace-wide AWS account credentials and access keys
- Root CA private keys and other cross-environment material
- Third-party service registrations whose credentials are not partition-bound
Do not put partition-scoped runtime credentials in this vault.
Vault Details
| Field | Value |
|---|---|
| Tool | 1Password |
| Access Contact | miguel@arda.cards |
Related
For how secrets travel from these vaults into AWS Secrets Manager at deploy time (the op → amm.sh → CFN NoEcho parameter → SM-secret flow), see Secret Delivery Pattern.
For AWS runtime secrets (database passwords, Cognito client secrets in deployed environments), see AWS Secrets Manager in the respective environment. The convention for those secrets is:
- `<infrastructure>-<partition>-API-WebSecretName`: Cognito Web Client secret name
- `<infrastructure>-<partition>-API-M2MSecretName`: Cognito M2M Client secret name
- `{Environment}/Arda/RootCA`: mTLS Root CA (OAM account)
- `{Environment}/NextJs/MtlsKeys`: mTLS client certificate (OAM account)
For mTLS specifics, see mTLS.
Copyright: © Arda Systems 2025-2026, All rights reserved