AxioRankDocs

Bring your own key (BYOK)

Wrap your broker secrets with your own AWS KMS key so revoking the grant provably locks AxioRank out of your credentials.

The Secrets Broker is the one place AxioRank holds a credential that belongs to you. BYOK puts the encryption key in your AWS account: every broker secret is encrypted under your KMS key before it is stored, and reading it requires a live kms:Decrypt in your account. Revoke the grant and AxioRank can no longer read the credential, by construction: we hold only ciphertext under key material that never leaves your account.

BYOK is an Enterprise feature and is configured by a workspace owner under Broker Secrets → Bring your own key.

How it works

  1. You create a symmetric KMS key in your account and a cross-account IAM role that AxioRank assumes; the role's trust policy requires an external id you choose.
  2. AxioRank assumes that role, calls kms:Encrypt on each new or rotated broker secret, and stores only the returned ciphertext as the broker blob. Because the secret is wrapped directly rather than via a data key, it must fit KMS's 4,096-byte plaintext limit for kms:Encrypt.
  3. At injection time AxioRank assumes the role again, calls kms:Decrypt, and uses the plaintext for the single upstream request, exactly as before.
  4. Each ciphertext is bound to its workspace and secret name with a KMS EncryptionContext. KMS treats the context as additional authenticated data, so a blob presented with any other context fails to decrypt; it can never be decrypted out of context.

Existing secrets created before you enable BYOK stay as they were until you rotate them. New and rotated secrets follow the current setting.

AWS setup

Create a symmetric encryption key (key spec SYMMETRIC_DEFAULT, usage ENCRYPT_DECRYPT), then a role AxioRank can assume. The role's trust policy allows AxioRank's AWS principal only when the request carries your external id. The external id is what stops another AxioRank customer from pointing their configuration at your role ARN and having AxioRank assume it on their behalf (the confused-deputy problem), so choose a random value and hand it only to AxioRank:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<axiorank-account>:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "<your-external-id>" } }
  }]
}

The key policy keeps your own account in control of the key (the first statement; a key policy without it can lock you out of your own key) and grants the broker role exactly the two operations BYOK needs, nothing else:

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<your-account>:root" }, "Action": "kms:*", "Resource": "*" },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<your-account>:role/AxioRankBroker" },
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "*"
    }
  ]
}

Contact us for AxioRank's exact AWS account id to use in the trust policy.
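Before handing AxioRank the role ARN it is worth checking the two documents mechanically rather than by eye. The following audit is an added example, not AxioRank tooling: it encodes the intent of the setup above (AssumeRole only from AxioRank's account and only with your external id; your account root keeps kms:*; the broker role gets nothing beyond kms:Encrypt and kms:Decrypt) and runs it over the documented policies and two weakened variants. Account ids, the external id and the role name are placeholders.

```python
# Added example, not AxioRank tooling: audit the trust policy and key policy
# from the AWS setup above. Account ids, the external id and the role name
# are placeholders; the two weakened policies are constructed for contrast.
YOUR_ACCOUNT = "111111111111"                      # placeholder for <your-account>
AXIORANK_ACCOUNT = "222222222222"                  # placeholder for <axiorank-account>
EXTERNAL_ID = "8f3c-choose-a-long-random-value"    # placeholder for <your-external-id>
BROKER_ROLE_ARN = f"arn:aws:iam::{YOUR_ACCOUNT}:role/AxioRankBroker"
ROOT_ARN = f"arn:aws:iam::{YOUR_ACCOUNT}:root"
BYOK_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def audit_trust_policy(doc):
    """The role may be assumed only from AxioRank's account, only with your external id."""
    findings = []
    for st in _allow_statements(doc):
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS"))
        if any(p == "*" or f"::{AXIORANK_ACCOUNT}:" not in p for p in principals):
            findings.append("trust: AssumeRole allowed to a principal outside AxioRank's account")
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required != EXTERNAL_ID:
            # Without the condition AxioRank could be steered into assuming your
            # role for another tenant (confused deputy).
            findings.append("trust: AssumeRole does not require your external id")
    return findings


def audit_key_policy(doc):
    """Your account root stays in control; the broker role gets exactly Encrypt and Decrypt."""
    findings = []
    root_in_control = False
    for st in _allow_statements(doc):
        actions = set(_as_list(st.get("Action")))
        for p in _as_list(st.get("Principal", {}).get("AWS")):
            if p == ROOT_ARN and "kms:*" in actions:
                root_in_control = True
            elif p == BROKER_ROLE_ARN:
                extra = sorted(actions - BYOK_ACTIONS)
                if extra:
                    findings.append(f"key: broker role granted more than BYOK needs: {extra}")
            elif p == "*" or f"::{YOUR_ACCOUNT}:" not in p:
                findings.append(f"key: unexpected principal {p}")
    if not root_in_control:
        findings.append("key: no statement keeps your account root in control (lockout risk)")
    return findings


def _trust(with_external_id):
    st = {"Effect": "Allow",
          "Principal": {"AWS": f"arn:aws:iam::{AXIORANK_ACCOUNT}:root"},
          "Action": "sts:AssumeRole"}
    if with_external_id:
        st["Condition"] = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
    return {"Version": "2012-10-17", "Statement": [st]}


def _key(role_actions, keep_root):
    stmts = [{"Effect": "Allow", "Principal": {"AWS": BROKER_ROLE_ARN},
              "Action": role_actions, "Resource": "*"}]
    if keep_root:
        stmts.insert(0, {"Effect": "Allow", "Principal": {"AWS": ROOT_ARN},
                         "Action": "kms:*", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": stmts}


def audit_all():
    """Findings for the documented policies beside constructed weakened ones."""
    return {
        "documented": audit_trust_policy(_trust(True))
                      + audit_key_policy(_key(sorted(BYOK_ACTIONS), True)),
        "weakened": audit_trust_policy(_trust(False))
                    + audit_key_policy(_key("kms:*", False)),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or ["ok"])
```

Run it against the JSON you are about to apply with `aws iam create-role` and `aws kms put-key-policy`; the documented pair should produce no findings, while the weakened pair reports the missing external id, the over-broad role grant and the lockout risk. If you later learn the EncryptionContext key names AxioRank uses, a `kms:EncryptionContextKeys` condition on the broker role's statement tightens the grant further.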

Revoking access

Remove the role from the key policy, drop AxioRank's principal from the role's trust policy, or disable the key. AxioRank's next kms:Decrypt fails, so it can no longer inject those secrets, and the plaintext is unrecoverable to us: the broker holds only ciphertext, and the key material never left your account. The broker metadata remains so you can see which secrets are affected and re-provision them. Because every kms:Decrypt is a call in your account, CloudTrail also gives you a per-injection audit record, both before and after revocation.
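The flow in How it works and the revocation described here can be exercised end to end without an AWS account. The following simulation is an added example, not AxioRank code: a local stand-in for a KMS key that keeps a key policy, treats the EncryptionContext as authenticated data, and never releases its key material. The stand-in's cipher is a toy built from HMAC-SHA256 (stdlib only, chosen so the example runs offline); real KMS uses AES-GCM, but the two behaviours shown are the same, namely that a blob fails to decrypt under another workspace's context and that removing the role from the key policy makes the next decrypt fail while the ciphertext stays in place. The context key names `workspace` and `secret`, the role ARN and the exception names are assumptions.

```python
# Added example, not AxioRank code. LocalKmsKey stands in for your KMS key;
# its HMAC-based cipher is a toy so the example runs offline. Context key
# names, the role ARN and the exception names are assumptions.
import hashlib
import hmac
import json
import os
import secrets

BROKER_ROLE = "arn:aws:iam::111111111111:role/AxioRankBroker"   # assumed ARN


class AccessDeniedException(Exception):
    """Raised when the key policy does not allow the caller (mirrors KMS)."""


class InvalidCiphertextException(Exception):
    """Raised when the blob or its encryption context does not verify (mirrors KMS)."""


class LocalKmsKey:
    """A customer-managed key: policy-gated Encrypt/Decrypt, key material never exported."""

    def __init__(self):
        self._key_material = secrets.token_bytes(32)
        self.allowed = {}          # principal ARN -> set of actions (the key policy)
        self.enabled = True

    def grant(self, principal, actions):
        self.allowed[principal] = set(actions)

    def revoke(self, principal):
        self.allowed.pop(principal, None)

    def _authorize(self, principal, action):
        if not self.enabled or action not in self.allowed.get(principal, ()):
            raise AccessDeniedException(f"{principal} is not allowed to {action}")

    @staticmethod
    def _canonical(context):
        # Sorted, compact JSON gives one byte string per logical context.
        return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

    def _keystream(self, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._key_material, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, principal, plaintext, context):
        self._authorize(principal, "kms:Encrypt")
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        # The tag covers the context as well as the ciphertext: this is the binding.
        tag = hmac.new(self._key_material, self._canonical(context) + nonce + body,
                       hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, principal, blob, context):
        self._authorize(principal, "kms:Decrypt")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key_material, self._canonical(context) + nonce + body,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise InvalidCiphertextException("blob does not match this encryption context")
        return bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body))))


class SecretsBroker:
    """The AxioRank side: stores ciphertext only and calls your key for every use."""

    def __init__(self, key):
        self.key = key
        self.blobs = {}

    @staticmethod
    def _context(workspace, name):
        return {"workspace": workspace, "secret": name}   # assumed context keys

    def store(self, workspace, name, plaintext):
        self.blobs[(workspace, name)] = self.key.encrypt(
            BROKER_ROLE, plaintext, self._context(workspace, name))

    def inject(self, workspace, name):
        return self.key.decrypt(BROKER_ROLE, self.blobs[(workspace, name)],
                                self._context(workspace, name))


def demo():
    """Returns (cross-context result, post-revocation result, blob still stored)."""
    key = LocalKmsKey()
    key.grant(BROKER_ROLE, ["kms:Encrypt", "kms:Decrypt"])
    broker = SecretsBroker(key)
    broker.store("ws-1", "upstream-token", b"tok_example_constructed")
    assert broker.inject("ws-1", "upstream-token") == b"tok_example_constructed"

    blob = broker.blobs[("ws-1", "upstream-token")]
    try:   # step 4: the same blob under another workspace's context
        key.decrypt(BROKER_ROLE, blob, {"workspace": "ws-2", "secret": "upstream-token"})
        cross = "decrypted"
    except InvalidCiphertextException:
        cross = "rejected"

    key.revoke(BROKER_ROLE)   # remove the role from the key policy
    try:
        broker.inject("ws-1", "upstream-token")
        after = "still readable"
    except AccessDeniedException:
        after = "locked out"
    return cross, after, ("ws-1", "upstream-token") in broker.blobs


if __name__ == "__main__":
    print(demo())
```

The third value in the result is the point of the last sentence above: the broker still has the blob and its metadata after revocation, but nothing AxioRank holds turns it back into plaintext.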

BYOK protects the broker secrets only. It is not full-database encryption with your key, and we do not claim more for it than that. See Data residency for the storage posture.
