DataRaven’s Bring Your Own Vault (BYOV) architecture ensures your cloud credentials never touch our infrastructure. Connect your existing secrets manager, map fields to vault references, and DataRaven resolves credentials in-memory at transfer time — then immediately discards them.
BYOV is optional. DataRaven also provides built-in secret storage powered by AWS SSM Parameter Store SecureString. You can store credentials securely without connecting an external vault.
Self-hosted vaults are not supported at this time. Only managed/cloud-hosted instances of 1Password, Doppler, and Infisical are supported.

How It Works

1. Connect your vault

Go to Settings → Vault Connections → Add Connection, select your provider, and provide a scoped access token. DataRaven encrypts the token and stores it in AWS SSM Parameter Store — it’s never returned in API responses.

2. Create secrets with field mappings

Create a secret that maps DataRaven field names (like access_key_id) to references in your vault (like op://DevOps/AWS-Prod/access_key_id). Each mapping tells DataRaven where to find the credential at runtime.

3. Reference secrets in locations

When configuring a storage location, select your vault-backed secret instead of entering credentials directly. The location will resolve credentials from your vault every time it’s used.

4. Zero-knowledge resolution

At execution time, DataRaven authenticates to your vault, resolves the mapped credentials into memory, performs the transfer operation, and immediately discards them. Nothing is cached or persisted.

Supported Providers

Authentication

1Password connections use a Service Account Token (starts with ops_).
| Field | Required | Description |
| --- | --- | --- |
| access_token | | Service account token (ops_...) |

Setup

  1. Open 1Password → Settings → Developer → Service Accounts
  2. Click New Service Account
  3. Give it a descriptive name (e.g., “DataRaven Production”)
  4. Grant read access to the vaults containing your cloud credentials
  5. Copy the generated token — it’s only shown once
No additional configuration is needed beyond the token.

Field Mapping Format

1Password uses the op:// URI format to reference individual fields:
op://vault-name/item-name/field-name
Example — S3 credentials:
{
  "field_mappings": [
    {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
    {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}
  ]
}
Use descriptive vault and item names in 1Password so your op:// references are self-documenting.
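
A pre-submission lint for a field_mappings payload, as an added example (not DataRaven's code). It assumes only the three-segment op://vault-name/item-name/field-name form shown above is accepted; the function names and the required-field set are hypothetical. It also lists the vaults the service account needs read access to.

```python
import json

OP_PREFIX = "op://"

def parse_op_reference(ref):
    """Split op://vault-name/item-name/field-name; raise ValueError otherwise."""
    if not isinstance(ref, str) or not ref.startswith(OP_PREFIX):
        raise ValueError("value is not an op:// reference")
    parts = ref[len(OP_PREFIX):].split("/")
    if len(parts) != 3 or any(not p.strip() for p in parts):
        raise ValueError("expected op://vault-name/item-name/field-name")
    return dict(zip(("vault", "item", "field"), parts))

def lint_field_mappings(payload, required_fields=()):
    """Return (problems, vaults). Problems never echo the offending value,
    because a non-reference value may be a pasted credential."""
    problems, seen, vaults = [], set(), set()
    for i, mapping in enumerate(payload.get("field_mappings", [])):
        name = mapping.get("field_name")
        if not name:
            problems.append(f"mapping {i}: missing field_name")
            continue
        if name in seen:
            problems.append(f"{name}: duplicate mapping")
        seen.add(name)
        try:
            vaults.add(parse_op_reference(mapping.get("reference"))["vault"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name in sorted(set(required_fields) - seen):
        problems.append(f"{name}: no mapping")
    return problems, sorted(vaults)

# The S3 example from this page.
GOOD = json.loads("""{"field_mappings": [
  {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
  {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}]}""")

# Constructed bad input: a literal value instead of a reference, and a short path.
BAD = {"field_mappings": [
    {"field_name": "access_key_id", "reference": "PLACEHOLDER-LITERAL-VALUE"},
    {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod"}]}

S3_FIELDS = ("access_key_id", "secret_access_key")  # assumed required set

if __name__ == "__main__":
    for label, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_field_mappings(payload, S3_FIELDS))
```

The returned vault list is the set to grant read access to when creating the service account in the setup steps above.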

Token Management

Once a vault connection is created, you can manage it from the connection detail page.

Test Connection

Click Test Connection to verify that DataRaven can authenticate with your vault. A successful test returns:
  • 1Password: Number of accessible vaults
  • Doppler / Infisical: Number of accessible secrets
Testing also updates the verification status timestamp, so you can track when a connection was last confirmed working.

Rotate Token

Click Rotate Token from the connection detail page. Enter the new token and DataRaven will replace the encrypted token in storage. All secrets using this connection will immediately use the new token — no other changes needed.

Security

Encrypted at rest

Vault tokens are encrypted and stored in AWS SSM Parameter Store SecureString parameters. They are never stored in DataRaven’s database.

Never exposed

Tokens and credentials are never returned in API responses. The API only surfaces a vault reference ID.

In-memory only

Cloud credentials are resolved in-memory at execution time and immediately discarded after the operation completes.

Audit logged

All vault operations — connections, tests, rotations, and secret resolutions — are logged for audit purposes.
Follow the principle of least privilege when creating vault tokens. Grant read-only access to only the specific vaults, projects, or environments that DataRaven needs.

Tier Limits

| Plan | Vault Connections |
| --- | --- |
| Free | 1 |
| Pro | 10 |
Need more? Upgrade your plan from the billing page.