Behavior & Limits

Guarantees, limits, and platform-specific behavior for Alien Vault.

Guarantees

On cloud platforms (AWS, GCP, Azure), Alien provisions and manages the vault backing service. These guarantees apply:

Encryption at Rest. All cloud platforms encrypt secrets with managed keys. AWS uses SSM's KMS encryption, GCP uses Google-managed encryption, and Azure uses Key Vault's built-in encryption.

Encryption in Transit. All communication uses TLS.

Upsert Semantics. set() creates the secret if it doesn't exist, or updates it if it does.

Get Fails on Missing. get() throws an error if the secret does not exist. Use exists() to check first.

Limits

| Limit | Value |
| --- | --- |
| Max secret value size | 25 KB (Azure Key Vault limit; AWS/GCP support 64 KB) |
| Secret name charset | Alphanumeric, -, _ |

Platform Details

AWS (SSM Parameter Store)

  • SecureString parameters. No infrastructure created — Parameter Store is always available.
  • Naming: {stackPrefix}-{vaultName}-{secretName}.
  • Read: 10,000 GetParameter/second. Write: avoid sustained writes more than once per 10 minutes per parameter.
  • Max value: 64 KB.

GCP (Secret Manager)

  • Versioned secrets — each set() creates a new version.
  • Requires API enablement (handled during provisioning).
  • Read: 90,000 access requests/minute/project.
  • Max value: 64 KiB.

Azure (Key Vault)

  • Actual Azure resource provisioned by Alien.
  • Read: 4,000 GET/10 seconds. Write: 300 CREATE/10 seconds. Returns HTTP 429 when exceeded.
  • Max value: 25 KB — smallest of all platforms.

Local

  • Secrets stored as plaintext JSON files on disk. No encryption.
  • File-based with read-modify-write pattern.

Design Decisions

25 KB cross-platform limit. Azure Key Vault sets the floor. Alien documents this as the portable limit.
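
A pre-flight check for the name charset and the per-platform size limits above, as an added example that is not part of the Alien documentation or code base. `checkSecret` and its constants are hypothetical names; it assumes string values measured as UTF-8, ASCII-only alphanumerics, and a conservative reading of 25 KB as 25,000 bytes.

```javascript
// Added example: validate a secret against the documented limits before set().
// checkSecret and the constants below are hypothetical names, not Alien APIs.
const NAME_RE = /^[A-Za-z0-9_-]+$/; // assumption: "alphanumeric" means ASCII

// Assumption: 25 KB is read conservatively as 25,000 bytes; 64 KB as 64 * 1024.
const MAX_BYTES = { azure: 25 * 1000, aws: 64 * 1024, gcp: 64 * 1024 };
const PORTABLE_MAX_BYTES = Math.min(...Object.values(MAX_BYTES));

function checkSecret(name, value) {
  const errors = [];
  if (typeof name !== "string" || !NAME_RE.test(name)) {
    errors.push("name: only A-Z, a-z, 0-9, '-' and '_' are allowed");
  }
  if (typeof value !== "string") {
    // Assumption: secret values are strings, measured as UTF-8.
    errors.push("value: must be a string");
    return { ok: false, portable: false, bytes: 0, rejectedBy: Object.keys(MAX_BYTES), errors };
  }
  // Limits apply to encoded bytes; String.length counts UTF-16 code units
  // and under-reports any value containing non-ASCII characters.
  const bytes = Buffer.byteLength(value, "utf8");
  const rejectedBy = Object.keys(MAX_BYTES).filter((p) => bytes > MAX_BYTES[p]);
  const portable = bytes <= PORTABLE_MAX_BYTES;
  if (!portable) {
    errors.push(`value: ${bytes} bytes exceeds the limit on ${rejectedBy.join(", ")}`);
  }
  return { ok: errors.length === 0, portable, bytes, rejectedBy, errors };
}

// Constructed sample inputs.
const samples = [
  ["db-password_1", "s3cr3t"],
  ["db/password", "s3cr3t"],              // '/' is outside the charset
  ["tls-bundle", "\u00e9".repeat(13000)], // 13,000 chars but 26,000 bytes
  ["big-blob", "a".repeat(70000)],        // too large on every platform
];
for (const [name, value] of samples) {
  const r = checkSecret(name, value);
  console.log(name, r.ok ? "ok" : r.errors.join("; "));
}
```
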

Simple CRUD API. Advanced features (versioning, rotation, audit) vary too much across providers. Use the native SDK via Direct Access for those.