Bucket A: HTTPS API migration
Bucket A handles migrations where your applications call a cloud secret store API (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, AWS SSM) directly over HTTPS. The KnoxCall agent intercepts these calls before they leave the host, rewrites the authentication header, and returns the secret from KnoxCall instead. Your application code does not change.How it works
Supported capture surfaces
Setting up intercept rules
Intercept rules tell the agent which outbound requests to intercept and how to rewrite them.Via admin UI
- Go to Infrastructure → Secret Store Migrations
- Open the migration → click the Intercept Rules tab
- Click Add rule
- Configure:
- Match host: e.g.
secretsmanager.us-east-1.amazonaws.com - Match path prefix: e.g.
/ - Rewrite: select the KnoxCall secret to substitute
- Match host: e.g.
- Save — the agent picks up new rules within 30 seconds
Example rule (AWS SM → KnoxCall)
response_format field tells the agent to return the value in the format the application expects (AWS SM JSON envelope, plain value, Azure KV JSON, etc.).
Zero-plaintext guarantee
- The secret value is never written to disk, logged, or stored in the
migration_intercept_rulestable - The agent holds the value in memory only for the lifespan of a single request
- If the agent process crashes mid-intercept, the application receives a connection error — not a partial or logged secret
Monitoring migration progress
Thesecret_consumers table tracks discovered workloads that are consuming each migrated secret:
Migration status progression
Cutover
When the verification dashboard shows all consumers green and all items have been approved:- In the admin UI, click Commit migration (or call
POST /admin/migrations/:id/commit) - Wait for the
completedstatus - You can now safely revoke cloud store credentials and remove secrets from the source provider
Cancelling a Bucket A migration
You can cancel a migration inpending, discovering, or awaiting_review state:
Bucket B: Database migration
For database credentials
Migration verification
DNS/TLS probes and safe-to-delete confirmation
Migrations API reference
Intercept rules and migration endpoints
Migrations overview
Back to overview