Skip to main content

Secret Store Migrations overview

If your secrets currently live in AWS Secrets Manager, AWS SSM Parameter Store, Azure Key Vault, or GCP Secret Manager, the Secret Store Migration feature lets you move them into KnoxCall — without changing application code and without any secrets ever touching disk during the migration. The goal: KnoxCall becomes the single place your team manages, audits, and rotates credentials, regardless of which cloud provider currently holds them.

How it works

The KnoxCall agent runs alongside your applications. During a migration, the agent acts as an intermediary:
  • Bucket A (HTTPS APIs): the agent intercepts API calls your application makes to the cloud secret store, rewrites the authentication, and forwards the secret from KnoxCall instead. No code change in your app.
  • Bucket B (Databases): the agent binds a local TCP port on 127.0.0.1. Your application connects to 127.0.0.1:{port} instead of the database host directly. The agent handles all authentication to the real database and pipes the connection through.

Migration phases

Every migration moves through this lifecycle:
You can cancel a migration in the pending, discovering, or awaiting_review phase. Once completed, the migration is terminal.

Source stores supported

Quick start

Via admin UI

  1. Go to Infrastructure → Secret Store Migrations
  2. Click New Migration
  3. Choose your source provider and bucket type
  4. Follow the setup wizard

Via API

Provider values: aws_sm, aws_ssm, azure_kv, gcp_sm. Mode values: pull, capture, both. Static credentials (access_key_id, client_secret, etc.) are rejected — use IAM role assumption or WIF. See the Migrations API reference for full field documentation per provider.

Bucket A: HTTPS API migration

Zero-plaintext cutover for HTTP/HTTPS secret store consumers

Bucket B: Database migration

Localhost TCP proxy for database credential migration

Agent database proxy protocols

Technical reference for PostgreSQL, MySQL, MongoDB, Redis wire protocols

Migration verification

DNS/TLS probes, operator confirmation, and safe-to-delete status

Migrations API reference

Full endpoint reference

KnoxCall agent

Install and configure the self-hosted proxy agent