Secret Store Migrations overview
If your secrets currently live in AWS Secrets Manager, AWS SSM Parameter Store, Azure Key Vault, or GCP Secret Manager, the Secret Store Migration feature lets you move them into KnoxCall — without changing application code and without any secrets ever touching disk during the migration. The goal: KnoxCall becomes the single place your team manages, audits, and rotates credentials, regardless of which cloud provider currently holds them.How it works
The KnoxCall agent runs alongside your applications. During a migration, the agent acts as an intermediary:- Bucket A (HTTPS APIs): the agent intercepts API calls your application makes to the cloud secret store, rewrites the authentication, and forwards the secret from KnoxCall instead. No code change in your app.
- Bucket B (Databases): the agent binds a local TCP port on
127.0.0.1. Your application connects to127.0.0.1:{port}instead of the database host directly. The agent handles all authentication to the real database and pipes the connection through.
Migration phases
Every migration moves through this lifecycle:
You can cancel a migration in the
pending, discovering, or awaiting_review phase. Once completed, the migration is terminal.
Source stores supported
Quick start
Via admin UI
- Go to Infrastructure → Secret Store Migrations
- Click New Migration
- Choose your source provider and bucket type
- Follow the setup wizard
Via API
aws_sm, aws_ssm, azure_kv, gcp_sm. Mode values: pull, capture, both. Static credentials (access_key_id, client_secret, etc.) are rejected — use IAM role assumption or WIF. See the Migrations API reference for full field documentation per provider.
Bucket A: HTTPS API migration
Zero-plaintext cutover for HTTP/HTTPS secret store consumers
Bucket B: Database migration
Localhost TCP proxy for database credential migration
Agent database proxy protocols
Technical reference for PostgreSQL, MySQL, MongoDB, Redis wire protocols
Migration verification
DNS/TLS probes, operator confirmation, and safe-to-delete status
Migrations API reference
Full endpoint reference
KnoxCall agent
Install and configure the self-hosted proxy agent