On-Prem Agent Secrets Management

By default, the Moveworks On-Prem Agent stores service account credentials encrypted locally on the server (AES-256 encryption at rest).

The agent can also be configured to fetch credentials at runtime from an external secrets manager. This allows your organization to centralize credential management and rotate secrets without touching the agent config directly.

Supported platforms:

  • AWS Secrets Manager — configure IAM permissions and store secrets under the moveworks_agent/* path
  • Azure Key Vault — configure a managed identity on the agent VM and grant Key Vault Secrets User access
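
For the AWS option, the IAM policy attached to the agent's role should reach only the moveworks_agent/* secrets. The following check is an added example, not Moveworks code: it audits a policy document for statements that go beyond that path. It assumes that secretsmanager:GetSecretValue is the only action the agent needs (the page does not list the actions); the function names, account id and region are constructed for illustration.

```python
# Added example, not Moveworks code. Audits an IAM policy document for the agent role.
ALLOWED_PREFIX = "moveworks_agent/"  # secret-name prefix taken from the page
# Assumption: reading a secret value is the only action needed; the page lists none.
ALLOWED_ACTIONS = {"secretsmanager:getsecretvalue"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _secret_name(arn):
    # Layout: arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
    parts = arn.split(":", 6)
    if len(parts) == 7 and parts[2] == "secretsmanager" and parts[5] == "secret":
        return parts[6]
    return None  # "*" or a non-Secrets-Manager ARN

def audit_policy(policy):
    """Return findings for Allow statements that reach beyond moveworks_agent/*."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        sm = [a for a in actions if a == "*" or a.startswith("secretsmanager:")]
        if not sm:
            continue  # statement does not touch Secrets Manager
        for a in sm:
            if a not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {a} is broader than a read")
        for r in _as_list(stmt.get("Resource", [])):
            name = _secret_name(r)
            if name is None or not name.startswith(ALLOWED_PREFIX):
                findings.append(f"statement {i}: resource {r} is outside {ALLOWED_PREFIX}*")
    return findings

# Constructed sample policies (account id and region are placeholders).
ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
SCOPED = {"Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                         "Resource": ARN + "moveworks_agent/*"}]}
BROAD = {"Statement": [{"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},
                       {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                        "Resource": ARN + "moveworks_agent*"}]}

if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(label, audit_policy(doc) or "ok")
```

The second statement in the broad sample is flagged because moveworks_agent* without the trailing slash also matches unrelated secrets whose names merely begin with that string.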