MeshAgent secrets follow an ownership model: every secret is owned either by a user or by a service account. Secret APIs are scoped to:
  • the authenticated user, for credentials the user owns and manages
  • a service account, for credentials used by services that run as that account
Secrets can carry metadata and annotations for search and credential context. Runtime services should use service-account identity (container.run_as) and service-account permissions rather than project-level secret references.

Runtime Use

Services that need secrets should run as a service account. Secret access is authorized through that service account and, for proxy-only credentials, through per-secret proxy grants. Credentials that must not be retrieved directly can still be used through HTTP/MCP proxy flows, so the service never sees the raw value.
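As an added illustration (not MeshAgent's own API), a small Python model of the access rules described above: direct retrieval is limited to the owning user or service account, proxy-only credentials are never handed out directly, and proxy use extends to service accounts holding a per-secret grant. The type and field names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the access rules described in the text; not MeshAgent's API.
@dataclass(frozen=True)
class Principal:
    kind: str   # "user" or "service_account" (the identity a service runs as)
    id: str

@dataclass
class Secret:
    name: str
    owner: Principal                              # owning user or service account
    proxy_only: bool = False                      # usable only via HTTP/MCP proxy flows
    proxy_grants: set = field(default_factory=set)  # service-account ids granted proxy use
    annotations: dict = field(default_factory=dict)  # metadata used for search

def can_retrieve(secret: Secret, caller: Principal) -> bool:
    """Direct retrieval of the raw value: owner only, and never for proxy-only secrets."""
    if secret.proxy_only:
        return False
    return secret.owner == caller

def can_use(secret: Secret, caller: Principal) -> bool:
    """Use through a proxy flow: the owner, or a service account with a per-secret grant."""
    if secret.owner == caller:
        return True
    return caller.kind == "service_account" and caller.id in secret.proxy_grants

def search(secrets, caller: Principal, **annotations) -> list:
    """Secrets matching every given annotation that the caller may at least use via proxy."""
    return [
        s for s in secrets
        if all(s.annotations.get(k) == v for k, v in annotations.items())
        and can_use(s, caller)
    ]
```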