External Secret Managers Private Preview
You must have the Account Administrator role to manage External Secret Managers. To get access to this feature, contact your Fivetran account team.
Many organizations, particularly in regulated industries such as finance, healthcare, and government, are required to maintain direct control over their cryptographic keys and secrets. This is often mandated by compliance policies, but is also increasingly an enterprise security preference — especially for teams that need to enforce their own rotation schedules, audit trails, and data residency requirements.
The External Secret Managers (ESM) feature lets you store and manage your connection and destination credentials in your own external secret management service rather than in Fivetran. When ESM is enabled for a connection or destination, Fivetran reads the required credentials directly from your external service at sync time. This gives you:
- Direct control over secret rotation, expiry, and deletion
- Data residency compliance for credential encryption keys and secrets
- Simpler internal security audits — your team audits your own systems, not ours
- A more complete Hybrid Deployment security posture, where credentials no longer need to transit the Fivetran control plane
The External Secret Managers feature supports the following deployment models:
The deployment model of an External Secret Manager must match the deployment model of the connection or destination that uses it.
Fivetran supports the following External Secret Management services:
Supported connectors and destinations
Destinations
Connectors
- Workday RaaS
- Workday HCM
- SQL Server
- SQL Server on Azure
- SQL Server on Azure Managed Instance
- SQL Server on Amazon RDS
- SQL Server on Google Cloud SQL
How external secret managers work
- You add your connection and destination credentials to your chosen secret management service, which stores and manages them, including rotation.
- You configure your chosen secret management service to allow Fivetran to access it. See the setup guide for your provider:
- You create an External Secret Manager in Fivetran and link it to your secret management service.
- When setting up a new connection or destination (provided it supports this feature), you select the External Secret Manager you created, and Fivetran reads the required credentials from the external service.