netdata
diff --git a/‎integrations/gen_doc_secrets_page.py‎
Lines changed: 37 additions & 0 deletions b/‎integrations/gen_doc_secrets_page.py‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎integrations/schemas/secretstore.json‎
Lines changed: 1 addition & 1 deletion b/‎integrations/schemas/secretstore.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎integrations/templates/collector_configs.md‎
Lines changed: 1 addition & 1 deletion b/‎integrations/templates/collector_configs.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎integrations/templates/secrets.md‎
Lines changed: 16 additions & 0 deletions b/‎integrations/templates/secrets.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/collectors/SECRETS.md‎
Lines changed: 37 additions & 1 deletion b/‎src/collectors/SECRETS.md‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎src/go/plugin/agent/secrets/secretstore/backends/aws/integrations/aws-sm.md‎
Lines changed: 29 additions & 20 deletions b/‎src/go/plugin/agent/secrets/secretstore/backends/aws/integrations/aws-sm.md‎
Lines changed: 29 additions & 20 deletions
@@ -27,6 +27,7 @@
     ],
     "jump_to": [
         {"label": "Resolver Quick Reference", "anchor": "resolver-quick-reference"},
+        {"label": "Choosing a Resolver", "anchor": "choosing-a-resolver"},
         {"label": "Environment Variables", "anchor": "environment-variables"},
         {"label": "Files", "anchor": "files"},
         {"label": "Commands", "anchor": "commands"},
@@ -61,6 +62,12 @@
             "notes": "Configure the secretstore first, then reference it from collector configs.",
         },
     ],
+    "choosing_a_resolver": [
+        "Use `${env:...}` or `${file:...}` for simple setups where secrets are already available locally on the Netdata host.",
+        "Use `${cmd:...}` when you need dynamic secret retrieval via a trusted local command, such as 1Password CLI or a custom script.",
+        "Use `${store:...}` when your organization manages secrets centrally in a cloud provider or Vault and you want Netdata to pull from that source directly.",
+        "You can use different resolver types across different collectors, different jobs within the same collector, or even within the same configuration value. See [Mixing resolver types](#mixing-resolver-types).",
+    ],
     "sections": {
         "env": {
             "heading": "## Environment Variables",
@@ -87,6 +94,8 @@
                 "The file path must be absolute.",
                 "Netdata trims leading and trailing whitespace from the file contents.",
                 "The file must exist on the Netdata host and be readable by the `netdata` user.",
+                "**Docker Secrets**: Docker mounts secrets as files under `/run/secrets/` inside the container. Use `${file:/run/secrets/<secret-name>}` to read them.",
+                "**Kubernetes Secrets**: If you mount Kubernetes Secrets as volume files in the Netdata pod, reference them with `${file:/path/to/mounted/secret}`.",
             ],
         },
         "cmd": {
@@ -130,6 +139,32 @@
         ],
         "file_intro": "Each secretstore backend has its own file under `/etc/netdata/go.d/ss/`:",
         "file_note": "File-based secretstores are loaded at agent startup. If you edit these files, restart the Netdata Agent to apply the changes.",
+        "file_directory": (
+            "If the `/etc/netdata/go.d/ss/` directory does not exist, create it:\n\n"
+            "```bash\n"
+            "sudo mkdir -p /etc/netdata/go.d/ss\n"
+            "sudo chown netdata:netdata /etc/netdata/go.d/ss\n"
+            "sudo chmod 0750 /etc/netdata/go.d/ss\n"
+            "```\n\n"
+            "Secretstore configuration files may contain sensitive values such as tokens or client secrets. "
+            "Restrict directory and file permissions to the `netdata` user."
+        ),
+        "mixing": (
+            "You can mix different resolver types in the same configuration value or the same config file. "
+            "For example, you might read the username from an environment variable and the password from a secretstore:\n\n"
+            "```yaml\n"
+            "jobs:\n"
+            "  - name: mysql_prod\n"
+            '    dsn: "${env:MYSQL_USER}:${store:vault:vault_prod:secret/data/netdata/mysql#password}@tcp(127.0.0.1:3306)/"\n'
+            "```\n\n"
+            "Different jobs within the same collector config file can also use different resolver types."
+        ),
+        "multiple_stores": (
+            "Each secretstore config file can contain multiple `jobs` entries, each with a unique store name. "
+            "You can use different secretstore backends simultaneously. "
+            "For example, you might configure a Vault store for database credentials and an AWS Secrets Manager store for API keys, "
+            "then reference each one using its `${store:<kind>:<name>:<operand>}` syntax in the relevant collector configs."
+        ),
     },
     "secretstores": {
         "heading": "## Supported Secretstore Backends",
@@ -145,6 +180,7 @@
     "security_notes": [
         "Prefer secret references over plain-text credentials in collector configs.",
         "Prefer platform-native identity modes for production when a backend supports them, such as instance roles, managed identities, or metadata-based credentials.",
+        "Secretstore configuration values (such as tokens and client secrets) also support `${env:...}`, `${file:...}`, and `${cmd:...}` resolvers. Use them to avoid storing backend credentials in plain text. Note that `${store:...}` references are not supported inside secretstore configurations.",
         "Keep local secret material readable only by the `netdata` user, including token files, service account files, and any files used with `${file:...}`.",
         "Use `${cmd:...}` only with trusted local commands and absolute paths.",
     ],
@@ -288,6 +324,7 @@ def build_page_context() -> Dict[str, Any]:
             f'[{jump["label"]}](#{jump["anchor"]})' for jump in SECRETS_PAGE["jump_to"]
         ),
         "quick_reference": SECRETS_PAGE["quick_reference"],
+        "choosing_a_resolver": SECRETS_PAGE["choosing_a_resolver"],
         "sections": [
             SECRETS_PAGE["sections"]["env"],
             SECRETS_PAGE["sections"]["file"],
 
@@ -167,7 +167,7 @@
           "properties": {
             "list": {
               "type": "array",
-              "minLength": 1,
+              "minItems": 1,
               "items": {
                 "$ref": "#/$defs/collector_configs_example"
               }
 
@@ -20,7 +20,7 @@
 
 [[ example.description ]]
 
-```[[ example.language or 'text' ]]
+```[[ example.language or 'yaml' ]]
 [[ example.content ]]
 ```
 [% endfor %]
@@ -17,6 +17,12 @@
 | [[ item.resolver ]] | [[ item.syntax ]] | [[ item.best_for ]] | [[ item.notes ]] |
 [% endfor %]
 
+## Choosing a Resolver
+
+[% for item in page.choosing_a_resolver %]
+- [[ item ]]
+[% endfor %]
+
 [% for section in page.sections %]
 [[ section.heading ]]
 
@@ -75,6 +81,16 @@ Each file contains a `jobs` array. The backend kind is determined by the filenam
 
 :::
 
+[[ page.store.file_directory ]]
+
+### Multiple Secretstores
+
+[[ page.store.multiple_stores ]]
+
+### Mixing Resolver Types
+
+[[ page.store.mixing ]]
+
 [[ page.secretstores.heading ]]
 
 [[ page.secretstores.intro ]]
 
@@ -6,7 +6,7 @@ Netdata lets you reference secret values in collector configs instead of storing
 
 ### Jump To
 
-[Resolver Quick Reference](#resolver-quick-reference) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting)
+[Resolver Quick Reference](#resolver-quick-reference) • [Choosing a Resolver](#choosing-a-resolver) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting)
 
 
 ## Resolver Quick Reference
@@ -18,6 +18,13 @@ Netdata lets you reference secret values in collector configs instead of storing
 | Command | `${cmd:/absolute/path/to/command args}` | Secrets returned by a trusted local command | The command path must be absolute. Netdata uses a 10-second timeout. |
 | Secretstore | `${store:<kind>:<name>:<operand>}` | Secrets stored in remote backends such as Vault, AWS, Azure, or GCP | Configure the secretstore first, then reference it from collector configs. |
 
+## Choosing a Resolver
+
+- Use `${env:...}` or `${file:...}` for simple setups where secrets are already available locally on the Netdata host.
+- Use `${cmd:...}` when you need dynamic secret retrieval via a trusted local command, such as 1Password CLI or a custom script.
+- Use `${store:...}` when your organization manages secrets centrally in a cloud provider or Vault and you want Netdata to pull from that source directly.
+- You can use different resolver types across different collectors, different jobs within the same collector, or even within the same configuration value. See [Mixing resolver types](#mixing-resolver-types).
+
 ## Environment Variables
 
 Use `${env:VARIABLE_NAME}` to read a secret from the Netdata process environment.
@@ -44,6 +51,8 @@ jobs:
 - The file path must be absolute.
 - Netdata trims leading and trailing whitespace from the file contents.
 - The file must exist on the Netdata host and be readable by the `netdata` user.
+- **Docker Secrets**: Docker mounts secrets as files under `/run/secrets/` inside the container. Use `${file:/run/secrets/<secret-name>}` to read them.
+- **Kubernetes Secrets**: If you mount Kubernetes Secrets as volume files in the Netdata pod, reference them with `${file:/path/to/mounted/secret}`.
 
 ## Commands
 
@@ -114,6 +123,32 @@ File-based secretstores are loaded at agent startup. If you edit these files, re
 
 :::
 
+If the `/etc/netdata/go.d/ss/` directory does not exist, create it:
+
+```bash
+sudo mkdir -p /etc/netdata/go.d/ss
+sudo chown netdata:netdata /etc/netdata/go.d/ss
+sudo chmod 0750 /etc/netdata/go.d/ss
+```
+
+Secretstore configuration files may contain sensitive values such as tokens or client secrets. Restrict directory and file permissions to the `netdata` user.
+
+### Multiple Secretstores
+
+Each secretstore config file can contain multiple `jobs` entries, each with a unique store name. You can use different secretstore backends simultaneously. For example, you might configure a Vault store for database credentials and an AWS Secrets Manager store for API keys, then reference each one using its `${store:<kind>:<name>:<operand>}` syntax in the relevant collector configs.
+
+### Mixing Resolver Types
+
+You can mix different resolver types in the same configuration value or the same config file. For example, you might read the username from an environment variable and the password from a secretstore:
+
+```yaml
+jobs:
+  - name: mysql_prod
+    dsn: "${env:MYSQL_USER}:${store:vault:vault_prod:secret/data/netdata/mysql#password}@tcp(127.0.0.1:3306)/"
+```
+
+Different jobs within the same collector config file can also use different resolver types.
+
 ## Supported Secretstore Backends
 
 Use the backend README for provider-specific authentication, operand rules, configuration examples, and troubleshooting.
@@ -137,6 +172,7 @@ Use the backend README for provider-specific authentication, operand rules, conf
 
 - Prefer secret references over plain-text credentials in collector configs.
 - Prefer platform-native identity modes for production when a backend supports them, such as instance roles, managed identities, or metadata-based credentials.
+- Secretstore configuration values (such as tokens and client secrets) also support `${env:...}`, `${file:...}`, and `${cmd:...}` resolvers. Use them to avoid storing backend credentials in plain text. Note that `${store:...}` references are not supported inside secretstore configurations.
 - Keep local secret material readable only by the `netdata` user, including token files, service account files, and any files used with `${file:...}`.
 - Use `${cmd:...}` only with trusted local commands and absolute paths.
 
 
@@ -20,9 +20,9 @@ Kind: aws-sm
 
 ## Overview
 
-Use AWS Secrets Manager as a secretstore backend when you want Netdata collectors to read secrets from AWS at runtime instead of storing them in plain text in collector configuration files.
+Netdata can pull collector credentials directly from AWS Secrets Manager at runtime, so you never store passwords or tokens in plain-text configuration files.
 
-This page covers AWS Secrets Manager specific setup. For the shared resolver workflow and syntax, see [Secrets Management](https://github.com/netdata/netdata/blob/master/src/collectors/SECRETS.md).
+This page covers AWS Secrets Manager specific setup. For the full resolver overview and syntax reference, including simpler alternatives like `${env:...}`, `${file:...}`, and `${cmd:...}`, see [Secrets Management](https://github.com/netdata/netdata/blob/master/src/collectors/SECRETS.md).
 
 
 ### Limitations
@@ -54,7 +54,7 @@ For production on AWS, prefer `ecs` or `imds` over `env` so credentials are supp
 
 #### Allow access to Secrets Manager
 
-The AWS identity used by this secretstore must be allowed to read the secrets you reference in collector configs in the configured `region`.
+The AWS identity used by this secretstore must have the `secretsmanager:GetSecretValue` permission on the secrets you reference in collector configs. Scope the IAM policy to only the secret ARNs Netdata needs.
 
 
 #### Plan for file-based changes
@@ -75,7 +75,7 @@ The following options can be defined for this secretstore backend.
 | Option | Description | Default | Required |
 |:-----|:------------|:--------|:---------:|
 | [auth_mode](#option-auth-mode) | How Netdata obtains AWS credentials. | env | yes |
-| region | AWS region used for Secrets Manager requests. |  | yes |
+| region | AWS region used for Secrets Manager requests. There is no automatic region detection — you must always set this explicitly. |  | yes |
 
 <a id="option-auth-mode"></a>
 ##### auth_mode
@@ -148,13 +148,13 @@ jobs:
 
 ## Use in collector configs
 
-Reference AWS Secrets Manager secrets from collector configs with the `aws-sm` secretstore kind.
+Use the `${store:aws-sm:...}` syntax to reference AWS Secrets Manager secrets in any string field of a collector configuration file.
 
 
 The operand is `secret-name` or `secret-name#key`.
 
-- Use `secret-name` to return the whole `SecretString`.
-- Use `secret-name#key` to read one top-level field from a JSON `SecretString`.
+- Use `secret-name` to return the whole `SecretString`, for example: `${store:aws-sm:aws_prod:netdata/mysql/password}`.
+- Use `secret-name#key` to read one top-level field from a JSON `SecretString`, for example: `${store:aws-sm:aws_prod:netdata/mysql#password}`.
 - If you use `#key`, Netdata parses the secret value as JSON. Secret resolution fails if the value is not valid JSON or if the key does not exist.
 - Nested paths such as `parent.child` are not interpreted as nested JSON lookups.
 
@@ -168,28 +168,37 @@ ${store:aws-sm:<store-name>:<secret-name[#key]>}
 - `<secret-name[#key]>`: The AWS Secrets Manager secret name, optionally followed by `#key` to read one field from a JSON `SecretString`.
 
 ### Examples
-#### Whole secret value
+#### MySQL collector with password from AWS Secrets Manager
 
-Return the full `SecretString` stored under the `netdata/mysql/password` secret.
+This example configures a MySQL collector job in `/etc/netdata/go.d/mysql.conf`.
+The password in the DSN connection string is not stored in plain text. Instead,
+`${store:aws-sm:aws_prod:netdata/mysql#password}` tells Netdata to fetch the secret
+named `netdata/mysql` from the `aws_prod` store, extract the `password` field from
+its JSON value, and substitute it into the DSN at runtime.
 
-```text
-${store:aws-sm:aws_prod:netdata/mysql/password}
-```
-#### JSON field from SecretString
 
-Read the `password` field from a JSON `SecretString`.
+```yaml
+# /etc/netdata/go.d/mysql.conf
+jobs:
+  - name: mysql_prod
+    dsn: "netdata:${store:aws-sm:aws_prod:netdata/mysql#password}@tcp(127.0.0.1:3306)/"
 
-```text
-${store:aws-sm:aws_prod:netdata/mysql#password}
 ```
-#### Collector config example
+#### Elasticsearch collector with HTTP basic auth
+
+This example configures an Elasticsearch collector job in `/etc/netdata/go.d/elasticsearch.conf`.
+The `password` field uses a secret reference instead of a plain-text password. Netdata fetches
+the secret named `netdata/elasticsearch/password` from the `aws_prod` store and substitutes
+its full value into the `password` field at runtime.
 
-Use an AWS-stored password in a collector DSN.
 
 ```yaml
+# /etc/netdata/go.d/elasticsearch.conf
 jobs:
-  - name: mysql_prod
-    dsn: "netdata:${store:aws-sm:aws_prod:netdata/mysql#password}@tcp(127.0.0.1:3306)/"
+  - name: es_prod
+    url: https://elasticsearch.example.com:9200
+    username: netdata
+    password: "${store:aws-sm:aws_prod:netdata/elasticsearch/password}"
 
 ```
Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@`
`167`	`167`	`"properties": {`
`168`	`168`	`"list": {`
`169`	`169`	`"type": "array",`
`170`		`- "minLength": 1,`
	`170`	`+ "minItems": 1,`
`171`	`171`	`"items": {`
`172`	`172`	`"$ref": "#/$defs/collector_configs_example"`
`173`	`173`	`}`