
Introduction

Arcan is an open-source secrets management platform. It stores static secrets (key-value), generates dynamic credentials on demand via plugins, and provides policy-based access control with full audit trails.

The core ships as a single Go binary. All dynamic credential engines are installable plugins.

Key Features

  • 24 dynamic credential engines -- PostgreSQL, MySQL, MongoDB, Redis, AWS IAM, Azure, GCP, Kubernetes, RabbitMQ, SSH CA, PKI, and more via the plugin registry
  • SSO (OIDC/SAML/LDAP) -- built-in, free. Google, Okta, Azure AD, Active Directory, Keycloak, and more
  • 10 SIEM integrations -- Splunk, Sentinel, Elastic, CrowdStrike, Datadog, Chronicle, Cortex, Syslog, Webhook, File
  • Kubernetes ESO -- webhook provider for External Secrets Operator, plus sidecar injection
  • Docker Compose + Swarm -- .env file generation and native Swarm secret sync
  • VS Code extension -- browse, peek, and manage secrets from your editor
  • GitHub Actions -- inject secrets into CI/CD workflows
  • Ansible collection -- lookup plugin and modules for playbooks
  • SDKs (Go, Python, Node.js) -- zero-dependency client libraries
  • MCP server -- Model Context Protocol for AI assistant integration (Claude Desktop, Cursor, Windsurf)
  • Single binary, Apache 2.0 -- no containers required, open source
  • 3 minutes to first secret -- install, start, store

Quick Start

# Install
curl -fsSL https://getarcan.dev/install.sh | sh

# Start the server
arcan server

# Store a secret
arcan kv set DATABASE_URL "postgres://user:pass@db:5432/myapp"

# Retrieve it
arcan kv get DATABASE_URL

See the Installation guide for all install methods and the Quick Start for a full walkthrough.

How It Works

Arcan separates static secrets (key-value store) from dynamic credentials (plugin engines). The core handles encryption, authentication, authorization, and audit logging. Plugins handle credential generation and revocation for specific backends.

             ARCAN CORE
┌──────────────────────────────────┐
│ KV Engine  │ Auth    │ Policy    │
│ Audit      │ Crypto  │ Plugins   │
│ Store (SQLite/PG)    │ TLS       │
└──────────────┬───────────────────┘
               │ Plugin Registry
┌──────────────┴──────────────┐
│ postgres, mysql, aws-iam    │
│ azure, gcp, ssh, pki ...    │
└─────────────────────────────┘

License

Apache 2.0. See the GitHub repository for full license text.