From c8a52484cae63746247f9b3e17e3495cdb71ee18 Mon Sep 17 00:00:00 2001
From: Onur
Date: Tue, 9 Jun 2026 09:48:43 +0200
Subject: [PATCH] telemetry-export: explain why infrastructure access is required
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a short, plain-language explanation to the authentication section of why the vault needs an infrastructure access grant: the collector reads the secret once to set up the export, the access is granted to the platform's identity (not to people or host logins), and it stays read-only within the tenant's own cloud account — so the secret is not exposed to others, including Vespa operators.
---
 en/operations/telemetry-export.html | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/en/operations/telemetry-export.html b/en/operations/telemetry-export.html
index b738b41bea..ce354222b9 100644
--- a/en/operations/telemetry-export.html
+++ b/en/operations/telemetry-export.html
@@ -54,7 +54,11 @@

How it works

Vespa secret store vault and are referenced from services.xml by name only — never embedded in the application package. They are resolved securely and used solely to authenticate the collector to your backend. To enable this, grant - infrastructure access to the vault once for your Enclave cloud account. + infrastructure access to the vault once for your Enclave cloud account: the collector reads your + secret once to set up the export, so the Vespa infrastructure needs read access to it. This access is given + to the platform's identity, not to people — having access to a host does not let anyone read your + secret. It stays within your own cloud account, is read-only, and is used only to set up the collector, so + your secret is never exposed to others, including Vespa operators.
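Review bot: the added text makes three guarantees that the rest of the section does not back up, and each should be tightened before this ships. First, "the collector reads your secret once to set up the export" and "is used only to set up the collector" need to say what happens on secret rotation or redeploy; if the vault value is re-read whenever the export is (re)configured, write "each time the export is set up or reconfigured" rather than "once", otherwise readers will conclude that rotating the secret requires revoking and re-granting the infrastructure access. Second, "having access to a host does not let anyone read your secret" is stronger than the grant model supports: binding the vault grant to the platform identity rather than to host logins is the real control, but the collector process still has to hold the credential it uses to authenticate to the backend, so phrase it as "the grant is bound to the platform's identity, not to host logins or individual users" and drop the host claim. Third, "your secret is never exposed to others, including Vespa operators" is an absolute; state the controls instead (read-only, scoped to the vault, within your own cloud account) and, if the tenant's cloud account records reads of the vault, tell the reader where to audit them so the statement is verifiable rather than promised.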