WIP: Add private Secret Manager Plugins support to plugin platform (#49544)

* Add protobuf config and generated code, and client wrapper * wire up loading of secretsmanager plugin, using renderer plugin as a model * update kvstore provider to check if we should use the grpc plugin. return false always in OSS * add OSS remote plugin check * refactor wire gen file * log which secrets manager is being used * Fix argument types for remote checker * Turns out if err != nil, then the result is always nil. Return empty values if there is an error. * remove duplicate import * Update pkg/services/secrets/kvstore/kvstore.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update pkg/services/secrets/kvstore/kvstore.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * refactor RemotePluginCheck interface to just return the Plugin client directly * rename struct to something less silly * Update pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2022-06-09 13:19:27 -04:00 · 2022-06-09 13:19:27 -04:00 · f376c33903
commit f376c33903
parent ef401f5d62
17 changed files with 1460 additions and 23 deletions
--- a/pkg/plugins/backendplugin/grpcplugin/client.go
+++ b/pkg/plugins/backendplugin/grpcplugin/client.go
@ -7,6 +7,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 	goplugin "github.com/hashicorp/go-plugin"
 )
@ -41,23 +42,28 @@ func newClientConfig(executablePath string, env []string, logger log.Logger,
 // StartRendererFunc callback function called when a renderer plugin is started.
 type StartRendererFunc func(pluginID string, renderer pluginextensionv2.RendererPlugin, logger log.Logger) error
 // StartSecretsManagerFunc callback function called when a secrets manager plugin is started.
 type StartSecretsManagerFunc func(pluginID string, secretsmanager secretsmanagerplugin.SecretsManagerPlugin, logger log.Logger) error
 // PluginDescriptor is a descriptor used for registering backend plugins.
 type PluginDescriptor struct {
-	pluginID         string
+	pluginID              string
-	executablePath   string
+	executablePath        string
-	managed          bool
+	managed               bool
-	versionedPlugins map[int]goplugin.PluginSet
+	versionedPlugins      map[int]goplugin.PluginSet
-	startRendererFn  StartRendererFunc
+	startRendererFn       StartRendererFunc
 	startSecretsManagerFn StartSecretsManagerFunc
 }
 // getV2PluginSet returns list of plugins supported on v2.
 func getV2PluginSet() goplugin.PluginSet {
 	return goplugin.PluginSet{
-		"diagnostics": &grpcplugin.DiagnosticsGRPCPlugin{},
+		"diagnostics":    &grpcplugin.DiagnosticsGRPCPlugin{},
-		"resource":    &grpcplugin.ResourceGRPCPlugin{},
+		"resource":       &grpcplugin.ResourceGRPCPlugin{},
-		"data":        &grpcplugin.DataGRPCPlugin{},
+		"data":           &grpcplugin.DataGRPCPlugin{},
-		"stream":      &grpcplugin.StreamGRPCPlugin{},
+		"stream":         &grpcplugin.StreamGRPCPlugin{},
-		"renderer":    &pluginextensionv2.RendererGRPCPlugin{},
+		"renderer":       &pluginextensionv2.RendererGRPCPlugin{},
 		"secretsmanager": &secretsmanagerplugin.SecretsManagerGRPCPlugin{},
 	}
 }
@ -85,3 +91,16 @@ func NewRendererPlugin(pluginID, executablePath string, startFn StartRendererFun
 		startRendererFn: startFn,
 	})
 }
 // NewSecetsManagerPlugin creates a new secrets manager plugin factory used for registering a backend secrets manager plugin.
 func NewSecretsManagerPlugin(pluginID, executablePath string, startFn StartSecretsManagerFunc) backendplugin.PluginFactoryFunc {
 	return newPlugin(PluginDescriptor{
 		pluginID:       pluginID,
 		executablePath: executablePath,
 		managed:        false,
 		versionedPlugins: map[int]goplugin.PluginSet{
 			grpcplugin.ProtocolVersion: getV2PluginSet(),
 		},
 		startSecretsManagerFn: startFn,
 	})
 }
--- a/pkg/plugins/backendplugin/grpcplugin/client_v2.go
+++ b/pkg/plugins/backendplugin/grpcplugin/client_v2.go
@ -12,6 +12,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 	"github.com/hashicorp/go-plugin"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@ -23,6 +24,7 @@ type ClientV2 struct {
 	grpcplugin.DataClient
 	grpcplugin.StreamClient
 	pluginextensionv2.RendererPlugin
 	secretsmanagerplugin.SecretsManagerPlugin
 }
 func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugin.ClientProtocol) (pluginClient, error) {
@ -51,6 +53,11 @@ func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugi
 		return nil, err
 	}
 	rawSecretsManager, err := rpcClient.Dispense("secretsmanager")
 	if err != nil {
 		return nil, err
 	}
 	c := ClientV2{}
 	if rawDiagnostics != nil {
 		if diagnosticsClient, ok := rawDiagnostics.(grpcplugin.DiagnosticsClient); ok {
@ -82,12 +89,24 @@ func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugi
 		}
 	}
 	if rawSecretsManager != nil {
 		if secretsManagerPlugin, ok := rawSecretsManager.(secretsmanagerplugin.SecretsManagerPlugin); ok {
 			c.SecretsManagerPlugin = secretsManagerPlugin
 		}
 	}
 	if descriptor.startRendererFn != nil {
 		if err := descriptor.startRendererFn(descriptor.pluginID, c.RendererPlugin, logger); err != nil {
 			return nil, err
 		}
 	}
 	if descriptor.startSecretsManagerFn != nil {
 		if err := descriptor.startSecretsManagerFn(descriptor.pluginID, c.SecretsManagerPlugin, logger); err != nil {
 			return nil, err
 		}
 	}
 	return &c, nil
 }
--- a/pkg/plugins/backendplugin/provider/provider.go
+++ b/pkg/plugins/backendplugin/provider/provider.go
@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/grpcplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 )
 // PluginBackendProvider is a function type for initializing a Plugin backend.
@ -24,7 +25,7 @@ type Service struct {
 func New(providers ...PluginBackendProvider) *Service {
 	if len(providers) == 0 {
-		return New(RendererProvider, DefaultProvider)
+		return New(RendererProvider, SecretsManagerProvider, DefaultProvider)
 	}
 	return &Service{
 		providerChain: providers,
@ -32,7 +33,7 @@ func New(providers ...PluginBackendProvider) *Service {
 }
 func ProvideService(coreRegistry *coreplugin.Registry) *Service {
-	return New(coreRegistry.BackendFactoryProvider(), RendererProvider, DefaultProvider)
+	return New(coreRegistry.BackendFactoryProvider(), RendererProvider, SecretsManagerProvider, DefaultProvider)
 }
 func (s *Service) BackendFactory(ctx context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
@ -56,6 +57,18 @@ var RendererProvider PluginBackendProvider = func(_ context.Context, p *plugins.
 	)
 }
 var SecretsManagerProvider PluginBackendProvider = func(_ context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
 	if !p.IsSecretsManager() {
 		return nil
 	}
 	return grpcplugin.NewSecretsManagerPlugin(p.ID, filepath.Join(p.PluginDir, secretsManagerStartCmd()),
 		func(pluginID string, secretsmanager secretsmanagerplugin.SecretsManagerPlugin, logger log.Logger) error {
 			p.SecretsManager = secretsmanager
 			return nil
 		},
 	)
 }
 var DefaultProvider PluginBackendProvider = func(_ context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
 	// TODO check for executable
 	return grpcplugin.NewBackendPlugin(p.ID, filepath.Join(p.PluginDir, pluginStartCmd(p.Executable)))
@ -84,3 +97,15 @@ func rendererStartCmd() string {
 	return fmt.Sprintf("%s_%s_%s%s", "plugin_start", os, strings.ToLower(arch), extension)
 }
 func secretsManagerStartCmd() string {
 	os := strings.ToLower(runtime.GOOS)
 	arch := runtime.GOARCH
 	extension := ""
 	if os == "windows" {
 		extension = ".exe"
 	}
 	return fmt.Sprintf("%s_%s_%s%s", "secrets_plugin_start", os, strings.ToLower(arch), extension)
 }
--- a/pkg/plugins/backendplugin/secretsmanagerplugin/generate.sh
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/generate.sh
@ -0,0 +1,3 @@
 protoc --go_out=. --go_opt=paths=source_relative \
    --go-grpc_out=. --go-grpc_opt=paths=source_relative \
    secretsmanager.proto   
--- a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.pb.go
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.pb.go
@ -0,0 +1,786 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.28.0
 // 	protoc        v3.19.4
 // source: secretsmanager.proto
 package secretsmanagerplugin
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
 )
 const (
 	// Verify that this generated code is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
 	// Verify that runtime/protoimpl is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 type SecretsGetRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	KeyDescriptor *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
 }
 func (x *SecretsGetRequest) Reset() {
 	*x = SecretsGetRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsGetRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsGetRequest) ProtoMessage() {}
 func (x *SecretsGetRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsGetRequest.ProtoReflect.Descriptor instead.
 func (*SecretsGetRequest) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{0}
 }
 func (x *SecretsGetRequest) GetKeyDescriptor() *Key {
 	if x != nil {
 		return x.KeyDescriptor
 	}
 	return nil
 }
 type SecretsSetRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	KeyDescriptor *Key   `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
 	Value         string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
 }
 func (x *SecretsSetRequest) Reset() {
 	*x = SecretsSetRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsSetRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsSetRequest) ProtoMessage() {}
 func (x *SecretsSetRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsSetRequest.ProtoReflect.Descriptor instead.
 func (*SecretsSetRequest) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{1}
 }
 func (x *SecretsSetRequest) GetKeyDescriptor() *Key {
 	if x != nil {
 		return x.KeyDescriptor
 	}
 	return nil
 }
 func (x *SecretsSetRequest) GetValue() string {
 	if x != nil {
 		return x.Value
 	}
 	return ""
 }
 type SecretsDelRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	KeyDescriptor *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
 }
 func (x *SecretsDelRequest) Reset() {
 	*x = SecretsDelRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsDelRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsDelRequest) ProtoMessage() {}
 func (x *SecretsDelRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsDelRequest.ProtoReflect.Descriptor instead.
 func (*SecretsDelRequest) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{2}
 }
 func (x *SecretsDelRequest) GetKeyDescriptor() *Key {
 	if x != nil {
 		return x.KeyDescriptor
 	}
 	return nil
 }
 type SecretsKeysRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	KeyDescriptor    *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
 	AllOrganizations bool `protobuf:"varint,2,opt,name=allOrganizations,proto3" json:"allOrganizations,omitempty"`
 }
 func (x *SecretsKeysRequest) Reset() {
 	*x = SecretsKeysRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsKeysRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsKeysRequest) ProtoMessage() {}
 func (x *SecretsKeysRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsKeysRequest.ProtoReflect.Descriptor instead.
 func (*SecretsKeysRequest) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{3}
 }
 func (x *SecretsKeysRequest) GetKeyDescriptor() *Key {
 	if x != nil {
 		return x.KeyDescriptor
 	}
 	return nil
 }
 func (x *SecretsKeysRequest) GetAllOrganizations() bool {
 	if x != nil {
 		return x.AllOrganizations
 	}
 	return false
 }
 type SecretsRenameRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	KeyDescriptor *Key   `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
 	NewNamespace  string `protobuf:"bytes,4,opt,name=newNamespace,proto3" json:"newNamespace,omitempty"`
 }
 func (x *SecretsRenameRequest) Reset() {
 	*x = SecretsRenameRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[4]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsRenameRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsRenameRequest) ProtoMessage() {}
 func (x *SecretsRenameRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[4]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsRenameRequest.ProtoReflect.Descriptor instead.
 func (*SecretsRenameRequest) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{4}
 }
 func (x *SecretsRenameRequest) GetKeyDescriptor() *Key {
 	if x != nil {
 		return x.KeyDescriptor
 	}
 	return nil
 }
 func (x *SecretsRenameRequest) GetNewNamespace() string {
 	if x != nil {
 		return x.NewNamespace
 	}
 	return ""
 }
 type Key struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	OrgId     int64  `protobuf:"varint,1,opt,name=orgId,proto3" json:"orgId,omitempty"`
 	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
 	Type      string `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
 }
 func (x *Key) Reset() {
 	*x = Key{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *Key) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*Key) ProtoMessage() {}
 func (x *Key) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use Key.ProtoReflect.Descriptor instead.
 func (*Key) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{5}
 }
 func (x *Key) GetOrgId() int64 {
 	if x != nil {
 		return x.OrgId
 	}
 	return 0
 }
 func (x *Key) GetNamespace() string {
 	if x != nil {
 		return x.Namespace
 	}
 	return ""
 }
 func (x *Key) GetType() string {
 	if x != nil {
 		return x.Type
 	}
 	return ""
 }
 type SecretsErrorResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
 }
 func (x *SecretsErrorResponse) Reset() {
 	*x = SecretsErrorResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[6]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsErrorResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsErrorResponse) ProtoMessage() {}
 func (x *SecretsErrorResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[6]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsErrorResponse.ProtoReflect.Descriptor instead.
 func (*SecretsErrorResponse) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{6}
 }
 func (x *SecretsErrorResponse) GetError() string {
 	if x != nil {
 		return x.Error
 	}
 	return ""
 }
 type SecretsGetResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Error          string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
 	DecryptedValue string `protobuf:"bytes,2,opt,name=decryptedValue,proto3" json:"decryptedValue,omitempty"`
 	Exists         bool   `protobuf:"varint,3,opt,name=exists,proto3" json:"exists,omitempty"`
 }
 func (x *SecretsGetResponse) Reset() {
 	*x = SecretsGetResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsGetResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsGetResponse) ProtoMessage() {}
 func (x *SecretsGetResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsGetResponse.ProtoReflect.Descriptor instead.
 func (*SecretsGetResponse) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{7}
 }
 func (x *SecretsGetResponse) GetError() string {
 	if x != nil {
 		return x.Error
 	}
 	return ""
 }
 func (x *SecretsGetResponse) GetDecryptedValue() string {
 	if x != nil {
 		return x.DecryptedValue
 	}
 	return ""
 }
 func (x *SecretsGetResponse) GetExists() bool {
 	if x != nil {
 		return x.Exists
 	}
 	return false
 }
 type SecretsKeysResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
 	Keys  []*Key `protobuf:"bytes,2,rep,name=keys,proto3" json:"keys,omitempty"`
 }
 func (x *SecretsKeysResponse) Reset() {
 	*x = SecretsKeysResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_secretsmanager_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SecretsKeysResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SecretsKeysResponse) ProtoMessage() {}
 func (x *SecretsKeysResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_secretsmanager_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SecretsKeysResponse.ProtoReflect.Descriptor instead.
 func (*SecretsKeysResponse) Descriptor() ([]byte, []int) {
 	return file_secretsmanager_proto_rawDescGZIP(), []int{8}
 }
 func (x *SecretsKeysResponse) GetError() string {
 	if x != nil {
 		return x.Error
 	}
 	return ""
 }
 func (x *SecretsKeysResponse) GetKeys() []*Key {
 	if x != nil {
 		return x.Keys
 	}
 	return nil
 }
 var File_secretsmanager_proto protoreflect.FileDescriptor
 var file_secretsmanager_proto_rawDesc = []byte{
 	0x0a, 0x14, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d,
 	0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x22, 0x54, 0x0a, 0x11,
 	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
 	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
 	0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
 	0x6f, 0x72, 0x22, 0x6a, 0x0a, 0x11, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x65, 0x74,
 	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65,
 	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
 	0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70,
 	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65,
 	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
 	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x54,
 	0x0a, 0x11, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x44, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69,
 	0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63,
 	0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69,
 	0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69,
 	0x70, 0x74, 0x6f, 0x72, 0x22, 0x81, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
 	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b,
 	0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61,
 	0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b,
 	0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x12, 0x2a, 0x0a, 0x10,
 	0x61, 0x6c, 0x6c, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
 	0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x4f, 0x72, 0x67, 0x61, 0x6e,
 	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x7b, 0x0a, 0x14, 0x53, 0x65, 0x63, 0x72,
 	0x65, 0x74, 0x73, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
 	0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
 	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74,
 	0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b,
 	0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
 	0x72, 0x12, 0x22, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
 	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65,
 	0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x4d, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
 	0x6f, 0x72, 0x67, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x6f, 0x72, 0x67,
 	0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18,
 	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
 	0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
 	0x74, 0x79, 0x70, 0x65, 0x22, 0x2c, 0x0a, 0x14, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45,
 	0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05,
 	0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72,
 	0x6f, 0x72, 0x22, 0x6a, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74,
 	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f,
 	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x26,
 	0x0a, 0x0e, 0x64, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x56, 0x61, 0x6c, 0x75, 0x65,
 	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x64, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
 	0x64, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73,
 	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x5a,
 	0x0a, 0x13, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73,
 	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x2d, 0x0a, 0x04, 0x6b,
 	0x65, 0x79, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72,
 	0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
 	0x2e, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x32, 0xe7, 0x03, 0x0a, 0x14, 0x52,
 	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4d, 0x61, 0x6e, 0x61,
 	0x67, 0x65, 0x72, 0x12, 0x58, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x27, 0x2e, 0x73, 0x65, 0x63,
 	0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69,
 	0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e,
 	0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65,
 	0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a,
 	0x03, 0x53, 0x65, 0x74, 0x12, 0x27, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61,
 	0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72,
 	0x65, 0x74, 0x73, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e,
 	0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c,
 	0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f,
 	0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x03, 0x44, 0x65, 0x6c,
 	0x12, 0x27, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
 	0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x44,
 	0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x73, 0x65, 0x63, 0x72,
 	0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
 	0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73,
 	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5b, 0x0a, 0x04, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x28, 0x2e,
 	0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c,
 	0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73,
 	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74,
 	0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53,
 	0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
 	0x73, 0x65, 0x12, 0x60, 0x0a, 0x06, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2a, 0x2e, 0x73,
 	0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75,
 	0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x6e, 0x61, 0x6d,
 	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
 	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70,
 	0x6f, 0x6e, 0x73, 0x65, 0x42, 0x19, 0x5a, 0x17, 0x2e, 0x2f, 0x3b, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
 	file_secretsmanager_proto_rawDescOnce sync.Once
 	file_secretsmanager_proto_rawDescData = file_secretsmanager_proto_rawDesc
 )
 func file_secretsmanager_proto_rawDescGZIP() []byte {
 	file_secretsmanager_proto_rawDescOnce.Do(func() {
 		file_secretsmanager_proto_rawDescData = protoimpl.X.CompressGZIP(file_secretsmanager_proto_rawDescData)
 	})
 	return file_secretsmanager_proto_rawDescData
 }
 var file_secretsmanager_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_secretsmanager_proto_goTypes = []interface{}{
 	(*SecretsGetRequest)(nil),    // 0: secretsmanagerplugin.SecretsGetRequest
 	(*SecretsSetRequest)(nil),    // 1: secretsmanagerplugin.SecretsSetRequest
 	(*SecretsDelRequest)(nil),    // 2: secretsmanagerplugin.SecretsDelRequest
 	(*SecretsKeysRequest)(nil),   // 3: secretsmanagerplugin.SecretsKeysRequest
 	(*SecretsRenameRequest)(nil), // 4: secretsmanagerplugin.SecretsRenameRequest
 	(*Key)(nil),                  // 5: secretsmanagerplugin.Key
 	(*SecretsErrorResponse)(nil), // 6: secretsmanagerplugin.SecretsErrorResponse
 	(*SecretsGetResponse)(nil),   // 7: secretsmanagerplugin.SecretsGetResponse
 	(*SecretsKeysResponse)(nil),  // 8: secretsmanagerplugin.SecretsKeysResponse
 }
 var file_secretsmanager_proto_depIdxs = []int32{
 	5,  // 0: secretsmanagerplugin.SecretsGetRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
 	5,  // 1: secretsmanagerplugin.SecretsSetRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
 	5,  // 2: secretsmanagerplugin.SecretsDelRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
 	5,  // 3: secretsmanagerplugin.SecretsKeysRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
 	5,  // 4: secretsmanagerplugin.SecretsRenameRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
 	5,  // 5: secretsmanagerplugin.SecretsKeysResponse.keys:type_name -> secretsmanagerplugin.Key
 	0,  // 6: secretsmanagerplugin.RemoteSecretsManager.Get:input_type -> secretsmanagerplugin.SecretsGetRequest
 	1,  // 7: secretsmanagerplugin.RemoteSecretsManager.Set:input_type -> secretsmanagerplugin.SecretsSetRequest
 	2,  // 8: secretsmanagerplugin.RemoteSecretsManager.Del:input_type -> secretsmanagerplugin.SecretsDelRequest
 	3,  // 9: secretsmanagerplugin.RemoteSecretsManager.Keys:input_type -> secretsmanagerplugin.SecretsKeysRequest
 	4,  // 10: secretsmanagerplugin.RemoteSecretsManager.Rename:input_type -> secretsmanagerplugin.SecretsRenameRequest
 	7,  // 11: secretsmanagerplugin.RemoteSecretsManager.Get:output_type -> secretsmanagerplugin.SecretsGetResponse
 	6,  // 12: secretsmanagerplugin.RemoteSecretsManager.Set:output_type -> secretsmanagerplugin.SecretsErrorResponse
 	6,  // 13: secretsmanagerplugin.RemoteSecretsManager.Del:output_type -> secretsmanagerplugin.SecretsErrorResponse
 	8,  // 14: secretsmanagerplugin.RemoteSecretsManager.Keys:output_type -> secretsmanagerplugin.SecretsKeysResponse
 	6,  // 15: secretsmanagerplugin.RemoteSecretsManager.Rename:output_type -> secretsmanagerplugin.SecretsErrorResponse
 	11, // [11:16] is the sub-list for method output_type
 	6,  // [6:11] is the sub-list for method input_type
 	6,  // [6:6] is the sub-list for extension type_name
 	6,  // [6:6] is the sub-list for extension extendee
 	0,  // [0:6] is the sub-list for field type_name
 }
 func init() { file_secretsmanager_proto_init() }
 func file_secretsmanager_proto_init() {
 	if File_secretsmanager_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_secretsmanager_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsGetRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsSetRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsDelRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsKeysRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsRenameRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Key); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsErrorResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsGetResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_secretsmanager_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SecretsKeysResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_secretsmanager_proto_rawDesc,
 			NumEnums:      0,
 			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
 		GoTypes:           file_secretsmanager_proto_goTypes,
 		DependencyIndexes: file_secretsmanager_proto_depIdxs,
 		MessageInfos:      file_secretsmanager_proto_msgTypes,
 	}.Build()
 	File_secretsmanager_proto = out.File
 	file_secretsmanager_proto_rawDesc = nil
 	file_secretsmanager_proto_goTypes = nil
 	file_secretsmanager_proto_depIdxs = nil
 }
--- a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto
@ -0,0 +1,56 @@
 syntax = "proto3";
 package secretsmanagerplugin;
 option go_package = "./;secretsmanagerplugin";
 message SecretsGetRequest {
    Key keyDescriptor = 1;
 }
 message SecretsSetRequest {
    Key keyDescriptor = 1;
    string value = 2;
 }
 message SecretsDelRequest {
    Key keyDescriptor = 1;
 }
 message SecretsKeysRequest {
    Key keyDescriptor = 1;
    bool allOrganizations = 2;
 }
 message SecretsRenameRequest {
    Key keyDescriptor = 1;
    string newNamespace = 2;
 }
 message Key {
    int64 orgId = 1;
    string namespace = 2;
    string type = 3;
 }
 message SecretsErrorResponse {
    string error = 1;
 }
 message SecretsGetResponse {
    string error = 1;
    string decryptedValue = 2;
    bool exists = 3;  
 }
 message SecretsKeysResponse {
    string error = 1;
    repeated Key keys = 2;
 }
 service RemoteSecretsManager {
    rpc Get(SecretsGetRequest) returns (SecretsGetResponse);
    rpc Set(SecretsSetRequest) returns (SecretsErrorResponse);
    rpc Del(SecretsDelRequest) returns (SecretsErrorResponse);
    rpc Keys(SecretsKeysRequest) returns (SecretsKeysResponse);
    rpc Rename(SecretsRenameRequest) returns (SecretsErrorResponse);
 }
--- a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grcp_plugin.go
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grcp_plugin.go
@ -0,0 +1,56 @@
 package secretsmanagerplugin
 import (
 	"context"
 	"github.com/hashicorp/go-plugin"
 	"google.golang.org/grpc"
 )
 type SecretsManagerPlugin interface {
 	RemoteSecretsManagerClient
 }
 type SecretsManagerGRPCPlugin struct {
 	plugin.NetRPCUnsupportedPlugin
 }
 func (p *SecretsManagerGRPCPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
 	return nil
 }
 func (p *SecretsManagerGRPCPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
 	return &SecretsManagerGRPCClient{NewRemoteSecretsManagerClient(c)}, nil
 }
 type SecretsManagerGRPCClient struct {
 	RemoteSecretsManagerClient
 }
 // Get an item from the store
 func (sm *SecretsManagerGRPCClient) Get(ctx context.Context, req *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error) {
 	return sm.RemoteSecretsManagerClient.Get(ctx, req)
 }
 // Set an item in the store
 func (sm *SecretsManagerGRPCClient) Set(ctx context.Context, req *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	return sm.RemoteSecretsManagerClient.Set(ctx, req)
 }
 // Del deletes an item from the store.
 func (sm *SecretsManagerGRPCClient) Del(ctx context.Context, req *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	return sm.RemoteSecretsManagerClient.Del(ctx, req)
 }
 // Keys get all keys for a given namespace.
 func (sm *SecretsManagerGRPCClient) Keys(ctx context.Context, req *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error) {
 	return sm.RemoteSecretsManagerClient.Keys(ctx, req)
 }
 // Rename an item in the store
 func (sm *SecretsManagerGRPCClient) Rename(ctx context.Context, req *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	return sm.RemoteSecretsManagerClient.Rename(ctx, req)
 }
 var _ RemoteSecretsManagerClient = &SecretsManagerGRPCClient{}
 var _ plugin.GRPCPlugin = &SecretsManagerGRPCPlugin{}
--- a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grpc.pb.go
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grpc.pb.go
@ -0,0 +1,249 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.2.0
 // - protoc             v3.19.4
 // source: secretsmanager.proto
 package secretsmanagerplugin
 import (
 	context "context"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 )
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 // RemoteSecretsManagerClient is the client API for RemoteSecretsManager service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type RemoteSecretsManagerClient interface {
 	Get(ctx context.Context, in *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error)
 	Set(ctx context.Context, in *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
 	Del(ctx context.Context, in *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
 	Keys(ctx context.Context, in *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error)
 	Rename(ctx context.Context, in *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
 }
 type remoteSecretsManagerClient struct {
 	cc grpc.ClientConnInterface
 }
 func NewRemoteSecretsManagerClient(cc grpc.ClientConnInterface) RemoteSecretsManagerClient {
 	return &remoteSecretsManagerClient{cc}
 }
 func (c *remoteSecretsManagerClient) Get(ctx context.Context, in *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error) {
 	out := new(SecretsGetResponse)
 	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Get", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *remoteSecretsManagerClient) Set(ctx context.Context, in *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	out := new(SecretsErrorResponse)
 	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Set", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *remoteSecretsManagerClient) Del(ctx context.Context, in *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	out := new(SecretsErrorResponse)
 	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Del", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *remoteSecretsManagerClient) Keys(ctx context.Context, in *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error) {
 	out := new(SecretsKeysResponse)
 	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Keys", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *remoteSecretsManagerClient) Rename(ctx context.Context, in *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
 	out := new(SecretsErrorResponse)
 	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Rename", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // RemoteSecretsManagerServer is the server API for RemoteSecretsManager service.
 // All implementations must embed UnimplementedRemoteSecretsManagerServer
 // for forward compatibility
 type RemoteSecretsManagerServer interface {
 	Get(context.Context, *SecretsGetRequest) (*SecretsGetResponse, error)
 	Set(context.Context, *SecretsSetRequest) (*SecretsErrorResponse, error)
 	Del(context.Context, *SecretsDelRequest) (*SecretsErrorResponse, error)
 	Keys(context.Context, *SecretsKeysRequest) (*SecretsKeysResponse, error)
 	Rename(context.Context, *SecretsRenameRequest) (*SecretsErrorResponse, error)
 	mustEmbedUnimplementedRemoteSecretsManagerServer()
 }
 // UnimplementedRemoteSecretsManagerServer must be embedded to have forward compatible implementations.
 type UnimplementedRemoteSecretsManagerServer struct {
 }
 func (UnimplementedRemoteSecretsManagerServer) Get(context.Context, *SecretsGetRequest) (*SecretsGetResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Get not implemented")
 }
 func (UnimplementedRemoteSecretsManagerServer) Set(context.Context, *SecretsSetRequest) (*SecretsErrorResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Set not implemented")
 }
 func (UnimplementedRemoteSecretsManagerServer) Del(context.Context, *SecretsDelRequest) (*SecretsErrorResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Del not implemented")
 }
 func (UnimplementedRemoteSecretsManagerServer) Keys(context.Context, *SecretsKeysRequest) (*SecretsKeysResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Keys not implemented")
 }
 func (UnimplementedRemoteSecretsManagerServer) Rename(context.Context, *SecretsRenameRequest) (*SecretsErrorResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Rename not implemented")
 }
 func (UnimplementedRemoteSecretsManagerServer) mustEmbedUnimplementedRemoteSecretsManagerServer() {}
 // UnsafeRemoteSecretsManagerServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to RemoteSecretsManagerServer will
 // result in compilation errors.
 type UnsafeRemoteSecretsManagerServer interface {
 	mustEmbedUnimplementedRemoteSecretsManagerServer()
 }
 func RegisterRemoteSecretsManagerServer(s grpc.ServiceRegistrar, srv RemoteSecretsManagerServer) {
 	s.RegisterService(&RemoteSecretsManager_ServiceDesc, srv)
 }
 func _RemoteSecretsManager_Get_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SecretsGetRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(RemoteSecretsManagerServer).Get(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Get",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RemoteSecretsManagerServer).Get(ctx, req.(*SecretsGetRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _RemoteSecretsManager_Set_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SecretsSetRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(RemoteSecretsManagerServer).Set(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Set",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RemoteSecretsManagerServer).Set(ctx, req.(*SecretsSetRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _RemoteSecretsManager_Del_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SecretsDelRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(RemoteSecretsManagerServer).Del(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Del",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RemoteSecretsManagerServer).Del(ctx, req.(*SecretsDelRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _RemoteSecretsManager_Keys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SecretsKeysRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(RemoteSecretsManagerServer).Keys(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Keys",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RemoteSecretsManagerServer).Keys(ctx, req.(*SecretsKeysRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _RemoteSecretsManager_Rename_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SecretsRenameRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(RemoteSecretsManagerServer).Rename(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Rename",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RemoteSecretsManagerServer).Rename(ctx, req.(*SecretsRenameRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 // RemoteSecretsManager_ServiceDesc is the grpc.ServiceDesc for RemoteSecretsManager service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
 var RemoteSecretsManager_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "secretsmanagerplugin.RemoteSecretsManager",
 	HandlerType: (*RemoteSecretsManagerServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
 			MethodName: "Get",
 			Handler:    _RemoteSecretsManager_Get_Handler,
 		},
 		{
 			MethodName: "Set",
 			Handler:    _RemoteSecretsManager_Set_Handler,
 		},
 		{
 			MethodName: "Del",
 			Handler:    _RemoteSecretsManager_Del_Handler,
 		},
 		{
 			MethodName: "Keys",
 			Handler:    _RemoteSecretsManager_Keys_Handler,
 		},
 		{
 			MethodName: "Rename",
 			Handler:    _RemoteSecretsManager_Rename_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "secretsmanager.proto",
 }
--- a/pkg/plugins/ifaces.go
+++ b/pkg/plugins/ifaces.go
@ -47,6 +47,11 @@ type RendererManager interface {
 	Renderer() *Plugin
 }
 type SecretsPluginManager interface {
 	// SecretsManager returns a secretsmanager plugin
 	SecretsManager() *Plugin
 }
 type StaticRouteResolver interface {
 	Routes() []*StaticRoute
 }
--- a/pkg/plugins/manager/loader/initializer/initializer_test.go
+++ b/pkg/plugins/manager/loader/initializer/initializer_test.go
@ -79,6 +79,36 @@ func TestInitializer_Initialize(t *testing.T) {
 		assert.NotNil(t, c)
 	})
 	t.Run("secretsmanager", func(t *testing.T) {
 		p := &plugins.Plugin{
 			JSONData: plugins.JSONData{
 				ID:   "test",
 				Type: plugins.SecretsManager,
 				Dependencies: plugins.Dependencies{
 					GrafanaVersion: ">=8.x",
 				},
 				Backend: true,
 			},
 			PluginDir: absCurPath,
 			Class:     plugins.External,
 		}
 		i := &Initializer{
 			cfg: plugins.NewCfg(),
 			log: log.NewNopLogger(),
 			backendProvider: &fakeBackendProvider{
 				plugin: p,
 			},
 		}
 		err := i.Initialize(context.Background(), p)
 		assert.NoError(t, err)
 		c, exists := p.Client()
 		assert.True(t, exists)
 		assert.NotNil(t, c)
 	})
 	t.Run("non backend plugin app", func(t *testing.T) {
 		p := &plugins.Plugin{
 			JSONData: plugins.JSONData{
--- a/pkg/plugins/manager/manager.go
+++ b/pkg/plugins/manager/manager.go
@ -24,6 +24,7 @@ var _ plugins.Client = (*PluginManager)(nil)
 var _ plugins.Store = (*PluginManager)(nil)
 var _ plugins.StaticRouteResolver = (*PluginManager)(nil)
 var _ plugins.RendererManager = (*PluginManager)(nil)
 var _ plugins.SecretsPluginManager = (*PluginManager)(nil)
 type PluginManager struct {
 	cfg             *plugins.Cfg
@ -117,6 +118,16 @@ func (m *PluginManager) Renderer() *plugins.Plugin {
 	return nil
 }
 func (m *PluginManager) SecretsManager() *plugins.Plugin {
 	for _, p := range m.availablePlugins(context.TODO()) {
 		if p.IsSecretsManager() {
 			return p
 		}
 	}
 	return nil
 }
 func (m *PluginManager) Routes() []*plugins.StaticRoute {
 	staticRoutes := make([]*plugins.StaticRoute, 0)
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 )
 type Plugin struct {
@ -36,9 +37,10 @@ type Plugin struct {
 	Module  string
 	BaseURL string
-	Renderer pluginextensionv2.RendererPlugin
+	Renderer       pluginextensionv2.RendererPlugin
-	client   backendplugin.Plugin
+	SecretsManager secretsmanagerplugin.SecretsManagerPlugin
-	log      log.Logger
+	client         backendplugin.Plugin
 	log            log.Logger
 }
 type PluginDTO struct {
@ -132,7 +134,7 @@ type JSONData struct {
 	Streaming    bool            `json:"streaming"`
 	SDK          bool            `json:"sdk,omitempty"`
-	// Backend (Datasource + Renderer)
+	// Backend (Datasource + Renderer + SecretsManager)
 	Executable string `json:"executable,omitempty"`
 }
@ -347,6 +349,10 @@ func (p *Plugin) IsRenderer() bool {
 	return p.Type == "renderer"
 }
 func (p *Plugin) IsSecretsManager() bool {
 	return p.Type == "secretsmanager"
 }
 func (p *Plugin) IsDataSource() bool {
 	return p.Type == "datasource"
 }
@ -384,20 +390,22 @@ var PluginTypes = []Type{
 	Panel,
 	App,
 	Renderer,
 	SecretsManager,
 }
 type Type string
 const (
-	DataSource Type = "datasource"
+	DataSource     Type = "datasource"
-	Panel      Type = "panel"
+	Panel          Type = "panel"
-	App        Type = "app"
+	App            Type = "app"
-	Renderer   Type = "renderer"
+	Renderer       Type = "renderer"
 	SecretsManager Type = "secretsmanager"
 )
 func (pt Type) IsValid() bool {
 	switch pt {
-	case DataSource, Panel, App, Renderer:
+	case DataSource, Panel, App, Renderer, SecretsManager:
 		return true
 	}
 	return false
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@ -149,6 +149,7 @@ var wireBasicSet = wire.NewSet(
 	wire.Bind(new(plugins.DashboardFileStore), new(*manager.PluginManager)),
 	wire.Bind(new(plugins.StaticRouteResolver), new(*manager.PluginManager)),
 	wire.Bind(new(plugins.RendererManager), new(*manager.PluginManager)),
 	wire.Bind(new(plugins.SecretsPluginManager), new(*manager.PluginManager)),
 	coreplugin.ProvideCoreRegistry,
 	loader.ProvideService,
 	wire.Bind(new(loader.Service), new(*loader.Loader)),
--- a/pkg/server/wireexts_oss.go
+++ b/pkg/server/wireexts_oss.go
@ -31,6 +31,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/provisioning"
 	"github.com/grafana/grafana/pkg/services/searchusers"
 	"github.com/grafana/grafana/pkg/services/searchusers/filters"
 	secretsStore "github.com/grafana/grafana/pkg/services/secrets/kvstore"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations"
 	"github.com/grafana/grafana/pkg/services/thumbs"
 	"github.com/grafana/grafana/pkg/services/validations"
@ -85,6 +86,8 @@ var wireExtsBasicSet = wire.NewSet(
 	wire.Bind(new(registry.UsageStatsProvidersRegistry), new(*usagestatssvcs.UsageStatsProvidersRegistry)),
 	ossaccesscontrol.ProvideDatasourcePermissionsService,
 	wire.Bind(new(accesscontrol.DatasourcePermissionsService), new(*ossaccesscontrol.DatasourcePermissionsService)),
 	secretsStore.ProvideRemotePluginCheck,
 	wire.Bind(new(secretsStore.UseRemoteSecretsPluginCheck), new(*secretsStore.OSSRemoteSecretsPluginCheck)),
 )
 var wireExtsSet = wire.NewSet(
--- a/pkg/services/secrets/kvstore/kvstore.go
+++ b/pkg/services/secrets/kvstore/kvstore.go
@ -13,11 +13,26 @@ const (
 	AllOrganizations = -1
 )
-func ProvideService(sqlStore sqlstore.Store, secretsService secrets.Service) SecretsKVStore {
+func ProvideService(sqlStore sqlstore.Store, secretsService secrets.Service, remoteCheck UseRemoteSecretsPluginCheck) SecretsKVStore {
 	logger := log.New("secrets.kvstore")
 	if remoteCheck.ShouldUseRemoteSecretsPlugin() {
 		logger.Debug("secrets kvstore is using a remote plugin for secrets management")
 		secretsPlugin, err := remoteCheck.GetPlugin()
 		if err != nil {
 			logger.Error("plugin client was nil, falling back to SQL implementation")
 		} else {
 			return &secretsKVStorePlugin{
 				secretsPlugin:  secretsPlugin,
 				secretsService: secretsService,
 				log:            logger,
 			}
 		}
 	}
 	logger.Debug("secrets kvstore is using the default (SQL) implementation for secrets management")
 	return &secretsKVStoreSQL{
 		sqlStore:       sqlStore,
 		secretsService: secretsService,
-		log:            log.New("secrets.kvstore"),
+		log:            logger,
 		decryptionCache: decryptionCache{
 			cache: make(map[int64]cachedDecrypted),
 		},
--- a/pkg/services/secrets/kvstore/remote_plugin.go
+++ b/pkg/services/secrets/kvstore/remote_plugin.go
@ -0,0 +1,125 @@
 package kvstore
 import (
 	"context"
 	"fmt"
 	"github.com/grafana/grafana/pkg/infra/log"
 	smp "github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 	"github.com/grafana/grafana/pkg/services/secrets"
 )
 // secretsKVStorePlugin provides a key/value store backed by the Grafana plugin gRPC interface
 type secretsKVStorePlugin struct {
 	log            log.Logger
 	secretsPlugin  smp.SecretsManagerPlugin
 	secretsService secrets.Service
 }
 // Get an item from the store
 func (kv *secretsKVStorePlugin) Get(ctx context.Context, orgId int64, namespace string, typ string) (string, bool, error) {
 	req := &smp.SecretsGetRequest{
 		KeyDescriptor: &smp.Key{
 			OrgId:     orgId,
 			Namespace: namespace,
 			Type:      typ,
 		},
 	}
 	res, err := kv.secretsPlugin.Get(ctx, req)
 	if err != nil {
 		return "", false, err
 	} else if res.Error != "" {
 		err = fmt.Errorf(res.Error)
 	}
 	return res.DecryptedValue, res.Exists, err
 }
 // Set an item in the store
 func (kv *secretsKVStorePlugin) Set(ctx context.Context, orgId int64, namespace string, typ string, value string) error {
 	req := &smp.SecretsSetRequest{
 		KeyDescriptor: &smp.Key{
 			OrgId:     orgId,
 			Namespace: namespace,
 			Type:      typ,
 		},
 		Value: value,
 	}
 	res, err := kv.secretsPlugin.Set(ctx, req)
 	if err == nil && res.Error != "" {
 		err = fmt.Errorf(res.Error)
 	}
 	return err
 }
 // Del deletes an item from the store.
 func (kv *secretsKVStorePlugin) Del(ctx context.Context, orgId int64, namespace string, typ string) error {
 	req := &smp.SecretsDelRequest{
 		KeyDescriptor: &smp.Key{
 			OrgId:     orgId,
 			Namespace: namespace,
 			Type:      typ,
 		},
 	}
 	res, err := kv.secretsPlugin.Del(ctx, req)
 	if err == nil && res.Error != "" {
 		err = fmt.Errorf(res.Error)
 	}
 	return err
 }
 // Keys get all keys for a given namespace. To query for all
 // organizations the constant 'kvstore.AllOrganizations' can be passed as orgId.
 func (kv *secretsKVStorePlugin) Keys(ctx context.Context, orgId int64, namespace string, typ string) ([]Key, error) {
 	req := &smp.SecretsKeysRequest{
 		KeyDescriptor: &smp.Key{
 			OrgId:     orgId,
 			Namespace: namespace,
 			Type:      typ,
 		},
 		AllOrganizations: orgId == AllOrganizations,
 	}
 	res, err := kv.secretsPlugin.Keys(ctx, req)
 	if err != nil {
 		return nil, err
 	} else if res.Error != "" {
 		err = fmt.Errorf(res.Error)
 	}
 	return parseKeys(res.Keys), err
 }
 // Rename an item in the store
 func (kv *secretsKVStorePlugin) Rename(ctx context.Context, orgId int64, namespace string, typ string, newNamespace string) error {
 	req := &smp.SecretsRenameRequest{
 		KeyDescriptor: &smp.Key{
 			OrgId:     orgId,
 			Namespace: namespace,
 			Type:      typ,
 		},
 		NewNamespace: newNamespace,
 	}
 	res, err := kv.secretsPlugin.Rename(ctx, req)
 	if err == nil && res.Error != "" {
 		err = fmt.Errorf(res.Error)
 	}
 	return err
 }
 func parseKeys(keys []*smp.Key) []Key {
 	var newKeys []Key
 	for _, k := range keys {
 		newKey := Key{OrgId: k.OrgId, Namespace: k.Namespace, Type: k.Type}
 		newKeys = append(newKeys, newKey)
 	}
 	return newKeys
 }
--- a/pkg/services/secrets/kvstore/remote_plugin_check.go
+++ b/pkg/services/secrets/kvstore/remote_plugin_check.go
@ -0,0 +1,26 @@
 package kvstore
 import (
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 )
 type UseRemoteSecretsPluginCheck interface {
 	ShouldUseRemoteSecretsPlugin() bool
 	GetPlugin() (secretsmanagerplugin.SecretsManagerPlugin, error)
 }
 type OSSRemoteSecretsPluginCheck struct {
 	UseRemoteSecretsPluginCheck
 }
 func ProvideRemotePluginCheck() *OSSRemoteSecretsPluginCheck {
 	return &OSSRemoteSecretsPluginCheck{}
 }
 func (c *OSSRemoteSecretsPluginCheck) ShouldUseRemoteSecretsPlugin() bool {
 	return false
 }
 func (c *OSSRemoteSecretsPluginCheck) GetPlugin() (secretsmanagerplugin.SecretsManagerPlugin, error) {
 	return nil, nil
 }