zcloud-ws
diff --git a/‎CLAUDE.md‎
Lines changed: 10 additions & 3 deletions b/‎CLAUDE.md‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 28 additions & 1 deletion b/‎README.md‎
Lines changed: 28 additions & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 10 additions & 6 deletions b/‎go.mod‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎go.sum‎
Lines changed: 21 additions & 9 deletions b/‎go.sum‎
Lines changed: 21 additions & 9 deletions
diff --git a/‎pkg/config/config.go‎
Lines changed: 19 additions & 0 deletions b/‎pkg/config/config.go‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎pkg/connectors/connector.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/connectors/connector.go‎
Lines changed: 2 additions & 0 deletions
@@ -19,6 +19,7 @@ pkg/
     connector.go            # Connector interface (Init, Secret, WriteKey, WriteKeys, Finalize, ConnectorType)
     vault.go                # HashiCorp Vault KVv2 connector
     local-file.go           # Local file connector with RSA encryption (OAEP + SHA256)
+    oci-vault.go            # OCI Vault connector (Oracle Cloud Infrastructure)
     no-connector.go         # No-op connector (used when no config is provided)
     print-keys.go           # Collects template key references (for --print-keys flag)
   envs/envs.go              # Environment variable name constants
@@ -32,9 +33,9 @@ pkg/
 ## Key Concepts
 
 - **Connector interface**: All secret engines implement `connectors.Connector`. Factory: `connectors.NewConnector()`.
-- **Secret engines**: `vault`, `local-file`, `no` (no-op), `print-keys` (introspection).
+- **Secret engines**: `vault`, `local-file`, `oci-vault`, `no` (no-op), `print-keys` (introspection).
 - **Template functions**: `secret "name" "key"`, `env "VAR_NAME"`, all [sprig](https://masterminds.github.io/sprig/) functions.
-- **Config file**: JSON with `secret_engine`, `vault_config`, `local_file_config`, and `options` fields.
+- **Config file**: JSON with `secret_engine`, `vault_config`, `local_file_config`, `oci_vault_config`, and `options` fields.
 
 ## Commands
 
@@ -58,6 +59,11 @@ pkg/
 | `VAULT_NS` | Vault namespace |
 | `LOCAL_SECRET_PRIVATE_KEY` | Base64-encoded RSA private key |
 | `LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE` | Passphrase for RSA key |
+| `OCI_CONFIG_FILE` | Path to OCI config file (default: `~/.oci/config`) |
+| `OCI_CONFIG_PROFILE` | OCI config profile (default: `DEFAULT`) |
+| `OCI_VAULT_OCID` | OCI Vault OCID |
+| `OCI_COMPARTMENT_OCID` | OCI Compartment OCID (required for write operations) |
+| `OCI_KEY_OCID` | OCI Master Encryption Key OCID (required for write operations) |
 
 ## Build & Run
 
@@ -112,4 +118,5 @@ goreleaser release --clean
 | `Masterminds/sprig/v3` | Template function library |
 | `joho/godotenv` | .env file parsing |
 | `go-jose/go-jose/v3` | JSON serialization (used in local-file connector) |
-| `sirupsen/logrus` | Structured logging |
+| `sirupsen/logrus` | Structured logging |
+| `oracle/oci-go-sdk/v65` | OCI SDK (Vault, Secrets clients) |
@@ -9,7 +9,7 @@ A CLI tool that renders [Go templates](https://pkg.go.dev/text/template) with se
 ## Features
 
 - Render any text file using Go template syntax with secret injection
-- Pluggable secret engines: HashiCorp Vault, local encrypted file, or no-op
+- Pluggable secret engines: HashiCorp Vault, OCI Vault, local encrypted file, or no-op
 - Built-in [sprig](https://masterminds.github.io/sprig/) template functions (100+ utility functions)
 - Custom template delimiters to avoid conflicts with Helm, Jinja, etc.
 - Environment variable support in templates and config values
@@ -187,6 +187,28 @@ Uses the [Vault KVv2](https://www.vaultproject.io/) secret engine.
 
 For local development, a Docker Compose setup is available in [`dev/vault/`](dev/vault/README.md).
 
+### OCI Vault
+
+Uses [Oracle Cloud Infrastructure Vault](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm) as the secret engine. Each OCI secret stores a single value (native key-value model).
+
+In templates, the first parameter is the **vault name** and the second is the **secret name**:
+
+```
+{{ secret "my-vault" "db_password" }}
+```
+
+This allows accessing secrets from multiple vaults in a single template. The vault is resolved by display name within the configured compartment.
+
+For single-arg calls (`{{ secret "db_password" }}`), the default vault OCID from config/env is used.
+
+| Env var | Description |
+|---------|-------------|
+| `OCI_CONFIG_FILE` | Path to OCI config file (default: `~/.oci/config`) |
+| `OCI_CONFIG_PROFILE` | OCI config profile (default: `DEFAULT`) |
+| `OCI_VAULT_OCID` | Default OCI Vault OCID (optional, used for single-arg secret calls) |
+| `OCI_COMPARTMENT_OCID` | OCI Compartment OCID (required for vault name resolution and write operations) |
+| `OCI_KEY_OCID` | OCI Master Encryption Key OCID (required for write operations) |
+
 ### Local File
 
 Stores secrets in a local JSON file encrypted with RSA (OAEP + SHA256).
@@ -211,6 +233,11 @@ Stores secrets in a local JSON file encrypted with RSA (OAEP + SHA256).
     "filename": "secrets.json",
     "enc_priv_key": "LS0tLS...."
   },
+  "oci_vault_config": {
+    "vault_ocid": "$OCI_VAULT_OCID",
+    "compartment_ocid": "$OCI_COMPARTMENT_OCID",
+    "key_ocid": "$OCI_KEY_OCID"
+  },
   "options": {
     "secretShowNameAsValueIfEmpty": false,
     "secretIgnoreNotFoundKey": false,
 
@@ -1,12 +1,14 @@
 module github.com/zcloud-ws/secure-templates
 
-go 1.21.9
+go 1.24.0
 
 require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/hashicorp/vault/api v1.12.0
 	github.com/joho/godotenv v1.5.1
+	github.com/oracle/oci-go-sdk/v65 v65.108.2
+	github.com/sirupsen/logrus v1.9.3
 	github.com/urfave/cli/v2 v2.27.1
 )
 
@@ -15,6 +17,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/gofrs/flock v0.10.0 // indirect
 	github.com/google/uuid v1.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -34,12 +37,13 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sony/gobreaker v0.5.0 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
 )
@@ -19,6 +19,8 @@ github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/gofrs/flock v0.10.0 h1:SHMXenfaB03KbroETaCMtbBg3Yn29v4w1r+tgy4ff4k=
+github.com/gofrs/flock v0.10.0/go.mod h1:FirDy1Ing0mI2+kB6wk+vyyAH+e6xiE+EYA0jnzV9jc=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
@@ -73,6 +75,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/oracle/oci-go-sdk/v65 v65.108.2 h1:emoGAxw/vcqoKHgUy6a10RIhAQbaDPQPiuIcoZuoJGw=
+github.com/oracle/oci-go-sdk/v65 v65.108.2/go.mod h1:8ZzvzuEG/cFLFZhxg/Mg1w19KqyXBKO3c17QIc5PkGs=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@@ -85,25 +89,32 @@ github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXY
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg=
+github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/urfave/cli/v2 v2.27.1 h1:8xSQ6szndafKVRmfyeUMxkNUJQMjL1F2zmsZ+qHpfho=
 github.com/urfave/cli/v2 v2.27.1/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -112,8 +123,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -128,8 +139,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -142,8 +153,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 
@@ -14,6 +14,7 @@ const (
 	SecretEngineLocalFile SecretEngine = "local-file"
 	SecretEnginePrintKeys SecretEngine = "print-keys"
 	SecretEngineNo        SecretEngine = "no"
+	SecretEngineOCIVault  SecretEngine = "oci-vault"
 	//SecretEngineOnePassword SecretEngine = "one-password"
 )
 
@@ -32,6 +33,7 @@ type SecureTemplateConfig struct {
 	VaultConfig  VaultConfig  `json:"vault_config,omitempty"`
 	//OnePasswordConfig OnePasswordConfig `json:"one_password_config,omitempty"`
 	LocalFileConfig LocalFileConfig             `json:"local_file_config,omitempty"`
+	OCIVaultConfig  OCIVaultConfig              `json:"oci_vault_config,omitempty"`
 	Options         SecureTemplateConfigOptions `json:"options"`
 }
 
@@ -51,6 +53,14 @@ type LocalFileConfig struct {
 	Passphrase string `json:"passphrase,omitempty"`
 }
 
+type OCIVaultConfig struct {
+	ConfigFile      string `json:"config_file,omitempty"`
+	Profile         string `json:"profile,omitempty"`
+	VaultOCID       string `json:"vault_ocid,omitempty"`
+	CompartmentOCID string `json:"compartment_ocid,omitempty"`
+	KeyOCID         string `json:"key_ocid,omitempty"`
+}
+
 func (cfg *SecureTemplateConfig) Json(out io.Writer) error {
 	data, err := json.MarshalIndent(cfg, "", "  ")
 	if err != nil {
@@ -63,6 +73,7 @@ func (cfg *SecureTemplateConfig) Json(out io.Writer) error {
 func (cfg *SecureTemplateConfig) ExpandEnvVars() {
 	cfg.VaultConfig.expandEnvVars()
 	cfg.LocalFileConfig.expandEnvVars()
+	cfg.OCIVaultConfig.expandEnvVars()
 }
 
 func (vCfg *VaultConfig) expandEnvVars() {
@@ -78,6 +89,14 @@ func (lCfg *LocalFileConfig) expandEnvVars() {
 	lCfg.Passphrase = expandEnvironmentVariables(lCfg.Passphrase)
 }
 
+func (oCfg *OCIVaultConfig) expandEnvVars() {
+	oCfg.ConfigFile = expandEnvironmentVariables(oCfg.ConfigFile)
+	oCfg.Profile = expandEnvironmentVariables(oCfg.Profile)
+	oCfg.VaultOCID = expandEnvironmentVariables(oCfg.VaultOCID)
+	oCfg.CompartmentOCID = expandEnvironmentVariables(oCfg.CompartmentOCID)
+	oCfg.KeyOCID = expandEnvironmentVariables(oCfg.KeyOCID)
+}
+
 func expandEnvironmentVariables(env string) string {
 	if env == "" || !strings.Contains(env, "$") {
 		return env
 
@@ -25,6 +25,8 @@ func NewConnector(secTplConfig config.SecureTemplateConfig) Connector {
 		connector = &PrintKeysConnector{}
 	case config.SecretEngineNo:
 		connector = &NoConnector{}
+	case config.SecretEngineOCIVault:
+		connector = &OCIVaultConnector{}
 	default:
 		logging.Log.Fatalf("Connector not implemented: %s\n", secTplConfig.SecretEngine)
 		return nil