types.SecretProviderSpec

address (string)

Address is the Vault server URL (required for hashicorp_vault).

auth (object)

Auth defines how to authenticate to this provider. Optional for cloud providers (SDK default chain), required for hashicorp_vault.

auth.access_key_id (string)

AccessKeyID is a static AWS access key ID.

auth.client_id (string)

ClientID is the Azure AD application (client) ID.

auth.client_secret_env (string)

ClientSecretEnv is the environment variable containing the Azure client secret.

auth.impersonate_service_account (string)

ImpersonateServiceAccount is the target service account to impersonate.

auth.jwt (string)

JWT is the JWT token value.

auth.jwt_env (string)

JWTEnv is the environment variable containing the JWT token.

auth.jwt_file (string)

JWTFile is the path to a file containing the JWT token.

auth.managed_identity_client_id (string)

ManagedIdentityClientID is the client ID for a user-assigned managed identity.

auth.method (string)

Method is the authentication method.

auth.mount_path (string)

MountPath overrides the default auth mount path in Vault (e.g. "auth/approle").

auth.path (string)

Path is the path to a credential file for file-based auth.

auth.role (string)

Role is the backend role name (Vault role, AWS role, etc.) bound to the identity.

auth.role_id (string)

RoleID is the AppRole role ID value.

auth.role_id_env (string)

RoleIDEnv is the environment variable containing the AppRole role ID.

auth.role_id_file (string)

RoleIDFile is the path to a file containing the AppRole role ID.

auth.secret_access_key (string)

SecretAccessKey is a static AWS secret access key.

auth.secret_id (string)

SecretID is the AppRole secret ID value.

auth.secret_id_env (string)

SecretIDEnv is the environment variable containing the AppRole secret ID.

auth.secret_id_file (string)

SecretIDFile is the path to a file containing the AppRole secret ID.

auth.service_account_key_file (string)

ServiceAccountKeyFile is the path to a GCP service account key JSON file.

auth.tenant_id (string)

TenantID is the Azure AD tenant ID.

auth.token (string)

Token is a static Vault token value.

auth.token_env (string)

TokenEnv is the environment variable containing a static Vault token.

auth.token_file (string)

TokenFile is the path to the projected service account token. Default: /var/run/secrets/kubernetes.io/serviceaccount/token

duration_seconds (integer)

DurationSeconds is the STS session duration in seconds (default: 3600, max: 43200).

endpoint_url (string)

EndpointURL is a custom endpoint (LocalStack, PrivateLink, VPC endpoints).

external_id (string)

ExternalID is the value for sts:ExternalId trust policies.

location (string)

Location is the GCP location for regional secrets.

namespace (string)

Namespace is the Vault Enterprise namespace.

profile (string)

Profile is the AWS shared-config profile name.

project (string)

Project is the GCP project ID (required for gcp_secret_manager).

provider (string)

Provider is the backend type (required).

region (string)

Region is the AWS region (required for AWS providers).

role_arn (string)

RoleARN is the IAM role to assume (required for aws_sts).

session_name (string)

SessionName appears in CloudTrail and the assumed-role ARN.

tls (object)

TLS configures TLS settings for the Vault connection.

tls.ca_cert (string)

CACert is the path to a custom CA certificate for verifying the server.

tls.client_cert (string)

ClientCert is the path to a client certificate for mutual TLS.

tls.client_key (string)

ClientKey is the path to a client key for mutual TLS.

tls.skip_verify (boolean)

SkipVerify disables TLS verification. For dev/testing only.

vault_url (string)

VaultURL is the Azure Key Vault URL (required for azure_key_vault).

types.SecretProviderSpec

{
  "address": "string",
  "auth": {
    "access_key_id": "string",
    "client_id": "string",
    "client_secret_env": "string",
    "impersonate_service_account": "string",
    "jwt": "string",
    "jwt_env": "string",
    "jwt_file": "string",
    "managed_identity_client_id": "string",
    "method": "string",
    "mount_path": "string",
    "path": "string",
    "role": "string",
    "role_id": "string",
    "role_id_env": "string",
    "role_id_file": "string",
    "secret_access_key": "string",
    "secret_id": "string",
    "secret_id_env": "string",
    "secret_id_file": "string",
    "service_account_key_file": "string",
    "tenant_id": "string",
    "token": "string",
    "token_env": "string",
    "token_file": "string"
  },
  "duration_seconds": 0,
  "endpoint_url": "string",
  "external_id": "string",
  "location": "string",
  "namespace": "string",
  "profile": "string",
  "project": "string",
  "provider": "string",
  "region": "string",
  "role_arn": "string",
  "session_name": "string",
  "tls": {
    "ca_cert": "string",
    "client_cert": "string",
    "client_key": "string",
    "skip_verify": true
  },
  "vault_url": "string"
}
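Every constraint in this reference can be checked before a single secret is fetched. The Go validator below is an added example, not the project's own code: it reconstructs only the fields it needs under the same JSON names, rejects specs that violate the documented "(required for ...)" rules and the duration_seconds maximum, and warns about the two settings the descriptions themselves flag as risky: credential values written inline (token, role_id, secret_id, where the _env and _file variants exist for that reason) and tls.skip_verify. It assumes the AppRole method is spelled "approle", as suggested by the mount_path example "auth/approle"; the provider names it checks are exactly the four named in the field descriptions.

```go
package main

import "fmt"

// Field names mirror the types.SecretProviderSpec reference; these structs are
// reconstructed for this example and are not the project's own Go types.
type AuthSpec struct {
	Method       string `json:"method"`
	RoleID       string `json:"role_id"`
	RoleIDEnv    string `json:"role_id_env"`
	RoleIDFile   string `json:"role_id_file"`
	SecretID     string `json:"secret_id"`
	SecretIDEnv  string `json:"secret_id_env"`
	SecretIDFile string `json:"secret_id_file"`
	Token        string `json:"token"`
}

type TLSSpec struct {
	SkipVerify bool `json:"skip_verify"`
}

type SecretProviderSpec struct {
	Provider        string    `json:"provider"`
	Address         string    `json:"address"`
	Auth            *AuthSpec `json:"auth"`
	Project         string    `json:"project"`
	RoleARN         string    `json:"role_arn"`
	VaultURL        string    `json:"vault_url"`
	DurationSeconds int       `json:"duration_seconds"`
	TLS             *TLSSpec  `json:"tls"`
}

// Result separates hard errors (the spec cannot work) from warnings (it works but carries a documented risk).
type Result struct {
	Errors   []string
	Warnings []string
}

func countSet(vals ...string) int {
	n := 0
	for _, v := range vals {
		if v != "" {
			n++
		}
	}
	return n
}

// Validate enforces the constraints stated in the field descriptions.
func Validate(s SecretProviderSpec) Result {
	var r Result
	fail := func(msg string) { r.Errors = append(r.Errors, msg) }
	warn := func(msg string) { r.Warnings = append(r.Warnings, msg) }
	// Per-provider required field, taken from the "(required for ...)" notes.
	required := map[string][2]string{
		"hashicorp_vault":    {"address", s.Address},
		"gcp_secret_manager": {"project", s.Project},
		"aws_sts":            {"role_arn", s.RoleARN},
		"azure_key_vault":    {"vault_url", s.VaultURL},
	}
	if s.Provider == "" {
		fail("provider is required")
	} else if req, ok := required[s.Provider]; ok && req[1] == "" {
		fail(req[0] + " is required for " + s.Provider)
	}
	if s.Provider == "hashicorp_vault" && s.Auth == nil {
		fail("auth is required for hashicorp_vault")
	}
	// 0 means "use the default of 3600"; values above the documented max are rejected.
	if s.DurationSeconds < 0 || s.DurationSeconds > 43200 {
		fail(fmt.Sprintf("duration_seconds %d is outside 0..43200", s.DurationSeconds))
	}
	if s.TLS != nil && s.TLS.SkipVerify {
		warn("tls.skip_verify=true disables server certificate verification (dev/testing only)")
	}
	if a := s.Auth; a != nil {
		// Credential values written inline end up in config files and version
		// control; the _env / _file variants keep them out of the spec.
		for _, f := range []struct{ name, value string }{
			{"auth.token", a.Token}, {"auth.role_id", a.RoleID}, {"auth.secret_id", a.SecretID},
		} {
			if f.value != "" {
				warn(f.name + " holds a credential inline; use the _env or _file variant")
			}
		}
		// Assumption: the AppRole method is spelled "approle" (cf. mount_path "auth/approle").
		if a.Method == "approle" {
			if n := countSet(a.RoleID, a.RoleIDEnv, a.RoleIDFile); n != 1 {
				fail(fmt.Sprintf("approle needs exactly one role_id source, got %d", n))
			}
			if n := countSet(a.SecretID, a.SecretIDEnv, a.SecretIDFile); n != 1 {
				fail(fmt.Sprintf("approle needs exactly one secret_id source, got %d", n))
			}
		}
	}
	return r
}
```

Run it against a spec such as `{Provider: "hashicorp_vault", Address: "https://vault.example.internal:8200", Auth: &AuthSpec{Method: "approle", RoleIDEnv: "VAULT_ROLE_ID", SecretIDFile: "/run/secrets/vault_secret_id"}}` (constructed values) and it returns no errors and no warnings; the same spec with `RoleID`/`SecretID` filled in directly and `TLS: &TLSSpec{SkipVerify: true}` is still valid but produces three warnings, which is the right place to fail a CI check. Keeping errors and warnings apart lets a deployment pipeline treat skip_verify as fatal in production while tolerating it in a dev overlay.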