diff --git a/pkg/modules/generators/app_configurations_generator.go b/pkg/modules/generators/app_configurations_generator.go
index 286f68c83..059b05ba7 100644
--- a/pkg/modules/generators/app_configurations_generator.go
+++ b/pkg/modules/generators/app_configurations_generator.go
@@ -585,7 +585,7 @@ func getModuleName(accessory v1.Accessory) (string, error) {
 }
 
 func (g *appConfigurationGenerator) initModuleRequest(config moduleConfig) (*proto.GeneratorRequest, error) {
-	var workloadConfig, devConfig, platformConfig, ctx []byte
+	var workloadConfig, secretStoreConfig, devConfig, platformConfig, ctx []byte
 	var err error
 	// Attention: we MUST yaml.v2 to serialize the object,
 	// because we have introduced MapSlice in the Workload which is supported only in the yaml.v2
@@ -594,6 +594,11 @@ func (g *appConfigurationGenerator) initModuleRequest(config moduleConfig) (*pro
 			return nil, fmt.Errorf("marshal workload config failed. %w", err)
 		}
 	}
+	if g.ws.SecretStore != nil {
+		if secretStoreConfig, err = yamlv2.Marshal(g.ws.SecretStore); err != nil {
+			return nil, fmt.Errorf("marshal secret store config failed. %w", err)
+		}
+	}
 	if config.devConfig != nil {
 		if devConfig, err = yaml.Marshal(config.devConfig); err != nil {
 			return nil, fmt.Errorf("marshal dev module config failed. %w", err)
@@ -618,6 +623,7 @@ func (g *appConfigurationGenerator) initModuleRequest(config moduleConfig) (*pro
 		DevConfig:      devConfig,
 		PlatformConfig: platformConfig,
 		Context:        ctx,
+		SecretStore:    secretStoreConfig,
 	}
 	return protoRequest, nil
 }
diff --git a/pkg/modules/proto/module.pb.go b/pkg/modules/proto/module.pb.go
index f45c5ea17..b1cec4a17 100644
--- a/pkg/modules/proto/module.pb.go
+++ b/pkg/modules/proto/module.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.32.0
+// 	protoc-gen-go v1.34.2
 // 	protoc        v3.21.12
 // source: module.proto
 
@@ -40,6 +40,8 @@ type GeneratorRequest struct {
 	PlatformConfig []byte `protobuf:"bytes,6,opt,name=platform_config,json=platformConfig,proto3" json:"platform_config,omitempty"`
 	// context contains workspace-level configurations, such as topologies, server endpoints, metadata, etc.
 	Context []byte `protobuf:"bytes,7,opt,name=context,proto3" json:"context,omitempty"`
+	// SecretStore represents a secure external location for storing secrets.
+	SecretStore []byte `protobuf:"bytes,8,opt,name=secret_store,json=secretStore,proto3" json:"secret_store,omitempty"`
 }
 
 func (x *GeneratorRequest) Reset() {
@@ -123,6 +125,13 @@ func (x *GeneratorRequest) GetContext() []byte {
 	return nil
 }
 
+func (x *GeneratorRequest) GetSecretStore() []byte {
+	if x != nil {
+		return x.SecretStore
+	}
+	return nil
+}
+
 // GeneratorResponse represents the generate result of the generator.
 type GeneratorResponse struct {
 	state         protoimpl.MessageState
@@ -184,7 +193,7 @@ func (x *GeneratorResponse) GetPatcher() []byte {
 var File_module_proto protoreflect.FileDescriptor
 
 var file_module_proto_rawDesc = []byte{
-	0x0a, 0x0c, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd2,
+	0x0a, 0x0c, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf5,
 	0x01, 0x0a, 0x10, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x14, 0x0a,
@@ -198,17 +207,19 @@ var file_module_proto_rawDesc = []byte{
 	0x66, 0x69, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0e, 0x70, 0x6c, 0x61, 0x74, 0x66,
 	0x6f, 0x72, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e,
 	0x74, 0x65, 0x78, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74,
-	0x65, 0x78, 0x74, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x09, 0x72, 0x65, 0x73,
-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65,
-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72,
-	0x32, 0x3b, 0x0a, 0x06, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x12, 0x31, 0x0a, 0x08, 0x47, 0x65,
-	0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x11, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
-	0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x47, 0x65, 0x6e, 0x65,
-	0x72, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x0a, 0x5a,
-	0x08, 0x2e, 0x2e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x65, 0x78, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x5f, 0x73, 0x74,
+	0x6f, 0x72, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x53, 0x74, 0x6f, 0x72, 0x65, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61,
+	0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x09,
+	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x74,
+	0x63, 0x68, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x70, 0x61, 0x74, 0x63,
+	0x68, 0x65, 0x72, 0x32, 0x3b, 0x0a, 0x06, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x12, 0x31, 0x0a,
+	0x08, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x11, 0x2e, 0x47, 0x65, 0x6e, 0x65,
+	0x72, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x47,
+	0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x42, 0x0a, 0x5a, 0x08, 0x2e, 0x2e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -224,7 +235,7 @@ func file_module_proto_rawDescGZIP() []byte {
 }
 
 var file_module_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
-var file_module_proto_goTypes = []interface{}{
+var file_module_proto_goTypes = []any{
 	(*GeneratorRequest)(nil),  // 0: GeneratorRequest
 	(*GeneratorResponse)(nil), // 1: GeneratorResponse
 }
@@ -244,7 +255,7 @@ func file_module_proto_init() {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
-		file_module_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+		file_module_proto_msgTypes[0].Exporter = func(v any, i int) any {
 			switch v := v.(*GeneratorRequest); i {
 			case 0:
 				return &v.state
@@ -256,7 +267,7 @@ func file_module_proto_init() {
 				return nil
 			}
 		}
-		file_module_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+		file_module_proto_msgTypes[1].Exporter = func(v any, i int) any {
 			switch v := v.(*GeneratorResponse); i {
 			case 0:
 				return &v.state
diff --git a/pkg/modules/proto/module.proto b/pkg/modules/proto/module.proto
index 40877291c..6a85a57c2 100644
--- a/pkg/modules/proto/module.proto
+++ b/pkg/modules/proto/module.proto
@@ -17,6 +17,8 @@ message GeneratorRequest {
   bytes platform_config = 6;
   // context contains workspace-level configurations, such as topologies, server endpoints, metadata, etc.
   bytes context = 7;
+  // SecretStore represents a secure external location for storing secrets.
+  bytes secret_store = 8;
 }
 
 // GeneratorResponse represents the generate result of the generator.
diff --git a/pkg/modules/proto/module_grpc.pb.go b/pkg/modules/proto/module_grpc.pb.go
index d5a684ab8..370ffc828 100644
--- a/pkg/modules/proto/module_grpc.pb.go
+++ b/pkg/modules/proto/module_grpc.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             v3.21.12
 // source: module.proto
 
@@ -15,8 +15,12 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.32.0 or later.
-const _ = grpc.SupportPackageIsVersion7
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	Module_Generate_FullMethodName = "/Module/Generate"
+)
 
 // ModuleClient is the client API for Module service.
 //
@@ -34,8 +38,9 @@ func NewModuleClient(cc grpc.ClientConnInterface) ModuleClient {
 }
 
 func (c *moduleClient) Generate(ctx context.Context, in *GeneratorRequest, opts ...grpc.CallOption) (*GeneratorResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GeneratorResponse)
-	err := c.cc.Invoke(ctx, "/Module/Generate", in, out, opts...)
+	err := c.cc.Invoke(ctx, Module_Generate_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -44,20 +49,24 @@ func (c *moduleClient) Generate(ctx context.Context, in *GeneratorRequest, opts
 
 // ModuleServer is the server API for Module service.
 // All implementations must embed UnimplementedModuleServer
-// for forward compatibility
+// for forward compatibility.
 type ModuleServer interface {
 	Generate(context.Context, *GeneratorRequest) (*GeneratorResponse, error)
 	mustEmbedUnimplementedModuleServer()
 }
 
-// UnimplementedModuleServer must be embedded to have forward compatible implementations.
-type UnimplementedModuleServer struct {
-}
+// UnimplementedModuleServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedModuleServer struct{}
 
 func (UnimplementedModuleServer) Generate(context.Context, *GeneratorRequest) (*GeneratorResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Generate not implemented")
 }
 func (UnimplementedModuleServer) mustEmbedUnimplementedModuleServer() {}
+func (UnimplementedModuleServer) testEmbeddedByValue()                {}
 
 // UnsafeModuleServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to ModuleServer will
@@ -67,6 +76,13 @@ type UnsafeModuleServer interface {
 }
 
 func RegisterModuleServer(s grpc.ServiceRegistrar, srv ModuleServer) {
+	// If the following call pancis, it indicates UnimplementedModuleServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Module_ServiceDesc, srv)
 }
 
@@ -80,7 +96,7 @@ func _Module_Generate_Handler(srv interface{}, ctx context.Context, dec func(int
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/Module/Generate",
+		FullMethod: Module_Generate_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(ModuleServer).Generate(ctx, req.(*GeneratorRequest))