From c113e1d2c881f81b24e89b153f8d35797b28fb52 Mon Sep 17 00:00:00 2001
From: Makito <i@maki.to>
Date: Wed, 24 Jul 2024 15:51:24 +0800
Subject: [PATCH 1/4] feat(*): vault secret picker

---
 .../forms/src/components/FormGenerator.vue    |  23 +-
 .../src/components/fields/FieldArray.vue      |  60 ++-
 .../src/components/fields/FieldArrayItem.vue  |  23 +-
 .../src/components/fields/FieldInput.vue      |  21 +-
 .../components/fields/FieldKeyValuePairs.vue  |  72 ++-
 .../components/fields/FieldObjectAdvanced.vue |  15 +
 .../src/components/fields/FieldTextArea.vue   |  53 ++-
 .../forms/src/components/forms/ACMEForm.vue   |   7 +-
 .../src/components/forms/ExitTransformer.vue  |   9 +-
 .../forms/src/components/forms/OIDCForm.vue   | 153 +++++--
 .../src/components/forms/PostFunction.vue     |   7 +-
 .../forms/src/components/forms/RLAForm.vue    |   7 +-
 .../components/forms/schemas/OIDCAdvanced.js  | 219 ---------
 .../src/components/forms/schemas/OIDCAuth.js  |  75 ---
 .../components/forms/schemas/OIDCCommon.js    |  24 -
 packages/core/forms/src/const.ts              |   6 +
 packages/core/forms/src/types.ts              |  10 +
 .../entities-plugins/docs/plugin-form.md      |   8 +
 .../entities-plugins/fixtures/mockData.ts     |  79 ++++
 .../entities/entities-plugins/package.json    |   1 +
 .../entities-plugins/sandbox/index.ts         |  10 +
 .../sandbox/pages/HomePage.vue                |  14 +
 .../sandbox/pages/PluginFormPage.vue          |   8 +-
 .../sandbox/pages/VaultSecretPickerPage.vue   | 114 +++++
 .../src/components/PluginEntityForm.vue       |  60 ++-
 .../src/components/PluginForm.vue             |  26 +-
 .../src/components/VaultSecretPicker.cy.ts    | 429 ++++++++++++++++++
 .../src/components/VaultSecretPicker.vue      | 424 +++++++++++++++++
 .../components/VaultSecretPickerProvider.vue  |  45 ++
 .../entities-plugins/src/locales/en.json      |  33 +-
 .../entities-plugins/src/vaults-utils.ts      |  80 ++++
 .../src/composables/useDebouncedFilter.ts     |  33 +-
 .../entities-shared/src/types/utils.ts        |   7 +
 .../entities/entities-vaults/src/index.ts     |   5 +
 pnpm-lock.yaml                                |   3 +
 35 files changed, 1700 insertions(+), 463 deletions(-)
 delete mode 100644 packages/core/forms/src/components/forms/schemas/OIDCAdvanced.js
 delete mode 100644 packages/core/forms/src/components/forms/schemas/OIDCAuth.js
 delete mode 100644 packages/core/forms/src/components/forms/schemas/OIDCCommon.js
 create mode 100644 packages/entities/entities-plugins/sandbox/pages/HomePage.vue
 create mode 100644 packages/entities/entities-plugins/sandbox/pages/VaultSecretPickerPage.vue
 create mode 100644 packages/entities/entities-plugins/src/components/VaultSecretPicker.cy.ts
 create mode 100644 packages/entities/entities-plugins/src/components/VaultSecretPicker.vue
 create mode 100644 packages/entities/entities-plugins/src/components/VaultSecretPickerProvider.vue
 create mode 100644 packages/entities/entities-plugins/src/vaults-utils.ts

diff --git a/packages/core/forms/src/components/FormGenerator.vue b/packages/core/forms/src/components/FormGenerator.vue
index 5897ba79cc..c1c191954e 100644
--- a/packages/core/forms/src/components/FormGenerator.vue
+++ b/packages/core/forms/src/components/FormGenerator.vue
@@ -148,18 +148,37 @@
  * @typedef {Record<string, any> & PartialGroup} Group
  */
 
-import { ref } from 'vue'
 import forEach from 'lodash-es/forEach'
 import objGet from 'lodash-es/get'
 import isFunction from 'lodash-es/isFunction'
 import isNil from 'lodash-es/isNil'
-import formMixin from './FormMixin.vue'
+import { ref } from 'vue'
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../const'
 import formGroup from './FormGroup.vue'
+import formMixin from './FormMixin.vue'
 
 export default {
   name: 'FormGenerator',
   components: { formGroup },
   mixins: [formMixin],
+
+  inject: {
+    // Inject AUTOFILL_SLOT for provide()
+    autofillSlot: {
+      from: AUTOFILL_SLOT,
+      default: undefined,
+    },
+  },
+
+  provide() {
+    return {
+      // Provide AUTOFILL_SLOT only if it is not already provided
+      ...!this.autofillSlot && {
+        [AUTOFILL_SLOT]: this.$slots?.[AUTOFILL_SLOT_NAME],
+      },
+    }
+  },
+
   props: {
     schema: {
       type: Object,
diff --git a/packages/core/forms/src/components/fields/FieldArray.vue b/packages/core/forms/src/components/fields/FieldArray.vue
index c4c3a4698b..abf0cea0af 100644
--- a/packages/core/forms/src/components/fields/FieldArray.vue
+++ b/packages/core/forms/src/components/fields/FieldArray.vue
@@ -24,6 +24,7 @@
           @model-updated="modelUpdated"
         />
       </component>
+
       <span v-else-if="schema.items">
         <component
           :is="getFieldType(schema.items)"
@@ -33,6 +34,7 @@
           @model-updated="modelUpdated"
         />
       </span>
+
       <component
         :is="schema.itemContainerComponent"
         v-else-if="schema.itemContainerComponent"
@@ -73,28 +75,33 @@
           :type="schema.inputAttributes?.type || 'text'"
         >
 
+        <template #after>
+          <!-- autofill -->
+          <component
+            :is="autofillSlot"
+            :schema="schema"
+            :update="(val) => value[index] = val"
+            :value="value[index]"
+          />
+        </template>
+      </component>
+
+      <template v-else>
         <input
-          v-if="schema.showRemoveButton"
-          v-bind="schema.removeElementButtonAttributes"
-          type="button"
-          :value="schema.removeElementButtonLabel || removeElementButtonLabel"
-          @click="removeElement(index)"
+          v-bind="schema.inputAttributes"
+          v-model="value[index]"
+          :aria-labelledby="getLabelId(schema)"
+          type="text"
         >
-      </component>
-      <input
-        v-else
-        v-bind="schema.inputAttributes"
-        v-model="value[index]"
-        :aria-labelledby="getLabelId(schema)"
-        type="text"
-      >
-      <input
-        v-if="schema.showRemoveButton"
-        v-bind="schema.removeElementButtonAttributes"
-        type="button"
-        :value="schema.removeElementButtonLabel || removeElementButtonLabel"
-        @click="removeElement(index)"
-      >
+
+        <!-- autofill -->
+        <component
+          :is="autofillSlot"
+          :schema="schema"
+          :update="(val) => value[index] = val"
+          :value="value[index]"
+        />
+      </template>
     </div>
 
     <KButton
@@ -110,17 +117,18 @@
 </template>
 
 <script>
-import abstractField from './abstractField'
-import FieldInput from './FieldInput.vue'
-import FieldSelect from './FieldSelect.vue'
+import { AUTOFILL_SLOT } from '../../const'
 import FieldArrayCardContainer from './FieldArrayCardContainer.vue'
 import FieldArrayItem from './FieldArrayItem.vue'
 import FieldArrayMultiItem from './FieldArrayMultiItem.vue'
 import FieldAutoSuggest from './FieldAutoSuggest.vue'
+import FieldInput from './FieldInput.vue'
 import FieldMetric from './FieldMetric.vue'
 import FieldObject from './FieldObject.vue'
 import FieldObjectAdvanced from './FieldObjectAdvanced.vue'
 import FieldRadio from './FieldRadio.vue'
+import FieldSelect from './FieldSelect.vue'
+import abstractField from './abstractField'
 
 export default {
   name: 'FieldArray',
@@ -137,6 +145,12 @@ export default {
     FieldInput,
   },
   mixins: [abstractField],
+  inject: {
+    autofillSlot: {
+      from: AUTOFILL_SLOT,
+      default: undefined,
+    },
+  },
   props: {
     newElementButtonLabel: {
       type: String,
diff --git a/packages/core/forms/src/components/fields/FieldArrayItem.vue b/packages/core/forms/src/components/fields/FieldArrayItem.vue
index a40747ef70..1bb10dd80b 100644
--- a/packages/core/forms/src/components/fields/FieldArrayItem.vue
+++ b/packages/core/forms/src/components/fields/FieldArrayItem.vue
@@ -1,13 +1,18 @@
 <template>
-  <div class="array-item">
-    <slot />
-    <KButton
-      appearance="tertiary"
-      class="delete"
-      @click="$emit('remove-item')"
-    >
-      <TrashIcon />
-    </KButton>
+  <div class="array-item-wrapper">
+    <div class="array-item">
+      <slot />
+      <KButton
+        appearance="tertiary"
+        class="delete"
+        @click="$emit('remove-item')"
+      >
+        <TrashIcon />
+      </KButton>
+    </div>
+    <div class="array-item-after">
+      <slot name="after" />
+    </div>
   </div>
 </template>
 
diff --git a/packages/core/forms/src/components/fields/FieldInput.vue b/packages/core/forms/src/components/fields/FieldInput.vue
index 627e7a0097..b90e7ec5c4 100644
--- a/packages/core/forms/src/components/fields/FieldInput.vue
+++ b/packages/core/forms/src/components/fields/FieldInput.vue
@@ -22,18 +22,28 @@
       @blur="onBlur"
       @update:model-value="onInput"
     />
+
+    <!-- autofill -->
+    <component
+      :is="autofillSlot"
+      :schema="schema"
+      :update="handleAutofill"
+      :value="inputValue"
+    />
   </div>
 </template>
 
 <script lang="ts" setup>
-import { computed, ref, onBeforeMount, onMounted, toRefs, type PropType } from 'vue'
-import type { DebouncedFunc } from 'lodash-es'
 import fecha from 'fecha'
+import type { DebouncedFunc } from 'lodash-es'
 import debounce from 'lodash-es/debounce'
 import objGet from 'lodash-es/get'
 import isFunction from 'lodash-es/isFunction'
 import isNumber from 'lodash-es/isNumber'
+import { computed, inject, onBeforeMount, onMounted, ref, toRefs, type PropType } from 'vue'
 import composables from '../../composables'
+import { AUTOFILL_SLOT } from '../../const'
+import type { AutofillSlot } from '../../types'
 
 const props = defineProps({
   disabled: {
@@ -76,6 +86,8 @@ const emit = defineEmits<{
 
 const propsRefs = toRefs(props)
 
+const autofillSlot = inject<AutofillSlot | undefined>(AUTOFILL_SLOT, undefined)
+
 const { updateModelValue, getFieldID, clearValidationErrors, value: inputValue } = composables.useAbstractFields({
   model: propsRefs.model,
   schema: props.schema,
@@ -145,6 +157,11 @@ const onInput = (val: string): void => {
   updateModelValue(formattedVal, val)
 }
 
+const handleAutofill = (value: string) => {
+  inputValue.value = value
+  updateModelValue(value, value)
+}
+
 const debouncedFormatFunc = ref<DebouncedFunc<(newValue: string, oldValue: string) => void> | null>(null)
 
 // Clean up debounced calls
diff --git a/packages/core/forms/src/components/fields/FieldKeyValuePairs.vue b/packages/core/forms/src/components/fields/FieldKeyValuePairs.vue
index 9977e32069..75609f7afb 100644
--- a/packages/core/forms/src/components/fields/FieldKeyValuePairs.vue
+++ b/packages/core/forms/src/components/fields/FieldKeyValuePairs.vue
@@ -5,22 +5,44 @@
       :key="index"
       class="pair-item"
     >
-      <input
-        class="form-control"
-        :data-testid="`${getFieldID(schema)}-pair-key-${index}`"
-        :placeholder="schema.keyInputPlaceholder ?? 'Key'"
-        type="text"
-        :value="pair.key"
-        @input="(e) => { onInput(e, index, 'key') }"
-      >
-      <input
-        class="form-control"
-        :data-testid="`${getFieldID(schema)}-pair-value-${index}`"
-        :placeholder="schema.valueInputPlaceholder ?? 'Value'"
-        type="text"
-        :value="pair.value"
-        @input="(e) => { onInput(e, index, 'value') }"
-      >
+      <div class="pair-item-cell">
+        <input
+          class="form-control"
+          :data-testid="`${getFieldID(schema)}-pair-key-${index}`"
+          :placeholder="schema.keyInputPlaceholder ?? 'Key'"
+          type="text"
+          :value="pair.key"
+          @input="(e) => { onInput(e, index, 'key') }"
+        >
+
+        <!-- autofill -->
+        <component
+          :is="autofillSlot"
+          :schema="schema"
+          :update="(value) => onInput({ target: { value }}, index, 'key')"
+          :value="pair.key"
+        />
+      </div>
+
+      <div class="pair-item-cell">
+        <input
+          class="form-control"
+          :data-testid="`${getFieldID(schema)}-pair-value-${index}`"
+          :placeholder="schema.valueInputPlaceholder ?? 'Value'"
+          type="text"
+          :value="pair.value"
+          @input="(e) => { onInput(e, index, 'value') }"
+        >
+
+        <!-- autofill -->
+        <component
+          :is="autofillSlot"
+          :schema="schema"
+          :update="(value) => onInput({ target: { value }}, index, 'value')"
+          :value="pair.value"
+        />
+      </div>
+
       <KButton
         appearance="tertiary"
         :data-testid="`${getFieldID(schema)}-remove-pair-${index}`"
@@ -42,8 +64,9 @@
 </template>
 
 <script>
-import abstractField from './abstractField'
 import { TrashIcon } from '@kong/icons'
+import { AUTOFILL_SLOT } from '../../const'
+import abstractField from './abstractField'
 
 export default {
   name: 'FieldKeyValuePairs',
@@ -52,6 +75,13 @@ export default {
 
   mixins: [abstractField],
 
+  inject: {
+    autofillSlot: {
+      from: AUTOFILL_SLOT,
+      default: undefined,
+    },
+  },
+
   data() {
     return {
       pairs: [],
@@ -114,13 +144,15 @@ export default {
 
   .pair-item {
     display: flex;
+    gap: $kui-space-50;
+    justify-content: space-between;
 
     &:not(:first-child) {
-      margin-top: 12px;
+      margin-top: $kui-space-50;
     }
 
-    input {
-      margin-right: 12px;
+    .pair-item-cell {
+      flex-grow: 1;
     }
   }
 }
diff --git a/packages/core/forms/src/components/fields/FieldObjectAdvanced.vue b/packages/core/forms/src/components/fields/FieldObjectAdvanced.vue
index f9185164bb..93934899a9 100644
--- a/packages/core/forms/src/components/fields/FieldObjectAdvanced.vue
+++ b/packages/core/forms/src/components/fields/FieldObjectAdvanced.vue
@@ -48,6 +48,14 @@
             >
               {{ schema.fields[0].schema.hint }}
             </p>
+
+            <!-- autofill -->
+            <component
+              :is="autofillSlot"
+              :schema="(schema.fields && schema.fields[0].schema) || schema.values"
+              :update="(val) => value[index] = val"
+              :value="value[index]"
+            />
           </div>
           <hr class="wide-divider">
         </div>
@@ -86,12 +94,19 @@
 
 <script>
 import { TrashIcon } from '@kong/icons'
+import { AUTOFILL_SLOT } from '../../const'
 import abstractField from './abstractField'
 export default {
   components: {
     TrashIcon,
   },
   mixins: [abstractField],
+  inject: {
+    autofillSlot: {
+      from: AUTOFILL_SLOT,
+      default: undefined,
+    },
+  },
   emits: ['model-updated'],
   data() {
     return {
diff --git a/packages/core/forms/src/components/fields/FieldTextArea.vue b/packages/core/forms/src/components/fields/FieldTextArea.vue
index 0af834b212..0653839666 100644
--- a/packages/core/forms/src/components/fields/FieldTextArea.vue
+++ b/packages/core/forms/src/components/fields/FieldTextArea.vue
@@ -1,23 +1,48 @@
-<template lang="pug">
-textarea.form-control(
-        v-model="value",
-        :id="getFieldID(schema)",
-        :class="schema.fieldClasses",
-        :disabled="disabled || null",
-        :maxlength="schema.max",
-        :minlength="schema.min",
-        :placeholder="schema.placeholder",
-        :readonly="schema.readonly",
-        :required="schema.required",
-        :rows="schema.rows || 2",
-        :name="schema.inputName",
-        v-attributes="'input'")
+<template>
+  <div class="field-textarea">
+    <textarea
+      :id="getFieldID(schema)"
+      v-model="value"
+      v-attributes="'input'"
+      class="form-control"
+      :class="schema.fieldClasses"
+      :disabled="disabled || null"
+      :maxlength="schema.max"
+      :minlength="schema.min"
+      :name="schema.inputName"
+      :placeholder="schema.placeholder"
+      :readonly="schema.readonly"
+      :required="schema.required"
+      :rows="schema.rows || 2"
+    />
+
+    <!-- autofill -->
+    <component
+      :is="autofillSlot"
+      :schema="schema"
+      :update="(val) => value = val"
+      :value="value"
+    />
+  </div>
 </template>
 
 <script>
+import { AUTOFILL_SLOT } from '../../const'
 import abstractField from './abstractField'
 
 export default {
   mixins: [abstractField],
+  inject: {
+    autofillSlot: {
+      from: AUTOFILL_SLOT,
+      default: undefined,
+    },
+  },
 }
 </script>
+
+<style lang="scss" scoped>
+.field-textarea {
+  width: 100%;
+}
+</style>
diff --git a/packages/core/forms/src/components/forms/ACMEForm.vue b/packages/core/forms/src/components/forms/ACMEForm.vue
index 61b1f4fb5e..435932e9c8 100644
--- a/packages/core/forms/src/components/forms/ACMEForm.vue
+++ b/packages/core/forms/src/components/forms/ACMEForm.vue
@@ -133,11 +133,16 @@
 <script setup lang="ts">
 import cloneDeep from 'lodash-es/cloneDeep'
 import type { PropType } from 'vue'
-import { computed, onMounted, ref } from 'vue'
+import { computed, onMounted, provide, ref, useSlots } from 'vue'
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../../const'
+import type { AutofillSlot } from '../../types'
 import VueFormGenerator from '../FormGenerator.vue'
 import type { Schema } from './schemas/ACMECommon'
 import { ACMECommonSchema, ACMELetsEncryptSchema, ACMEZeroSSLSchema } from './schemas/ACMECommon'
 
+// Provide AUTOFILL_SLOT
+provide<AutofillSlot | undefined>(AUTOFILL_SLOT, useSlots()?.[AUTOFILL_SLOT_NAME])
+
 const props = defineProps({
   formModel: {
     type: Object as PropType<any>,
diff --git a/packages/core/forms/src/components/forms/ExitTransformer.vue b/packages/core/forms/src/components/forms/ExitTransformer.vue
index 137b11ef5e..7f93b11360 100644
--- a/packages/core/forms/src/components/forms/ExitTransformer.vue
+++ b/packages/core/forms/src/components/forms/ExitTransformer.vue
@@ -9,12 +9,17 @@
 </template>
 
 <script setup lang="ts">
-import type { PropType } from 'vue'
-import { computed } from 'vue'
 import { createI18n } from '@kong-ui-public/i18n'
+import type { PropType } from 'vue'
+import { computed, provide, useSlots } from 'vue'
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../../const'
 import english from '../../locales/en.json'
+import type { AutofillSlot } from '../../types'
 import VueFormGenerator from '../FormGenerator.vue'
 
+// Provide AUTOFILL_SLOT
+provide<AutofillSlot | undefined>(AUTOFILL_SLOT, useSlots()?.[AUTOFILL_SLOT_NAME])
+
 const { t, te } = createI18n<typeof english>('en-us', english)
 
 const props = defineProps({
diff --git a/packages/core/forms/src/components/forms/OIDCForm.vue b/packages/core/forms/src/components/forms/OIDCForm.vue
index e96f41c5e9..3b1ef91c86 100644
--- a/packages/core/forms/src/components/forms/OIDCForm.vue
+++ b/packages/core/forms/src/components/forms/OIDCForm.vue
@@ -13,12 +13,15 @@
       <template #common>
         <div class="general-settings">
           <div class="link-wrapper">
-            <KExternalLink href="https://docs.konghq.com/hub/kong-inc/openid-connect/#important-configuration-parameters">
+            <KExternalLink
+              href="https://docs.konghq.com/hub/kong-inc/openid-connect/#important-configuration-parameters"
+            >
               <span class="section-header">Common Configuration Settings</span>
             </KExternalLink>
           </div>
           <div class="description">
-            Parameters for enabling the OpenID Connect plugin. Set these parameters before adding authorization, authentication, or other advanced configuration details.
+            Parameters for enabling the OpenID Connect plugin. Set these parameters before adding authorization,
+            authentication, or other advanced configuration details.
           </div>
           <VueFormGenerator
             v-if="displayForm"
@@ -66,7 +69,14 @@
             :options="formOptions"
             :schema="authFieldsSchema"
             @model-updated="onModelUpdated"
-          />
+          >
+            <template #autofill-provider="slotProps">
+              <slot
+                name="autofill-provider"
+                v-bind="slotProps"
+              />
+            </template>
+          </VueFormGenerator>
         </div>
       </template>
       <template #advanced>
@@ -93,14 +103,36 @@
 </template>
 
 <script>
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../../const'
 import VueFormGenerator from '../FormGenerator.vue'
-import OIDCAdvancedSchema from './schemas/OIDCAdvanced.js'
-import OIDCAuthSchema from './schemas/OIDCAuth'
-import OIDCCommonSchema from './schemas/OIDCCommon'
+
+const COMMON_FIELD_MODELS = new Set([
+  'config-client_id',
+  'config-client_secret',
+  'config-issuer',
+])
+
+const AUTH_FIELD_MODELS = new Set([
+  'config-scopes_claim',
+  'config-scopes_required',
+  'config-audience_claim',
+  'config-audience_required',
+  'config-roles_claim',
+  'config-roles_required',
+  'config-groups_claim',
+  'config-groups_required',
+  'config-authenticated_groups_claim',
+])
 
 export default {
   name: 'OIDCForm',
   components: { VueFormGenerator },
+  provide() {
+    // Provide AUTOFILL_SLOT
+    return {
+      [AUTOFILL_SLOT]: this.$slots?.[AUTOFILL_SLOT_NAME],
+    }
+  },
   props: {
     formModel: {
       type: Object,
@@ -112,7 +144,7 @@ export default {
     },
     formOptions: {
       type: Object,
-      default: () => {},
+      default: () => { },
     },
     onModelUpdated: {
       type: Function,
@@ -177,38 +209,76 @@ export default {
           }),
         }
 
-        // init schema for autoconfig tab
+        const fieldMap = this.formSchema.fields.reduce((m, f) => {
+          m[f.model] = f
+          return m
+        }, {})
+
         this.commonFieldsSchema = {
-          ...OIDCCommonSchema,
+          fields: Array.from(COMMON_FIELD_MODELS)
+            .reduce((fields, model) => {
+              const field = fieldMap[model]
+              if (field) {
+                fields.push(fieldMap[model])
+              }
+              return fields
+            }, []),
         }
 
         this.authFieldsSchema = {
-          ...OIDCAuthSchema,
+          fields: Array.from(AUTH_FIELD_MODELS)
+            .reduce((fields, model) => {
+              const field = fieldMap[model]
+              if (field) {
+                fields.push(fieldMap[model])
+              }
+              return fields
+            }, []),
         }
 
-        // strip out all fields not already visible
-        // use this for advanced tab
-        this.advancedFieldsSchema.fields = this.formSchema.fields.filter(r => {
-          return (r.model.startsWith('config') && !this.commonFieldsSchema.fields.filter(field => {
-            return field.model === r.model
-          }).length && !this.authFieldsSchema.fields.filter(field => {
-            return field.model === r.model
-          }).length) || r.model === 'tags'
-        })
-
-        this.advancedFieldsSchema.fields = this.advancedFieldsSchema.fields.map(item => {
-          const findElement = OIDCAdvancedSchema.fields.find(i => i.model === item.model)
-
-          if (findElement) {
-            return findElement
-          }
-
-          return item
-        })
-
-        this.commonFieldsSchema.fields = this.commonFieldsSchema.fields.filter(r => {
-          return r.model !== 'config-auth_methods'
-        })
+        this.advancedFieldsSchema = {
+          fields: this.formSchema.fields
+            .filter(field =>
+              (field.model.startsWith('config')
+                && field.model !== 'config-auth_methods'
+                && !COMMON_FIELD_MODELS.has(field.model)
+                && !AUTH_FIELD_MODELS.has(field.model))
+              || field.model === 'tags',
+            )
+            .reduce((fields, field) => {
+              switch (field.model) {
+                case 'config-client_jwk': {
+                  if (Array.isArray(field.items?.schema?.fields)) {
+                    for (const itemField of field.items.schema.fields) {
+                      itemField.label = itemField.model
+                    }
+                  }
+
+                  fields.push({
+                    ...field,
+                    link: 'https://docs.konghq.com/hub/kong-inc/openid-connect/#jwk-record',
+                    newElementButtonLabel: '+ Add Client JWK',
+                    ...Array.isArray(field.items?.schema?.fields)
+                    && field.items.schema.fields.map(itemField => ({ ...itemField, label: itemField.model })),
+                  })
+                  break
+                }
+                case 'config-session_redis_cluster_nodes': {
+                  fields.push({
+                    ...field,
+                    link: 'https://docs.konghq.com/hub/kong-inc/openid-connect/#host-record',
+                    newElementButtonLabel: '+ Add Cluster Node',
+                  })
+                  break
+                }
+                default: {
+                  fields.push(field)
+                }
+              }
+
+              return fields
+            }, []),
+        }
 
         // Use checkboxes for auth methods
         this.sessionManagement = this.isEditing ? this.formModel['config-auth_methods'].includes('session') : false
@@ -255,18 +325,13 @@ export default {
           hint: 'OAuth refresh token grant',
           prop: this.isEditing ? this.formModel['config-auth_methods'].includes('refresh_token') : false,
         }]
-      }
-
-      const fieldMap = {}
-      for (const field of this.formSchema.fields) {
-        fieldMap[field.model] = field
-      }
 
-      for (const s of [this.commonFieldsSchema, this.authFieldsSchema, this.advancedFieldsSchema]) {
-        for (const f of s.fields) {
-          const help = fieldMap[f.model]?.help
-          if (f.help === undefined && typeof help === 'string') {
-            f.help = help
+        for (const s of [this.commonFieldsSchema, this.authFieldsSchema, this.advancedFieldsSchema]) {
+          for (const f of s.fields) {
+            const help = fieldMap[f.model]?.help
+            if (f.help === undefined && typeof help === 'string') {
+              f.help = help
+            }
           }
         }
       }
diff --git a/packages/core/forms/src/components/forms/PostFunction.vue b/packages/core/forms/src/components/forms/PostFunction.vue
index fb56d19f8e..e0b2e51f93 100644
--- a/packages/core/forms/src/components/forms/PostFunction.vue
+++ b/packages/core/forms/src/components/forms/PostFunction.vue
@@ -11,10 +11,15 @@
 <script setup lang="ts">
 import { createI18n } from '@kong-ui-public/i18n'
 import type { PropType } from 'vue'
-import { computed } from 'vue'
+import { computed, provide, useSlots } from 'vue'
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../../const'
 import english from '../../locales/en.json'
+import type { AutofillSlot } from '../../types'
 import VueFormGenerator from '../FormGenerator.vue'
 
+// Provide AUTOFILL_SLOT
+provide<AutofillSlot | undefined>(AUTOFILL_SLOT, useSlots()?.[AUTOFILL_SLOT_NAME])
+
 const { t, te } = createI18n<typeof english>('en-us', english)
 
 const props = defineProps({
diff --git a/packages/core/forms/src/components/forms/RLAForm.vue b/packages/core/forms/src/components/forms/RLAForm.vue
index 8108bc515d..f0ce30d3d6 100644
--- a/packages/core/forms/src/components/forms/RLAForm.vue
+++ b/packages/core/forms/src/components/forms/RLAForm.vue
@@ -225,8 +225,10 @@ import { createI18n } from '@kong-ui-public/i18n'
 import { AddIcon, RemoveIcon } from '@kong/icons'
 import type { SelectItem } from '@kong/kongponents'
 import cloneDeep from 'lodash-es/cloneDeep'
-import { computed, nextTick, ref } from 'vue'
+import { computed, nextTick, provide, ref, useSlots } from 'vue'
+import { AUTOFILL_SLOT, AUTOFILL_SLOT_NAME } from '../../const'
 import english from '../../locales/en.json'
+import type { AutofillSlot } from '../../types'
 
 interface UseCase {
   label: string
@@ -237,6 +239,9 @@ interface UseCase {
   }
 }
 
+// Provide AUTOFILL_SLOT
+provide<AutofillSlot | undefined>(AUTOFILL_SLOT, useSlots()?.[AUTOFILL_SLOT_NAME])
+
 const USE_CASES: Record<string, UseCase[]> = {
   fixed: [
     {
diff --git a/packages/core/forms/src/components/forms/schemas/OIDCAdvanced.js b/packages/core/forms/src/components/forms/schemas/OIDCAdvanced.js
deleted file mode 100644
index d9f17d2219..0000000000
--- a/packages/core/forms/src/components/forms/schemas/OIDCAdvanced.js
+++ /dev/null
@@ -1,219 +0,0 @@
-export default {
-  fields: [
-    {
-      type: 'array',
-      showRemoveButton: false,
-      newElementButtonLabelClasses: 'kong-form-new-element-button-label',
-      itemContainerComponent: 'FieldArrayCardContainer',
-      fieldClasses: 'array-card-container-wrapper',
-
-      newElementButtonLabel: '+ Add Client JWK',
-      items: {
-        type: 'object',
-        schema: {
-          fields: [
-            {
-              model: 'kid',
-              label: 'kid',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'issuer',
-              label: 'issuer',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'kty',
-              label: 'kty',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'use',
-              label: 'use',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'key_ops',
-              label: 'key_ops',
-              type: 'array',
-              fieldItemsClasses: 'jwk-array-input-wrapper',
-              showRemoveButton: true,
-              removeElementButtonLabel: 'Remove',
-              items: {
-                type: 'input',
-                inputType: 'string',
-              },
-            },
-            {
-              model: 'alg',
-              label: 'alg',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'x5u',
-              label: 'x5u',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'x5c',
-              label: 'x5c',
-              type: 'array',
-              fieldItemsClasses: 'jwk-array-input-wrapper',
-              showRemoveButton: true,
-              removeElementButtonLabel: 'Remove',
-              items: {
-                type: 'input',
-                inputType: 'string',
-              },
-            },
-            {
-              model: 'x5t',
-              label: 'x5t',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'x5t#S256',
-              label: 'x5t#S256',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'k',
-              label: 'k',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'x',
-              label: 'x',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'y',
-              label: 'y',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'crv',
-              label: 'crv',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'n',
-              label: 'n',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'e',
-              label: 'e',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'd',
-              label: 'd',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'p',
-              label: 'p',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'q',
-              label: 'q',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'dp',
-              label: 'dp',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'dq',
-              label: 'dq',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'qi',
-              label: 'qi',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'oth',
-              label: 'oth',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 'r',
-              label: 'r',
-              type: 'input',
-              inputType: 'string',
-            },
-            {
-              model: 't',
-              label: 't',
-              type: 'input',
-              inputType: 'string',
-            },
-          ],
-        },
-      },
-
-      model: 'config-client_jwk',
-      label: 'Config.Client Jwk',
-      order: 0,
-      disabled: false,
-      link: 'https://docs.konghq.com/hub/kong-inc/openid-connect/#jwk-record',
-    },
-    {
-      type: 'array',
-      showRemoveButton: false,
-      newElementButtonLabelClasses: 'kong-form-new-element-button-label',
-      itemContainerComponent: 'FieldArrayCardContainer',
-      fieldClasses: 'array-card-container-wrapper',
-
-      newElementButtonLabel: '+ Add Cluster Node',
-      items: {
-        type: 'object',
-        schema: {
-          fields: [{
-            label: 'IP',
-            model: 'ip',
-            type: 'input',
-            inputType: 'text',
-          }, {
-            label: 'Port',
-            model: 'port',
-            type: 'input',
-            inputType: 'number',
-          }],
-        },
-      },
-
-      model: 'config-session_redis_cluster_nodes',
-      label: 'Config.Session Redis Cluster Nodes',
-      order: 0,
-      disabled: false,
-      link: 'https://docs.konghq.com/hub/kong-inc/openid-connect/#host-record',
-    },
-  ],
-}
diff --git a/packages/core/forms/src/components/forms/schemas/OIDCAuth.js b/packages/core/forms/src/components/forms/schemas/OIDCAuth.js
deleted file mode 100644
index 921c283b24..0000000000
--- a/packages/core/forms/src/components/forms/schemas/OIDCAuth.js
+++ /dev/null
@@ -1,75 +0,0 @@
-export default {
-  fields: [{
-    inputType: 'text',
-    label: 'Config.Scopes Claim',
-    model: 'config-scopes_claim',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Scopes Required',
-    model: 'config-scopes_required',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Audience Claim',
-    model: 'config-audience_claim',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Audience Required',
-    model: 'config-audience_required',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Roles Claim',
-    model: 'config-roles_claim',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Roles Required',
-    model: 'config-roles_required',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Groups Claim',
-    model: 'config-groups_claim',
-    type: 'array',
-    valueType: 'string',
-    valueArrayType: 'array',
-    itemContainerComponent: 'FieldArrayItem',
-    fieldClasses: 'auth-array-item-container',
-    fieldItemsClasses: 'auth-array-item',
-    inputAttributes: { class: 'form-control', style: { minWidth: '200px' } },
-    validator: 'array',
-    newElementButtonLabelClasses: 'auth-array-item-new',
-    newElementButtonLabel: '+ Add',
-  }, {
-    inputType: 'text',
-    label: 'Config.Groups Required',
-    model: 'config-groups_required',
-    type: 'array',
-    valueType: 'string',
-    valueArrayType: 'array',
-    itemContainerComponent: 'FieldArrayItem',
-    fieldClasses: 'auth-array-item-container',
-    fieldItemsClasses: 'auth-array-item',
-    inputAttributes: { class: 'form-control', style: { minWidth: '200px' } },
-    validator: 'array',
-    newElementButtonLabelClasses: 'auth-array-item-new',
-    newElementButtonLabel: '+ Add',
-  }, {
-    inputType: 'text',
-    label: 'Config.Authenticated Groups Claim',
-    model: 'config-authenticated_groups_claim',
-    type: 'array',
-    valueType: 'string',
-    valueArrayType: 'array',
-    itemContainerComponent: 'FieldArrayItem',
-    fieldClasses: 'auth-array-item-container',
-    fieldItemsClasses: 'auth-array-item',
-    inputAttributes: { class: 'form-control', style: { minWidth: '200px' } },
-    validator: 'array',
-    newElementButtonLabelClasses: 'auth-array-item-new',
-    newElementButtonLabel: '+ Add',
-  }],
-}
diff --git a/packages/core/forms/src/components/forms/schemas/OIDCCommon.js b/packages/core/forms/src/components/forms/schemas/OIDCCommon.js
deleted file mode 100644
index 36d4912708..0000000000
--- a/packages/core/forms/src/components/forms/schemas/OIDCCommon.js
+++ /dev/null
@@ -1,24 +0,0 @@
-export default {
-  fields: [{
-    inputType: 'text',
-    label: 'Config.Client Id',
-    model: 'config-client_id',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Client Secret',
-    model: 'config-client_secret',
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Issuer',
-    model: 'config-issuer',
-    required: true,
-    type: 'input',
-  }, {
-    inputType: 'text',
-    label: 'Config.Auth Methods',
-    model: 'config-auth_methods',
-    type: 'input',
-  }],
-}
diff --git a/packages/core/forms/src/const.ts b/packages/core/forms/src/const.ts
index 90ac0823d6..633d7e1210 100644
--- a/packages/core/forms/src/const.ts
+++ b/packages/core/forms/src/const.ts
@@ -1 +1,7 @@
 export const FORMS_API_KEY = 'kong-ui-forms-api'
+
+/** Used by `template` and `slot` */
+export const AUTOFILL_SLOT_NAME = 'autofill'
+
+/** Used by `provide` and `inject` */
+export const AUTOFILL_SLOT = 'autofillSlot'
diff --git a/packages/core/forms/src/types.ts b/packages/core/forms/src/types.ts
index 19ea73da9c..6795eb0c45 100644
--- a/packages/core/forms/src/types.ts
+++ b/packages/core/forms/src/types.ts
@@ -1,3 +1,5 @@
+import type { Slot } from 'vue'
+
 export type FGCollapsibleOptions = boolean | {
   title?: string
   description?: string
@@ -14,3 +16,11 @@ export interface FGSlots {
   beforeContent?: string
   emptyState?: string
 }
+
+export interface AutofillSlotProps {
+  schema: Record<string, any>
+  value: any
+  update: (value: any) => void
+}
+
+export type AutofillSlot = Slot<AutofillSlotProps>
diff --git a/packages/entities/entities-plugins/docs/plugin-form.md b/packages/entities/entities-plugins/docs/plugin-form.md
index 351a326787..434b233c26 100644
--- a/packages/entities/entities-plugins/docs/plugin-form.md
+++ b/packages/entities/entities-plugins/docs/plugin-form.md
@@ -173,6 +173,14 @@ Control if the form is wrapped in KCard or not.
 
 Control if the View Configuration action button is hidden.
 
+#### `enableVaultSecretPicker`
+
+- type: `Boolean`
+- required: `false`
+- default: `false`
+
+Control if the vault secret picker is enabled for applicable fields.
+
 ### Events
 
 #### cancel
diff --git a/packages/entities/entities-plugins/fixtures/mockData.ts b/packages/entities/entities-plugins/fixtures/mockData.ts
index 43d97d4658..504a05ab92 100644
--- a/packages/entities/entities-plugins/fixtures/mockData.ts
+++ b/packages/entities/entities-plugins/fixtures/mockData.ts
@@ -1,3 +1,4 @@
+import type { SecretEntityRow, EntityRow as VaultEntityRow } from '@kong-ui-public/entities-vaults'
 import type { EntityRow } from '../src/types/plugin-list'
 
 // FetcherRawResponse is the raw format of the endpoint's response
@@ -748,3 +749,81 @@ export const scopedConsumer = {
     ],
   },
 }
+
+export interface VaultsFetcherRawResponse {
+  data: VaultEntityRow[];
+  total: number;
+  offset?: string;
+}
+
+export interface SecretsFetcherRawResponse {
+  data: SecretEntityRow[];
+  total: number;
+  offset?: string;
+}
+
+const vaults: VaultEntityRow[] = [
+  {
+    id: '1',
+    name: 'hcv',
+    prefix: 'hcv-1',
+    description: 'HashiCorp Vault',
+  },
+  {
+    id: '2',
+    name: 'aws',
+    prefix: 'aws-1',
+    description: 'AWS Secrets Manager',
+  },
+  {
+    id: '3',
+    name: 'konnect',
+    prefix: 'kv-1',
+    description: 'Konnect Config Store',
+  },
+  {
+    id: '4',
+    name: 'env',
+    prefix: 'env-1',
+    description: 'Environment Variables',
+  },
+]
+
+// ... without Konnect vaults
+const kongManagerVaults = vaults.filter((v) => v.name !== 'konnect')
+
+export const vaultsResponse: VaultsFetcherRawResponse = {
+  data: vaults,
+  total: vaults.length,
+}
+
+// ... without Konnect vaults
+export const kongManagerVaultsResponse: VaultsFetcherRawResponse = {
+  data: kongManagerVaults,
+  total: kongManagerVaults.length,
+}
+
+export const konnectVaultId = '3'
+
+const secrets: SecretEntityRow[] = [
+  {
+    id: '1',
+    key: 'password',
+    value: '<redacted>',
+  },
+  {
+    id: '2',
+    key: 'username',
+    value: '<redacted>',
+  },
+  {
+    id: '3',
+    key: 'tokens',
+    value: '{ "refresh_token": "<redacted>" }',
+  },
+]
+
+export const secretsResponse: SecretsFetcherRawResponse = {
+  data: secrets,
+  total: secrets.length,
+}
diff --git a/packages/entities/entities-plugins/package.json b/packages/entities/entities-plugins/package.json
index 677cdeda54..9e2822dfbe 100644
--- a/packages/entities/entities-plugins/package.json
+++ b/packages/entities/entities-plugins/package.json
@@ -32,6 +32,7 @@
     "vue-router": "^4.3.3"
   },
   "devDependencies": {
+    "@kong-ui-public/entities-vaults": "workspace:^",
     "@kong-ui-public/i18n": "workspace:^",
     "@kong/design-tokens": "1.15.3",
     "@kong/kongponents": "9.1.7",
diff --git a/packages/entities/entities-plugins/sandbox/index.ts b/packages/entities/entities-plugins/sandbox/index.ts
index 07f0c27be9..1db03631de 100644
--- a/packages/entities/entities-plugins/sandbox/index.ts
+++ b/packages/entities/entities-plugins/sandbox/index.ts
@@ -14,6 +14,16 @@ const init = async () => {
       {
         path: '/',
         name: 'home',
+        component: () => import('./pages/HomePage.vue'),
+      },
+      {
+        path: '/vault-secret-picker',
+        name: 'vault-secret-picker',
+        component: () => import('./pages/VaultSecretPickerPage.vue'),
+      },
+      {
+        path: '/plugin',
+        name: 'list-plugin',
         component: () => import('./pages/PluginListPage.vue'),
       },
       {
diff --git a/packages/entities/entities-plugins/sandbox/pages/HomePage.vue b/packages/entities/entities-plugins/sandbox/pages/HomePage.vue
new file mode 100644
index 0000000000..cea07501c8
--- /dev/null
+++ b/packages/entities/entities-plugins/sandbox/pages/HomePage.vue
@@ -0,0 +1,14 @@
+<template>
+  <ul>
+    <li>
+      <router-link :to="{ name: 'list-plugin' }">
+        PluginList
+      </router-link>
+    </li>
+    <li>
+      <router-link :to="{ name: 'vault-secret-picker' }">
+        VaultSecretPicker
+      </router-link>
+    </li>
+  </ul>
+</template>
diff --git a/packages/entities/entities-plugins/sandbox/pages/PluginFormPage.vue b/packages/entities/entities-plugins/sandbox/pages/PluginFormPage.vue
index aa69477dff..a2083a06aa 100644
--- a/packages/entities/entities-plugins/sandbox/pages/PluginFormPage.vue
+++ b/packages/entities/entities-plugins/sandbox/pages/PluginFormPage.vue
@@ -3,6 +3,7 @@
     <h2>Konnect API</h2>
     <PluginForm
       :config="konnectConfig"
+      enable-vault-secret-picker
       :plugin-id="id"
       :plugin-type="plugin"
       use-custom-names-for-plugin
@@ -12,6 +13,7 @@
     <h2>Kong Manager API</h2>
     <PluginForm
       :config="kongManagerConfig"
+      enable-vault-secret-picker
       :plugin-id="id"
       :plugin-type="plugin"
       @update="onUpdate"
@@ -48,7 +50,7 @@ const konnectConfig = ref<KonnectPluginFormConfig>({
   // force the scope
   // entityType: 'services',
   // entityId: '6f1ef200-d3d4-4979-9376-726f2216d90c',
-  cancelRoute: { name: 'home' },
+  cancelRoute: { name: 'list-plugin' },
 })
 
 const kongManagerConfig = ref<KongManagerPluginFormConfig>({
@@ -58,13 +60,13 @@ const kongManagerConfig = ref<KongManagerPluginFormConfig>({
   // force the scope
   // entityType: 'consumers',
   // entityId: '123-abc-i-lover-cats',
-  cancelRoute: { name: 'home' },
+  cancelRoute: { name: 'list-plugin' },
 })
 
 const onUpdate = (payload: Record<string, any>) => {
   console.log('update', payload)
 
-  router.push({ name: 'home' })
+  router.push({ name: 'list-plugin' })
 }
 </script>
 
diff --git a/packages/entities/entities-plugins/sandbox/pages/VaultSecretPickerPage.vue b/packages/entities/entities-plugins/sandbox/pages/VaultSecretPickerPage.vue
new file mode 100644
index 0000000000..97359917b0
--- /dev/null
+++ b/packages/entities/entities-plugins/sandbox/pages/VaultSecretPickerPage.vue
@@ -0,0 +1,114 @@
+<template>
+  <div>
+    <h2>
+      VaultSecretPicker
+    </h2>
+
+    <div>
+      <h3>Konnect API</h3>
+
+      <KInput
+        v-model.trim="konnectSecretRef"
+        autocomplete="off"
+        label="Token"
+        placeholder="Raw token or secret reference"
+        type="text"
+      />
+
+      <div class="look-up-key">
+        Look up
+        <span
+          class="look-up-key-action"
+          @click="() => konnectSecretPickerSetup = konnectSecretRef"
+        >
+          Key on Vault
+        </span>
+      </div>
+
+      <VaultSecretPicker
+        :config="konnectConfig"
+        :setup="konnectSecretPickerSetup"
+        @cancel="() => konnectSecretPickerSetup = false"
+        @proceed="useKonnectSecretRef"
+      />
+    </div>
+
+    <div>
+      <h3>Kong Manager API</h3>
+
+      <KInput
+        v-model.trim="kongManagerSecretRef"
+        autocomplete="off"
+        label="Token"
+        placeholder="Raw token or secret reference"
+        type="text"
+      />
+
+      <div class="look-up-key">
+        Look up
+        <span
+          class="look-up-key-action"
+          @click="() => kongManagerSecretPickerSetup = kongManagerSecretRef"
+        >
+          Key on Vault
+        </span>
+      </div>
+
+      <VaultSecretPicker
+        :config="kongManagerConfig"
+        :setup="kongManagerSecretPickerSetup"
+        @cancel="() => kongManagerSecretPickerSetup = false"
+        @proceed="useKongManagerSecretRef"
+      />
+    </div>
+  </div>
+</template>
+
+
+<script setup lang="ts">
+import type { KongManagerConfig, KonnectConfig } from '@kong-ui-public/entities-shared'
+import { ref } from 'vue'
+import VaultSecretPicker from '../../src/components/VaultSecretPicker.vue'
+
+const controlPlaneId = import.meta.env.VITE_KONNECT_CONTROL_PLANE_ID || ''
+
+const konnectConfig = ref<KonnectConfig>({
+  app: 'konnect',
+  apiBaseUrl: '/us/kong-api',
+  controlPlaneId,
+})
+
+const kongManagerConfig = ref<KongManagerConfig>({
+  app: 'kongManager',
+  workspace: 'default',
+  apiBaseUrl: '/kong-manager',
+})
+
+const konnectSecretPickerSetup = ref<string | false>(false)
+const kongManagerSecretPickerSetup = ref<string | false>(false)
+
+const konnectSecretRef = ref('{vault://kv-1/password/aaa}')
+const kongManagerSecretRef = ref('{vault://env-1/password/aaa}')
+
+const useKonnectSecretRef = (secretRef: string) => {
+  konnectSecretRef.value = secretRef
+  konnectSecretPickerSetup.value = false
+}
+
+const useKongManagerSecretRef = (secretRef: string) => {
+  kongManagerSecretRef.value = secretRef
+  kongManagerSecretPickerSetup.value = false
+}
+</script>
+
+<style lang="scss" scoped>
+.look-up-key {
+  font-size: $kui-font-size-20;
+  margin: $kui-space-40 0;
+
+  &-action {
+    color: $kui-color-text-primary;
+    cursor: pointer;
+  }
+}
+</style>
diff --git a/packages/entities/entities-plugins/src/components/PluginEntityForm.vue b/packages/entities/entities-plugins/src/components/PluginEntityForm.vue
index b69444454e..6af9947c54 100644
--- a/packages/entities/entities-plugins/src/components/PluginEntityForm.vue
+++ b/packages/entities/entities-plugins/src/components/PluginEntityForm.vue
@@ -17,7 +17,18 @@
         :form-schema="formSchema"
         :is-editing="editing"
         :on-model-updated="onModelUpdated"
-      />
+      >
+        <template
+          v-if="enableVaultSecretPicker"
+          #[AUTOFILL_SLOT_NAME]="slotProps: AutofillSlotProps"
+        >
+          <VaultSecretPickerProvider
+            v-if="slotProps.schema.referenceable"
+            v-bind="slotProps"
+            @open="(value, update) => setUpVaultSecretPicker(value, update)"
+          />
+        </template>
+      </component>
 
       <VueFormGenerator
         v-if="!sharedFormName && (formModel.id && editing || !editing)"
@@ -39,18 +50,38 @@
         >
           <PluginFieldRuleAlerts :rules="PLUGIN_METADATA[formModel.name].fieldRules!" />
         </template>
+
+        <template
+          v-if="enableVaultSecretPicker"
+          #[AUTOFILL_SLOT_NAME]="slotProps: AutofillSlotProps"
+        >
+          <VaultSecretPickerProvider
+            v-if="slotProps.schema.referenceable"
+            v-bind="slotProps"
+            @open="(value, update) => setUpVaultSecretPicker(value, update)"
+          />
+        </template>
       </VueFormGenerator>
     </div>
   </div>
+
+  <VaultSecretPicker
+    :config="props.config"
+    :setup="vaultSecretPickerSetup"
+    @cancel="() => vaultSecretPickerSetup = false"
+    @proceed="handleVaultSecretPickerAutofill"
+  />
 </template>
 
 <script lang="ts">
 import { useAxios, useHelpers } from '@kong-ui-public/entities-shared'
 import {
+  AUTOFILL_SLOT_NAME,
   FORMS_API_KEY,
   customFields,
   getSharedFormName,
   sharedForms,
+  type AutofillSlotProps,
 } from '@kong-ui-public/forms'
 import '@kong-ui-public/forms/dist/style.css'
 import type { AxiosRequestConfig, AxiosResponse } from 'axios'
@@ -65,6 +96,8 @@ import {
   type PluginEntityInfo,
 } from '../types'
 import PluginFieldRuleAlerts from './PluginFieldRuleAlerts.vue'
+import VaultSecretPicker from './VaultSecretPicker.vue'
+import VaultSecretPickerProvider from './VaultSecretPickerProvider.vue'
 
 // Must explicitly specify these as components since they are rendered dynamically
 export default defineComponent({
@@ -131,6 +164,13 @@ const props = defineProps({
     type: Boolean,
     default: false,
   },
+  /**
+   * Control if the vault secret picker is enabled for applicable fields. (referenceable = true)
+   */
+  enableVaultSecretPicker: {
+    type: Boolean,
+    default: false,
+  },
 })
 
 const { axiosInstance } = useAxios(props.config?.axiosRequestConfig)
@@ -236,6 +276,17 @@ const originalModel = reactive<Record<string, any>>({})
 const formModel = reactive<Record<string, any>>({})
 const formOptions = computed(() => form.value?.options)
 
+const vaultSecretPickerSetup = ref<string | false>(false)
+const vaultSecretPickerAutofillAction = ref<(secretRef: string) => void | undefined>()
+const setUpVaultSecretPicker = (setupValue: string, autofillAction: (secretRef: string) => void) => {
+  vaultSecretPickerSetup.value = setupValue ?? ''
+  vaultSecretPickerAutofillAction.value = autofillAction
+}
+const handleVaultSecretPickerAutofill = (secretRef: string) => {
+  vaultSecretPickerAutofillAction.value?.(secretRef)
+  vaultSecretPickerSetup.value = false
+}
+
 // This function transforms the form data into the correct structure to be submitted to the API
 const getModel = (): Record<string, any> => {
   const schema = { ...props.schema }
@@ -651,7 +702,8 @@ onBeforeMount(() => {
     transition: opacity 0.5s;
   }
 
-  .fade-enter-from, .fade-leave-to {
+  .fade-enter-from,
+  .fade-leave-to {
     opacity: 0;
   }
 
@@ -665,7 +717,7 @@ onBeforeMount(() => {
   }
 
   :deep(.vue-form-generator) {
-    > fieldset {
+    >fieldset {
       .form-group:last-child {
         margin-bottom: 0;
       }
@@ -685,7 +737,7 @@ onBeforeMount(() => {
     .field-switch {
       #enabled {
         &:not(:checked) {
-          & + .label {
+          &+.label {
             background-color: $kui-color-background-neutral-weak;
           }
         }
diff --git a/packages/entities/entities-plugins/src/components/PluginForm.vue b/packages/entities/entities-plugins/src/components/PluginForm.vue
index eb6a19084c..a47bd5d504 100644
--- a/packages/entities/entities-plugins/src/components/PluginForm.vue
+++ b/packages/entities/entities-plugins/src/components/PluginForm.vue
@@ -44,6 +44,7 @@
         :config="config"
         :credential="treatAsCredential"
         :editing="formType === EntityBaseFormType.Edit"
+        :enable-vault-secret-picker="props.enableVaultSecretPicker"
         :entity-map="entityMap"
         :record="record || undefined"
         :schema="schema || {}"
@@ -94,6 +95,7 @@
         </Teleport>
       </template>
     </EntityBaseForm>
+
     <KSlideout
       :close-on-blur="false"
       data-testid="form-view-configuration-slideout"
@@ -258,6 +260,14 @@ const props = defineProps({
     type: Boolean,
     default: false,
   },
+
+  /**
+   * Control if the vault secret picker is enabled for applicable fields. (referenceable = true)
+   */
+  enableVaultSecretPicker: {
+    type: Boolean,
+    default: false,
+  },
 })
 
 const router = useRouter()
@@ -482,7 +492,7 @@ const resourceEndpoint = computed((): string => {
 })
 
 const getArrayType = (list: unknown[]): string => {
-  const uniqueTypes = [...(new Set(list.map(item => typeof item)))]
+  const uniqueTypes = Array.from(new Set(list.map(item => typeof item)))
 
   return uniqueTypes.length > 1 ? 'string' : uniqueTypes[0]
 }
@@ -545,6 +555,8 @@ const buildFormSchema = (parentKey: string, response: Record<string, any>, initi
     initialFormSchema[field] = { id: field, model: key } // each field's key will be set as the id
     initialFormSchema[field].type = scheme.type === 'boolean' ? 'checkbox' : 'input'
     initialFormSchema[field].required = scheme.required
+    initialFormSchema[field].values = scheme.values
+    initialFormSchema[field].referenceable = scheme.referenceable
 
     if (field.startsWith('config-')) {
       if (!arrayNested && scheme.type === 'array') {
@@ -666,10 +678,14 @@ const buildFormSchema = (parentKey: string, response: Record<string, any>, initi
 
     if (scheme.elements && scheme.type === 'array') {
       const elements = scheme.elements
+
+      // pass the referenceable flag from elements to the parent
+      initialFormSchema[field].referenceable = elements.referenceable
+
       if (elements.type === 'string' && !elements.one_of) {
-        const { id, help, label, hint } = initialFormSchema[field]
+        const { id, help, label, hint, values, referenceable } = initialFormSchema[field]
         const { help: helpOverride, ...overrides } = JSON.parse(JSON.stringify(ArrayStringFieldSchema))
-        initialFormSchema[field] = { id, help, label, hint, ...overrides }
+        initialFormSchema[field] = { id, help, label, hint, values, referenceable, ...overrides }
         // Only replace the help text when it is not defined because ArrayStringFieldSchema is more generic
         if (initialFormSchema[field].help === undefined && typeof helpOverride === 'string') {
           initialFormSchema[field].help = marked.parse(helpOverride, { mangle: false, headerIds: false } as MarkedOptions)
@@ -687,9 +703,9 @@ const buildFormSchema = (parentKey: string, response: Record<string, any>, initi
         // Check if current plugin matches any of custom schema keys
         if (plugin === field) {
           // Use custom defined schema instead of building from default && set field label
-          const { help, label, hint } = initialFormSchema[field]
+          const { help, label, hint, values, referenceable } = initialFormSchema[field]
           const { help: helpOverride, ...overrides } = pluginSchema[plugin as keyof typeof pluginSchema] as Record<string, any>
-          initialFormSchema[field] = { help, label, hint, ...overrides }
+          initialFormSchema[field] = { help, label, hint, values, referenceable, ...overrides }
           // Eagerly replace the help text because we are overriding
           if (typeof helpOverride === 'string') {
             initialFormSchema[field].help = marked.parse(helpOverride, { mangle: false, headerIds: false } as MarkedOptions)
diff --git a/packages/entities/entities-plugins/src/components/VaultSecretPicker.cy.ts b/packages/entities/entities-plugins/src/components/VaultSecretPicker.cy.ts
new file mode 100644
index 0000000000..4c20adf94a
--- /dev/null
+++ b/packages/entities/entities-plugins/src/components/VaultSecretPicker.cy.ts
@@ -0,0 +1,429 @@
+// Cypress component test spec file
+import type { KongManagerConfig, KonnectConfig } from '@kong-ui-public/entities-shared'
+import {
+  kongManagerVaultsResponse,
+  konnectVaultId,
+  secretsResponse,
+  vaultsResponse,
+} from '../../fixtures/mockData'
+import VaultSecretPicker from './VaultSecretPicker.vue'
+
+const baseConfigKonnect: KonnectConfig = {
+  app: 'konnect',
+  apiBaseUrl: '/us/kong-api',
+  controlPlaneId: '00000000-0000-0000-0000-000000000000',
+}
+
+const baseConfigKM: KongManagerConfig = {
+  app: 'kongManager',
+  workspace: 'default',
+  apiBaseUrl: '/kong-manager',
+}
+
+describe('<VaultSecretPicker />', () => {
+  describe('Kong Manager', () => {
+    const interceptKM = (params?: {
+      mockData?: object
+      alias?: string
+    }) => {
+      cy.intercept(
+        {
+          method: 'GET',
+          url: `${baseConfigKM.apiBaseUrl}/${baseConfigKM.workspace}/vaults*`,
+        },
+        cy.spy((req) => {
+          req.reply({
+            statusCode: 200,
+            body: params?.mockData ?? kongManagerVaultsResponse,
+          })
+        }).as(`${params?.alias ?? 'getVaults'}.handler`), // used to count requests
+      ).as(params?.alias ?? 'getVaults')
+    }
+
+    it('should show nothing if `setup` prop is unset', () => {
+      interceptKM()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKM,
+        },
+      })
+
+      cy.get('.vault-secret-picker-modal').should('not.exist')
+      cy.get('@getVaults.handler').should('not.be.called')
+    })
+
+    it('should show the modal if `setup` prop is empty', () => {
+      interceptKM()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKM,
+          setup: '',
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal').find('.modal-container').should('be.visible')
+
+      // Cannot select/input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.disabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.disabled')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+    })
+
+    it('should list vaults but show input for secret IDs on selecting a non-Konnect vault', () => {
+      interceptKM()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKM,
+          setup: '',
+          onProceed: cy.stub().as('onProceed'),
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal')
+        .find('.modal-container').should('be.visible')
+
+      cy.getTestId('vault-secret-picker-vault-select').click()
+      cy.getTestId('vault-secret-picker-vault-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', kongManagerVaultsResponse.total)
+
+      // Cannot select/input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.disabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.disabled')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Should not have the Konnect vault
+      cy.getTestId('select-item-kv-1').should('not.exist')
+      // Select a non-Konnect vault (e.g. an env vault)
+      cy.getTestId('select-item-env-1').click()
+
+      // Can input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.enabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.enabled')
+
+      // But still cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Type in a secret ID
+      cy.getTestId('vault-secret-picker-secret-id-input').type('public_key')
+
+      // Can proceed
+      cy.getTestId('modal-action-button')
+        .should('be.enabled')
+        .click()
+
+      // Check emitted event
+      cy.get('@onProceed').should('be.calledWith', '{vault://env-1/public_key}')
+    })
+
+    it('should only allow to proceed when vault and secret is provided', () => {
+      interceptKM()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKM,
+          setup: '',
+          onProceed: cy.stub().as('onProceed'),
+        },
+      })
+
+      cy.getTestId('vault-secret-picker-modal')
+        .find('.modal-container').should('be.visible')
+
+      cy.getTestId('vault-secret-picker-vault-select').click()
+      cy.getTestId('vault-secret-picker-vault-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', kongManagerVaultsResponse.total)
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Select a vault
+      cy.getTestId('select-item-env-1').click()
+
+      // Can input secret key
+      cy.getTestId('vault-secret-picker-secret-key-input')
+        .should('be.enabled')
+        .type('refresh_token')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Provide a secret ID
+      cy.getTestId('vault-secret-picker-secret-id-input').type('tokens')
+
+      // Can proceed
+      cy.getTestId('modal-action-button')
+        .should('be.enabled')
+        .click()
+
+      // Check emitted event
+      cy.get('@onProceed').should('be.calledWith', '{vault://env-1/tokens/refresh_token}')
+    })
+  })
+
+  describe('Konnect', () => {
+    const interceptKonnect = (params?: {
+      mockData?: object
+      alias?: string
+    }) => {
+      cy.intercept(
+        {
+          method: 'GET',
+          url: `${baseConfigKonnect.apiBaseUrl}/v2/control-planes/${baseConfigKonnect.controlPlaneId}/core-entities/vaults*`,
+        },
+        cy.spy((req) => {
+          req.reply({
+            statusCode: 200,
+            body: params?.mockData ?? vaultsResponse,
+          })
+        }).as(`${params?.alias ?? 'getVaults'}.handler`), // used to count requests
+      ).as(params?.alias ?? 'getVaults')
+
+      cy.intercept(
+        {
+          method: 'GET',
+          url: `${baseConfigKonnect.apiBaseUrl}/v2/control-planes/${baseConfigKonnect.controlPlaneId}/core-entities/vaults/*/secrets*`,
+        },
+        cy.spy((req) => {
+          if (!req.url.includes(`/vaults/${konnectVaultId}/secrets`)) {
+            req.reply({
+              statusCode: 400,
+              body: { message: 'Not a Konnect vault!' },
+            })
+            return
+          }
+
+          req.reply({
+            statusCode: 200,
+            body: params?.mockData ?? secretsResponse,
+          })
+        }).as(`${params?.alias ?? 'getSecrets'}.handler`), // used to count requests
+      ).as(params?.alias ?? 'getSecrets')
+    }
+
+    it('should show nothing if `setup` prop is unset', () => {
+      interceptKonnect()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKonnect,
+        },
+      })
+
+      cy.get('.vault-secret-picker-modal').should('not.exist')
+      cy.get('@getVaults.handler').should('not.be.called')
+    })
+
+    it('should show the modal if `setup` prop is empty', () => {
+      interceptKonnect()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKonnect,
+          setup: '',
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal').find('.modal-container').should('be.visible')
+
+      // Cannot select/input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.disabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.disabled')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+    })
+
+    it('should list vaults and list secrets on selecting a Konnect vault', () => {
+      interceptKonnect()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKonnect,
+          setup: '',
+          onProceed: cy.stub().as('onProceed'),
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal')
+        .find('.modal-container').should('be.visible')
+
+      cy.getTestId('vault-secret-picker-vault-select').click()
+      cy.getTestId('vault-secret-picker-vault-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', vaultsResponse.total)
+
+      // Cannot select/input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.disabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.disabled')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Select Konnect vault
+      cy.getTestId('select-item-kv-1').click()
+
+      // Should fetch secrets
+      cy.wait('@getSecrets')
+
+      // Can select secret ID and input key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('be.enabled')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.enabled')
+
+      // But still cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      cy.getTestId('vault-secret-picker-secret-id-select').click()
+      cy.getTestId('vault-secret-picker-secret-id-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', secretsResponse.total)
+
+      // Select a secret
+      cy.getTestId('select-item-password').click()
+
+      // Can proceed
+      cy.getTestId('modal-action-button')
+        .should('be.enabled')
+        .click()
+
+      // Check emitted event
+      cy.get('@onProceed').should('be.calledWith', '{vault://kv-1/password}')
+    })
+
+    it('should list vaults but show input for secret IDs on selecting a non-Konnect vault', () => {
+      interceptKonnect()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKonnect,
+          setup: '',
+          onProceed: cy.stub().as('onProceed'),
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal')
+        .find('.modal-container').should('be.visible')
+
+      cy.getTestId('vault-secret-picker-vault-select').click()
+      cy.getTestId('vault-secret-picker-vault-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', vaultsResponse.total)
+
+      // Cannot select/input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.disabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.disabled')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Select a non-Konnect vault (e.g. an env vault)
+      cy.getTestId('select-item-env-1').click()
+
+      // Should NOT fetch secrets
+      cy.get('@getSecrets.handler').should('not.be.called')
+
+      // Can input secret ID and key
+      cy.getTestId('vault-secret-picker-secret-id-select').should('not.exist')
+      cy.getTestId('vault-secret-picker-secret-id-input').should('be.enabled')
+      cy.getTestId('vault-secret-picker-secret-key-input').should('be.enabled')
+
+      // But still cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Type in a secret ID
+      cy.getTestId('vault-secret-picker-secret-id-input').type('public_key')
+
+      // Can proceed
+      cy.getTestId('modal-action-button')
+        .should('be.enabled')
+        .click()
+
+      // Check emitted event
+      cy.get('@onProceed').should('be.calledWith', '{vault://env-1/public_key}')
+    })
+
+    it('should only allow to proceed when vault and secret is provided', () => {
+      interceptKonnect()
+
+      cy.mount(VaultSecretPicker, {
+        props: {
+          config: baseConfigKonnect,
+          setup: '',
+          onProceed: cy.stub().as('onProceed'),
+        },
+      })
+
+      cy.wait('@getVaults')
+      cy.getTestId('vault-secret-picker-modal')
+        .find('.modal-container').should('be.visible')
+
+      cy.getTestId('vault-secret-picker-vault-select').click()
+      cy.getTestId('vault-secret-picker-vault-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', vaultsResponse.total)
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Select Konnect vault
+      cy.getTestId('select-item-kv-1').click()
+
+      // Should fetch secrets
+      cy.wait('@getSecrets')
+
+      // Can input secret key
+      cy.getTestId('vault-secret-picker-secret-key-input')
+        .should('be.enabled')
+        .type('refresh_token')
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      cy.getTestId('vault-secret-picker-secret-id-select').click()
+      cy.getTestId('vault-secret-picker-secret-id-popover')
+        .should('be.visible')
+        .find('.select-items-container .select-item')
+        .should('have.length', secretsResponse.total)
+
+      // Cannot proceed
+      cy.getTestId('modal-action-button').should('be.disabled')
+
+      // Select a secret
+      cy.getTestId('select-item-tokens').click()
+
+      // Can proceed
+      cy.getTestId('modal-action-button')
+        .should('be.enabled')
+        .click()
+
+      // Check emitted event
+      cy.get('@onProceed').should('be.calledWith', '{vault://kv-1/tokens/refresh_token}')
+    })
+  })
+})
diff --git a/packages/entities/entities-plugins/src/components/VaultSecretPicker.vue b/packages/entities/entities-plugins/src/components/VaultSecretPicker.vue
new file mode 100644
index 0000000000..435e2de668
--- /dev/null
+++ b/packages/entities/entities-plugins/src/components/VaultSecretPicker.vue
@@ -0,0 +1,424 @@
+<template>
+  <KModal
+    :action-button-disabled="!canProceed"
+    :action-button-text="t('vault_secret_picker.actions.use_key')"
+    class="vault-secret-picker"
+    data-testid="vault-secret-picker-modal"
+    :title="t('vault_secret_picker.title')"
+    :visible="props.setup !== false"
+    @cancel="() => emit('cancel')"
+    @proceed="handleProceed"
+  >
+    <KEmptyState
+      v-if="vaultsFetchError || secretsFetchError"
+      data-testid="vault-secret-picker-fetch-error"
+      icon-variant="error"
+      :message="errorMessage"
+    />
+
+    <div
+      v-else
+      class="inputs-wrapper"
+    >
+      <KSelect
+        v-model="selectedVaultPrefix"
+        clearable
+        data-testid="vault-secret-picker-vault-select"
+        :disabled="setupLoading"
+        enable-filtering
+        :filter-function="() => true"
+        :items="availableVaults"
+        :kpop-attributes="{ 'data-testid': 'vault-secret-picker-vault-popover' }"
+        :label="t('vault_secret_picker.vault.label')"
+        :loading="loadingVaults"
+        :placeholder="t('vault_secret_picker.vault.placeholder')"
+        required
+        reuse-item-template
+        width="100%"
+        @query-change="debouncedVaultsQuery"
+      >
+        <template #loading>
+          <div>{{ t('actions.loading') }}</div>
+        </template>
+        <template #empty>
+          <div data-testid="no-search-results">
+            {{ t('vault_secret_picker.no_results') }}
+          </div>
+        </template>
+        <template #selected-item-template="{ item }">
+          <span class="k-select-selected-item-label">
+            {{ formatSelectedVault(item as SelectVaultItem) }}
+          </span>
+        </template>
+        <template #item-template="{ item }">
+          <div class="vault-secret-picker-vault-dropdown-item">
+            <span class="select-item-label">{{ item.label }}</span>
+            <span class="select-item-description">{{ item.vault.name }}</span>
+            <span class="select-item-description">{{ item.vault.id }}</span>
+          </div>
+        </template>
+      </KSelect>
+
+      <KSelect
+        v-if="isKonnectVaultSelected"
+        v-model="secretId"
+        clearable
+        data-testid="vault-secret-picker-secret-id-select"
+        :disabled="setupLoading || !selectedVault"
+        enable-filtering
+        :filter-function="() => true"
+        :items="availableSecrets"
+        :kpop-attributes="{ 'data-testid': 'vault-secret-picker-secret-id-popover' }"
+        :label="t('vault_secret_picker.secret_id.label')"
+        :loading="loadingSecrets"
+        :placeholder="t('vault_secret_picker.secret_id.select_placeholder')"
+        required
+        reuse-item-template
+        width="100%"
+        @query-change="debouncedSecretsQuery"
+      >
+        <template #loading>
+          <div>{{ t('actions.loading') }}</div>
+        </template>
+        <template #empty>
+          <div data-testid="no-search-results">
+            {{ t('vault_secret_picker.no_results') }}
+          </div>
+        </template>
+      </KSelect>
+
+      <KInput
+        v-else
+        v-model.trim="secretId"
+        autocomplete="off"
+        data-testid="vault-secret-picker-secret-id-input"
+        :disabled="setupLoading || !selectedVault"
+        :label="t('vault_secret_picker.secret_id.label')"
+        :placeholder="t('vault_secret_picker.secret_id.input_placeholder')"
+        required
+        type="text"
+      />
+
+      <KInput
+        v-model.trim="optionalSecretKey"
+        autocomplete="off"
+        data-testid="vault-secret-picker-secret-key-input"
+        :disabled="setupLoading || !selectedVault"
+        :help="t('vault_secret_picker.optional_secret_key.help')"
+        :label="t('vault_secret_picker.optional_secret_key.label')"
+        :placeholder="t('vault_secret_picker.optional_secret_key.placeholder')"
+        type="text"
+      />
+    </div>
+  </KModal>
+</template>
+
+<script lang="ts">
+import { useAxios, useDebouncedFilter } from '@kong-ui-public/entities-shared'
+import type { SecretEntityRow as SecretEntity, EntityRow as VaultEntity } from '@kong-ui-public/entities-vaults'
+import { secretsEndpoints, vaultsEndpoints } from '@kong-ui-public/entities-vaults'
+import type { SelectItem } from '@kong/kongponents'
+import { computed, nextTick, ref, watch, type PropType } from 'vue'
+import composables from '../composables'
+import type { KongManagerPluginFormConfig, KonnectPluginFormConfig } from '../types'
+import { buildSecretRef, parseSecretRef } from '../vaults-utils'
+
+export interface SelectVaultItem extends SelectItem {
+  vault: VaultEntity
+}
+</script>
+
+<script setup lang="ts">
+const { i18n: { t } } = composables.useI18n()
+
+const props = defineProps({
+  config: {
+    type: Object as PropType<KonnectPluginFormConfig | KongManagerPluginFormConfig>,
+    required: true,
+    validator: (config: KonnectPluginFormConfig | KongManagerPluginFormConfig): boolean => {
+      if (!config || !['konnect', 'kongManager'].includes(config?.app)) return false
+      if (config.app === 'konnect' && !config.controlPlaneId) return false
+      if (config.app === 'kongManager' && typeof config.workspace !== 'string') return false
+      return true
+    },
+  },
+  setup: {
+    type: null as unknown as PropType<string | false>,
+    required: false,
+    default: false,
+  },
+})
+
+const emit = defineEmits<{
+  proceed: [secretRef: string]
+  cancel: []
+}>()
+
+const { axiosInstance } = useAxios({
+  // 404 errors are allowed in this components
+  validateStatus: (status: number) => status === 404 || (status >= 200 && status < 300),
+  // Spread the passed-in config later to allow overriding
+  ...props.config?.axiosRequestConfig,
+})
+
+const setupLoading = ref(false)
+const selectedVaultPrefix = ref('')
+const secretId = ref('')
+const optionalSecretKey = ref('')
+
+const selectedVault = ref<VaultEntity | undefined>()
+
+// Endpoint to list secrets for a Konnect Vault
+// We don't care about other typed vaults
+const secretsEndpoint = computed(() => {
+  if (props.config.app === 'konnect') {
+    return secretsEndpoints.list[props.config.app].replace(/{id}/gi, selectedVault.value?.id ?? '')
+  }
+
+  return '<not_applicable>'
+})
+
+const errorMessage = computed(() => {
+  if (vaultsFetchError && secretsFetchError) {
+    return t('vault_secret_picker.fetch_error.vaults_and_secrets')
+  }
+
+  if (vaultsFetchError) {
+    return t('vault_secret_picker.fetch_error.vaults')
+  }
+
+  if (secretsFetchError) {
+    return t('vault_secret_picker.fetch_error.secrets')
+  }
+
+  return undefined
+})
+
+// Vault fetching
+const {
+  debouncedQueryChange: debouncedVaultsQuery,
+  loading: loadingVaults,
+  error: vaultsFetchError,
+  loadItems: loadVaults,
+  results: vaultsResults,
+} = useDebouncedFilter(props.config, vaultsEndpoints.list[props.config.app], undefined, {
+  fetchedItemsKey: 'data',
+  searchKeys: ['prefix'],
+})
+
+// Secret fetching
+const {
+  debouncedQueryChange: debouncedSecretsQuery,
+  loading: loadingSecrets,
+  error: secretsFetchError,
+  loadItems: loadSecrets,
+  results: secretsResults,
+} = useDebouncedFilter(props.config, secretsEndpoint, undefined, {
+  fetchedItemsKey: 'data',
+  searchKeys: ['key'],
+  exactMatchKey: 'key',
+})
+
+const availableVaults = computed<SelectVaultItem[]>(() => {
+  let hasSelectedVault = false
+
+  const items = vaultsResults.value?.map((v) => {
+    if (v.prefix === selectedVaultPrefix.value) {
+      hasSelectedVault = true
+    }
+
+    return { label: v.prefix, value: v.prefix, vault: v as VaultEntity }
+  }) ?? []
+
+
+  if (!hasSelectedVault && selectedVault.value) {
+    items.push({
+      label: selectedVault.value.prefix,
+      value: selectedVault.value.prefix,
+      vault: selectedVault.value,
+    })
+  }
+
+  return items
+})
+
+const availableSecrets = computed<SelectItem[]>(() => {
+  let hasSecret = false
+
+  const items = secretsResults.value?.map((s) => {
+    if (s.key === secretId.value) {
+      hasSecret = true
+    }
+
+    return { label: s.key, value: s.key }
+  }) ?? []
+
+  if (!hasSecret && secretId.value) {
+    items.push({ label: secretId.value, value: secretId.value })
+  }
+
+  return items
+})
+
+const isKonnectVaultSelected = computed(() => selectedVault?.value?.name === 'konnect')
+
+const canProceed = computed(() => Boolean(selectedVault.value) && Boolean(secretId.value))
+
+const formatSelectedVault = (item: SelectVaultItem) => {
+  return item.label ? `${item.label} - (${item.vault.name} - ${item.vault.id})` : item.value
+}
+
+const buildVaultFetchUrl = (vaultPrefix: string) => {
+  let url = `${props.config.apiBaseUrl}${vaultsEndpoints.form[props.config.app].edit}`
+
+  if (props.config.app === 'konnect') {
+    url = url.replace(/{controlPlaneId}/gi, props.config?.controlPlaneId || '')
+  } else if (props.config.app === 'kongManager') {
+    url = url.replace(/\/{workspace}/gi, props.config?.workspace ? `/${props.config.workspace}` : '')
+  }
+
+  // Replacing {id} with the prefix because /vaults/:prefix is allowed
+  return url.replace(/{id}/gi, vaultPrefix)
+}
+
+const buildSecretFetchUrl = (secretId: string, vaultId: string) => {
+  if (props.config.app !== 'konnect') {
+    // We should never use this URL
+    return '<not_applicable>'
+  }
+
+  return `${props.config.apiBaseUrl}${secretsEndpoints.form[props.config.app].edit}`
+    .replace(/{controlPlaneId}/gi, props.config?.controlPlaneId || '')
+    .replace(/{id}/gi, vaultId)
+    .replace(/{secretId}/gi, secretId)
+}
+
+const handleProceed = () => {
+  emit('proceed', buildSecretRef({
+    vaultPrefix: selectedVaultPrefix.value,
+    secretId: secretId.value || undefined, // Either a non-empty string or undefined
+    optionalSecretKey: optionalSecretKey.value || undefined, // Either a non-empty string or undefined
+  }))
+}
+
+watch(() => props.setup, async (secretRef) => {
+  if (secretRef === false) {
+    return
+  }
+
+  setupLoading.value = true
+
+  selectedVaultPrefix.value = ''
+  selectedVault.value = undefined
+  secretId.value = ''
+  optionalSecretKey.value = ''
+
+  if (typeof secretRef === 'string' && secretRef.trim().length > 0) {
+    try {
+      let verifiedVault: VaultEntity | undefined
+      let verifiedVaultPrefix = ''
+      let verifiedSecretId = ''
+      let verifiedOptionalSecretKey = ''
+
+      const parsed = parseSecretRef(secretRef)
+      const { data: vault } = await axiosInstance.get<VaultEntity | undefined>(buildVaultFetchUrl(parsed.vaultPrefix))
+
+      // Ensure the vault exists
+      if (vault?.name) {
+        verifiedVault = vault
+        verifiedVaultPrefix = parsed.vaultPrefix
+
+        if (verifiedVault.name === 'konnect') {
+          if (parsed.secretId) {
+            // Check if the secret exists in the Konnect vault
+            const { data: secret } = await axiosInstance.get<SecretEntity>(buildSecretFetchUrl(parsed.secretId, vault.id))
+
+            // Ensure the secret exists
+            // Secret key is secret ID in the secret reference
+            if (secret.key === parsed.secretId) {
+
+              verifiedSecretId = parsed.secretId
+              verifiedOptionalSecretKey = parsed.optionalSecretKey ?? ''
+            }
+          }
+        } else {
+
+
+          // We assume the secret ID and key are correct because we have no way to validate them
+          verifiedSecretId = parsed.secretId ?? ''
+          verifiedOptionalSecretKey = parsed.optionalSecretKey ?? ''
+        }
+      }
+
+      await nextTick(() => {
+        selectedVaultPrefix.value = verifiedVaultPrefix
+        selectedVault.value = verifiedVault
+        secretId.value = verifiedSecretId
+        optionalSecretKey.value = verifiedOptionalSecretKey
+      })
+    } catch (e) {
+      // Invalid secret reference
+      console.debug(e)
+    }
+  }
+
+  setupLoading.value = false
+
+  await loadVaults()
+}, { immediate: true })
+
+watch(selectedVaultPrefix, async (newValue, oldValue) => {
+  if (setupLoading.value || newValue === oldValue) {
+    return
+  }
+
+  selectedVault.value = availableVaults.value.find((vault) => vault.value === newValue)?.vault
+  // Clear the secret ID and optional secret key as the selected vault has updated
+  secretId.value = ''
+  optionalSecretKey.value = ''
+})
+
+// Reactivity chain: selectedVault -> secretsEndpoint
+watch(secretsEndpoint, async () => {
+  // Do not load secrets if the vault is not a Konnect vault
+  if (isKonnectVaultSelected.value) {
+    await loadSecrets()
+  }
+}, { immediate: true })
+</script>
+
+<style lang="scss" scoped>
+.vault-secret-picker {
+  .inputs-wrapper {
+    display: flex;
+    flex-direction: column;
+    gap: $kui-space-70;
+  }
+
+  &-vault-dropdown-item,
+  &-secret-dropdown-item {
+    display: flex;
+    flex-direction: column;
+
+    span {
+      line-height: $kui-line-height-30;
+    }
+
+    .select-item-label {
+      font-weight: $kui-font-weight-semibold;
+    }
+  }
+
+  &-vault-dropdown-item {
+    .select-item-description {
+      color: $kui-color-text-neutral;
+      font-size: $kui-font-size-20;
+    }
+  }
+
+  .k-empty-state {
+    background: none;
+    box-sizing: border-box;
+  }
+}
+</style>
diff --git a/packages/entities/entities-plugins/src/components/VaultSecretPickerProvider.vue b/packages/entities/entities-plugins/src/components/VaultSecretPickerProvider.vue
new file mode 100644
index 0000000000..7458bc34b0
--- /dev/null
+++ b/packages/entities/entities-plugins/src/components/VaultSecretPickerProvider.vue
@@ -0,0 +1,45 @@
+<template>
+  <div
+    v-if="props.schema.referenceable"
+    class="vault-secret-picker-provider"
+  >
+    <i18nT
+      keypath="vault_secret_picker.provider.complete_action"
+      scope="global"
+    >
+      <template #cta>
+        <span
+          class="vault-secret-picker-provider-action"
+          @click="() => emit('open', props.value, props.update)"
+        >
+          {{ t('vault_secret_picker.provider.cta') }}
+        </span>
+      </template>
+    </i18nT>
+  </div>
+</template>
+
+<script setup lang="tsx">
+import type { AutofillSlotProps } from '@kong-ui-public/forms'
+import composables from '../composables'
+
+const props = defineProps<AutofillSlotProps>()
+
+const emit = defineEmits<{
+  open: [AutofillSlotProps['value'], AutofillSlotProps['update']]
+}>()
+
+const { i18n: { t }, i18nT } = composables.useI18n()
+</script>
+
+<style lang="scss" scoped>
+.vault-secret-picker-provider {
+  font-size: $kui-font-size-20;
+  margin: $kui-space-40 0;
+
+  &-action {
+    color: $kui-color-text-primary;
+    cursor: pointer;
+  }
+}
+</style>
diff --git a/packages/entities/entities-plugins/src/locales/en.json b/packages/entities/entities-plugins/src/locales/en.json
index a9ca215236..1d1bf20147 100644
--- a/packages/entities/entities-plugins/src/locales/en.json
+++ b/packages/entities/entities-plugins/src/locales/en.json
@@ -14,7 +14,8 @@
     "view": "View Details",
     "configure_dynamic_ordering": "Configure Dynamic Ordering",
     "go_to_plugins": "Go to Plugins",
-    "save": "Save"
+    "save": "Save",
+    "loading": "Loading..."
   },
   "view_configuration": {
     "title": "Configuration",
@@ -579,5 +580,35 @@
   },
   "glossary": {
     "plugin": "plugin"
+  },
+  "vault_secret_picker": {
+    "title": "Look up Key on Vault",
+    "vault": {
+      "label": "Vault",
+      "placeholder": "Select a vault"
+    },
+    "secret_id": {
+      "label": "Secret ID",
+      "input_placeholder": "Enter a secret ID",
+      "select_placeholder": "Select or enter a complete secret ID"
+    },
+    "optional_secret_key": {
+      "label": "Secret Key",
+      "placeholder": "Enter the key or key path to access a nested secret value",
+      "help": "Optional. e.g. tokens, tokens/refresh_token"
+    },
+    "fetch_error": {
+      "vaults": "Could not fetch available vaults",
+      "secrets": "Could not fetch available secrets",
+      "vaults_and_secrets": "Could not fetch available vaults and secrets"
+    },
+    "no_results": "No results found",
+    "actions": {
+      "use_key": "Use Key"
+    },
+    "provider": {
+      "complete_action": "Look up {cta}",
+      "cta": "Key on Vault"
+    }
   }
 }
diff --git a/packages/entities/entities-plugins/src/vaults-utils.ts b/packages/entities/entities-plugins/src/vaults-utils.ts
new file mode 100644
index 0000000000..269a01e02c
--- /dev/null
+++ b/packages/entities/entities-plugins/src/vaults-utils.ts
@@ -0,0 +1,80 @@
+/**
+ * Example: {vault://my-vault/secret-id/tokens/refresh_token}
+ */
+export interface ParsedSecretRef {
+  /**
+   * Vault prefix (non-empty string)
+   *
+   * Example: my-vault
+   */
+  vaultPrefix: string
+
+  /**
+   * Secret ID (non-empty string or undefined)
+   *
+   * A secret reference without a secret ID is invalid, but we should allow
+   * references in this format being parsed and built.
+   *
+   * Example: secret-id
+   */
+  secretId?: string
+
+  /**
+   * Secret key (non-empty string or undefined)
+   *
+   * Example: tokens/refresh_token
+   */
+  optionalSecretKey?: string
+}
+
+/**
+ * Parses a secret reference like {vault://vault-name/secret-id[/secret-key]}
+ *
+ * THIS FUNC MAY THROW ERRORS. USE IN TRY/CATCH BLOCK
+ *
+ * @param secretRef the secret reference to parse
+ * @returns
+ */
+export const parseSecretRef = (secretRef: string): ParsedSecretRef => {
+  let r = secretRef.trim()
+  if (!r.startsWith('{') || !r.endsWith('}')) {
+    throw new Error('Invalid secret reference: must be enclosed in curly braces')
+  }
+
+  r = r.substring(1, r.length - 1).trim()
+  if (!r.startsWith('vault://')) {
+    throw new Error('Invalid secret reference: must start with vault://')
+  }
+
+  // Workaround to parse the reference as a URL
+  const parsed = new URL(`http://${r.substring(8)}`)
+  if (!parsed) {
+    throw new Error('Invalid secret reference: must have a vault prefix')
+  }
+
+  const parsedVaultPrefix = parsed.host // Everything before the first slash
+  const [, parsedSecretId, ...parsedOptionalSecretKey] = parsed.pathname.split('/')
+  if (!parsedVaultPrefix) {
+    throw new Error('Invalid secret reference: must have a vault prefix')
+  }
+
+  return {
+    vaultPrefix: parsedVaultPrefix,
+    secretId: parsedSecretId || undefined, // Non-empty string or undefined
+    optionalSecretKey: parsedOptionalSecretKey?.join('/'), // Non-empty string or undefined
+  }
+}
+
+export const buildSecretRef = (parsedSecretRef: ParsedSecretRef): string => {
+  if (!parsedSecretRef.vaultPrefix) {
+    throw new Error('Invalid secret reference: must have a vault prefix')
+  }
+  let ref = `vault://${parsedSecretRef.vaultPrefix}`
+  if (parsedSecretRef.secretId) {
+    ref = `${ref}/${parsedSecretRef.secretId}`
+  }
+  if (parsedSecretRef.optionalSecretKey) {
+    ref = `${ref}/${parsedSecretRef.optionalSecretKey}`
+  }
+  return `{${ref}}`
+}
diff --git a/packages/entities/entities-shared/src/composables/useDebouncedFilter.ts b/packages/entities/entities-shared/src/composables/useDebouncedFilter.ts
index 7c55cf1dff..9c24fb551e 100644
--- a/packages/entities/entities-shared/src/composables/useDebouncedFilter.ts
+++ b/packages/entities/entities-shared/src/composables/useDebouncedFilter.ts
@@ -1,4 +1,4 @@
-import { ref, unref } from 'vue'
+import { computed, ref, unref } from 'vue'
 import { useDebounce } from '@kong-ui-public/core'
 import type {
   KongManagerBaseTableConfig,
@@ -41,14 +41,17 @@ export default function useDebouncedFilter(
   const resultsCache = ref<Record<string, any>[]>([])
   const allRecords = ref<Record<string, any>[] | undefined>(undefined)
 
-  const _baseUrl = unref(baseUrl)
-  let url = `${config.apiBaseUrl}${_baseUrl}`
+  const url = computed(() => {
+    const url = `${config.apiBaseUrl}${unref(baseUrl)}`
 
-  if (config.app === 'konnect') {
-    url = url.replace(/{controlPlaneId}/gi, config?.controlPlaneId || '')
-  } else if (config.app === 'kongManager') {
-    url = url.replace(/\/{workspace}/gi, config?.workspace ? `/${config.workspace}` : '')
-  }
+    if (config.app === 'konnect') {
+      return url.replace(/{controlPlaneId}/gi, config?.controlPlaneId || '')
+    } else if (config.app === 'kongManager') {
+      return url.replace(/\/{workspace}/gi, config?.workspace ? `/${config.workspace}` : '')
+    }
+
+    return url
+  })
 
   const { isValidUuid } = useHelpers()
 
@@ -58,7 +61,7 @@ export default function useDebouncedFilter(
       // Trigger the loading state
       loading.value = true
 
-      const { data }: Record<string, any> = await axiosInstance.get(`${url}?size=${size}`)
+      const { data }: Record<string, any> = await axiosInstance.get(`${url.value}?size=${size}`)
 
       // determine if we've got all of the available records or not
       // to determine how we handle filtering
@@ -83,6 +86,10 @@ export default function useDebouncedFilter(
     // using this to skip unnecessary fetch fired on focus
     if (previousQuery.value === query) {
       return
+    } else if (query === '') {
+      // use cached results if query is empty
+      results.value = resultsCache.value
+      return
     } else {
       previousQuery.value = query || ''
     }
@@ -97,7 +104,7 @@ export default function useDebouncedFilter(
 
         if (config.app === 'konnect') { // KoKo only supports exact match
           // If user has typed info in the query field
-          let currUrl = url + '' // clone
+          let currUrl = url.value + '' // clone
           if (query) {
             currUrl += `/${query}`
           }
@@ -106,7 +113,7 @@ export default function useDebouncedFilter(
 
           if (keys.fetchedItemsKey in data) {
             results.value = data[keys.fetchedItemsKey]
-          } else if (data?.id) { // exact match
+          } else if (data?.[keys.exactMatchKey ?? 'id']) { // exact match
             results.value = [data]
           } else {
             results.value = []
@@ -117,7 +124,7 @@ export default function useDebouncedFilter(
           if (isValidUuid(query) && keys.searchKeys.includes('id')) {
             // If query is a valid UUID, do the exact search
             promises.push((async () => {
-              const { data } = await axiosInstance.get(`${url}/${query}`)
+              const { data } = await axiosInstance.get(`${url.value}/${query}`)
               return [data[keys.fetchedItemsKey] ?? data]
             })())
           } else {
@@ -126,7 +133,7 @@ export default function useDebouncedFilter(
               ...keys.searchKeys
                 .filter(key => key !== 'id')
                 .map(async key => {
-                  const { data } = await axiosInstance.get(`${url}?${key}=${query}`)
+                  const { data } = await axiosInstance.get(`${url.value}?${key}=${query}`)
                   return data[keys.fetchedItemsKey]
                 }),
             )
diff --git a/packages/entities/entities-shared/src/types/utils.ts b/packages/entities/entities-shared/src/types/utils.ts
index b04cab26ae..ce93de4d83 100644
--- a/packages/entities/entities-shared/src/types/utils.ts
+++ b/packages/entities/entities-shared/src/types/utils.ts
@@ -5,4 +5,11 @@ export type MaybeRef<T> = T | Ref<T>
 export interface FilterKeys {
   fetchedItemsKey: string
   searchKeys: string[]
+
+  /**
+   * The key to look for while doing exact match
+   *
+   * @default 'id'
+   */
+  exactMatchKey?: string
 }
diff --git a/packages/entities/entities-vaults/src/index.ts b/packages/entities/entities-vaults/src/index.ts
index 08246743f3..694db77140 100644
--- a/packages/entities/entities-vaults/src/index.ts
+++ b/packages/entities/entities-vaults/src/index.ts
@@ -4,6 +4,11 @@ import VaultConfigCard from './components/VaultConfigCard.vue'
 import SecretList from './components/SecretList.vue'
 import SecretForm from './components/SecretForm.vue'
 
+import vaultsEndpoints from './vaults-endpoints'
+import secretsEndpoints from './secrets-endpoints'
+
 export { VaultList, VaultForm, VaultConfigCard, SecretList, SecretForm }
 
+export { vaultsEndpoints, secretsEndpoints }
+
 export * from './types'
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dee0712ef1..7c3f2ea00a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -893,6 +893,9 @@ importers:
         specifier: ^12.0.2
         version: 12.0.2
     devDependencies:
+      '@kong-ui-public/entities-vaults':
+        specifier: workspace:^
+        version: link:../entities-vaults
       '@kong-ui-public/i18n':
         specifier: workspace:^
         version: link:../../core/i18n

From 368e1cd494d094bedc9491cb5d91c199e5104033 Mon Sep 17 00:00:00 2001
From: Makito <i@maki.to>
Date: Wed, 7 Aug 2024 11:57:23 +0800
Subject: [PATCH 2/4] fix(forms): suggestion: remove wrapper

---
 .../src/components/fields/FieldArrayItem.vue  | 27 +++++++++----------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/packages/core/forms/src/components/fields/FieldArrayItem.vue b/packages/core/forms/src/components/fields/FieldArrayItem.vue
index 1bb10dd80b..e15699d070 100644
--- a/packages/core/forms/src/components/fields/FieldArrayItem.vue
+++ b/packages/core/forms/src/components/fields/FieldArrayItem.vue
@@ -1,18 +1,17 @@
 <template>
-  <div class="array-item-wrapper">
-    <div class="array-item">
-      <slot />
-      <KButton
-        appearance="tertiary"
-        class="delete"
-        @click="$emit('remove-item')"
-      >
-        <TrashIcon />
-      </KButton>
-    </div>
-    <div class="array-item-after">
-      <slot name="after" />
-    </div>
+  <div class="array-item">
+    <slot />
+    <KButton
+      appearance="tertiary"
+      class="delete"
+      @click="$emit('remove-item')"
+    >
+      <TrashIcon />
+    </KButton>
+  </div>
+
+  <div class="array-item-after">
+    <slot name="after" />
   </div>
 </template>
 

From 77f9de0295bd56a137948b7df114a619b1fc6b63 Mon Sep 17 00:00:00 2001
From: Makito <i@maki.to>
Date: Wed, 7 Aug 2024 12:10:54 +0800
Subject: [PATCH 3/4] fix(entities-plugins): improve readability

---
 .../entities/entities-plugins/src/components/PluginForm.vue  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/entities/entities-plugins/src/components/PluginForm.vue b/packages/entities/entities-plugins/src/components/PluginForm.vue
index a47bd5d504..011eb0df70 100644
--- a/packages/entities/entities-plugins/src/components/PluginForm.vue
+++ b/packages/entities/entities-plugins/src/components/PluginForm.vue
@@ -555,7 +555,6 @@ const buildFormSchema = (parentKey: string, response: Record<string, any>, initi
     initialFormSchema[field] = { id: field, model: key } // each field's key will be set as the id
     initialFormSchema[field].type = scheme.type === 'boolean' ? 'checkbox' : 'input'
     initialFormSchema[field].required = scheme.required
-    initialFormSchema[field].values = scheme.values
     initialFormSchema[field].referenceable = scheme.referenceable
 
     if (field.startsWith('config-')) {
@@ -613,6 +612,10 @@ const buildFormSchema = (parentKey: string, response: Record<string, any>, initi
     if (scheme.type === 'map') {
       initialFormSchema[field].type = 'object-advanced'
 
+      // Passing `values` to this field in the generated schema for autofill providers
+      // Note: `values` may contain `referenceable` flag.
+      initialFormSchema[field].values = scheme.values
+
       if (scheme.values.type === 'array') {
         const { type: elementsType } = scheme.values.elements || {}
 

From 725f7d768ae98f96b446ef95823a178d7a09172d Mon Sep 17 00:00:00 2001
From: Makito <i@maki.to>
Date: Wed, 7 Aug 2024 15:29:05 +0800
Subject: [PATCH 4/4] fix(forms): add back the wrapper

---
 .../src/components/fields/FieldArrayItem.vue  | 27 ++++++++++---------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/packages/core/forms/src/components/fields/FieldArrayItem.vue b/packages/core/forms/src/components/fields/FieldArrayItem.vue
index e15699d070..1bb10dd80b 100644
--- a/packages/core/forms/src/components/fields/FieldArrayItem.vue
+++ b/packages/core/forms/src/components/fields/FieldArrayItem.vue
@@ -1,17 +1,18 @@
 <template>
-  <div class="array-item">
-    <slot />
-    <KButton
-      appearance="tertiary"
-      class="delete"
-      @click="$emit('remove-item')"
-    >
-      <TrashIcon />
-    </KButton>
-  </div>
-
-  <div class="array-item-after">
-    <slot name="after" />
+  <div class="array-item-wrapper">
+    <div class="array-item">
+      <slot />
+      <KButton
+        appearance="tertiary"
+        class="delete"
+        @click="$emit('remove-item')"
+      >
+        <TrashIcon />
+      </KButton>
+    </div>
+    <div class="array-item-after">
+      <slot name="after" />
+    </div>
   </div>
 </template>