Feature Request
Resolution: Done
Motivation:
There are some secret values that would be useful to extract from secret managers. We can implement a scaffolder action that connects to a secret manager, retrieves the values, and sets them as output variables for subsequent actions. This feature should help avoid exposing secret values to scaffolder users and provide a better user experience, as users won't need to manually enter sensitive default secrets.
Alternatives: The implementation in https://github.com/backstage/backstage/issues/9461 is a good feature, but this approach has a minor drawback: secret values are hard-coded in environment variables. If some default secrets change, customers currently have to restart the deployment to fetch the updated secret values. A scaffolder action retrieves the current values dynamically, without requiring a deployment restart.
Proposed secret storages:
One possible option is Azure Key Vault, since the Backstage community already provides some support through Azure plugins. However, a more generic solution might be HashiCorp Vault. There is community plugin support for this secret manager as well, and it is cloud-agnostic—it doesn't depend on any specific cloud platform.
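A sketch of the retrieval step such an action could perform against HashiCorp Vault, added here as an illustration and not taken from Backstage, RHDH or this ticket. It assumes the Vault KV v2 HTTP read endpoint; `HttpGet`, `VaultInput`, `ActionCtx`, `readVaultKeys` and `vaultReadHandler` are hypothetical names, and the HTTP call is injected so the code runs offline.

```typescript
// Added example: hypothetical names, not Backstage or RHDH code.
// HttpGet stands in for fetch() so the sketch runs offline with a stub.
type HttpGet = (
  url: string,
  headers: Record<string, string>,
) => Promise<{ status: number; json(): Promise<unknown> }>;

interface VaultInput {
  mount: string; // KV v2 mount name
  path: string; // secret path under the mount
  keys: string[]; // only these keys are exposed to later steps
}

// The part of an action context this sketch uses (assumed shape).
interface ActionCtx {
  input: VaultInput;
  output(name: string, value: string): void;
}

// Read a KV v2 secret at task run time and return only the requested keys.
async function readVaultKeys(
  get: HttpGet, addr: string, token: string, input: VaultInput,
): Promise<Map<string, string>> {
  const segments = input.path.split('/');
  if (segments.some(s => s === '' || s === '.' || s === '..')) {
    throw new Error('Invalid secret path');
  }
  const path = segments.map(s => encodeURIComponent(s)).join('/');
  const url = `${addr}/v1/${encodeURIComponent(input.mount)}/data/${path}`;
  const res = await get(url, { 'X-Vault-Token': token });
  // Fail closed, and keep the token and response body out of the error text.
  if (res.status !== 200) throw new Error(`Vault read failed with HTTP ${res.status}`);
  const body = (await res.json()) as { data?: { data?: Record<string, unknown> } };
  const kv = body.data?.data ?? {};
  const picked = new Map<string, string>();
  for (const key of input.keys) {
    const value = kv[key];
    if (typeof value !== 'string') throw new Error(`Key "${key}" missing or not a string`);
    picked.set(key, value);
  }
  return picked;
}

// Handler body for a hypothetical scaffolder action.
async function vaultReadHandler(
  ctx: ActionCtx, get: HttpGet, addr: string, token: string,
): Promise<void> {
  const picked = await readVaultKeys(get, addr, token, ctx.input);
  // Values are passed to outputs only; nothing secret is written to the log.
  picked.forEach((value, name) => ctx.output(name, value));
}
```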
- is related to: RHDHPLAN-845 Support for secrets in the scaffolder (New)