How can I use node js vault in the existing api flow, if the API is actually talking to the Target Endpoint?

Hi,

I am using node js Vault to store the sensitive data in the existing API flow which is talking to a different data service.

I used the code below in the default target endpoint flow.

<TargetEndpoint name="default">
  <Description/>
  <PreFlow name="PreFlow">
    <Request/> <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://wwww.google.com</URL>
  </HTTPTargetConnection>
  <ScriptTarget>
    <ResourceURL>node://Vault.js</ResourceURL>
  </ScriptTarget>
</TargetEndpoint>

First, you may use one of

  • HTTPTargetConnection
  • ScriptTarget

...in your TargetEndpoint. In fact I consider it to be a bug that Apigee Edge does not reject a TargetEndpoint configuration as you provided above.

Second, if you want to store and retrieve a secret, you should use the encrypted KVM.

It would look like this:

<TargetEndpoint name="default">
  <Description/>
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>KVM-Get-Secret</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://wwww.google.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>

The KVM policy will be something like this:

<KeyValueMapOperations name='KVM-Get-Secret' mapIdentifier='nameOfMap'>
  <Scope>environment</Scope>
  <Get assignTo='private.secret'>
    <Key>
      <Parameter ref='variable.containing.key'/>
    </Key>
  </Get>
</KeyValueMapOperations>

But this will merely retrieve the secret. It does not actually use the secret in the call to the target. For that you would need to add an AssignMessage policy, or similar.


The Vault is accessible at runtime only from nodejs. Therefore if you have a regular HTTPTargetEndpoint, you cannot use the Vault. We have introduced the encrypted KVM as a more general way to store and retrieve secrets. It is accessible from a regular policy, or from a nodejs script. The encrypted KVM will supplant the Vault in future Apigee Edge releases.
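
The AssignMessage step mentioned in the reply, as an added example that is not part of the original answer: it places the value retrieved by KVM-Get-Secret into the outbound request. The policy name AM-Set-Backend-Credential, the Authorization header and the Bearer scheme are assumptions; use whatever header your backend expects.

```xml
<!-- Added example, not from the original reply.
     File 1: the AssignMessage policy. The name, the header and the
     "Bearer" scheme are assumptions for illustration. -->
<AssignMessage name="AM-Set-Backend-Credential">
  <!-- Modify the existing request that will be sent to the target -->
  <AssignTo createNew="false" type="request"/>
  <Set>
    <Headers>
      <!-- {private.secret} is the variable populated by KVM-Get-Secret.
           Variables with the private. prefix are masked in Trace. -->
      <Header name="Authorization">Bearer {private.secret}</Header>
    </Headers>
  </Set>
  <!-- Raise a fault instead of sending an empty credential
       when the KVM lookup did not populate the variable -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- File 2: the TargetEndpoint from the reply, with the new step
     attached after the KVM lookup so the variable is already set. -->
<TargetEndpoint name="default">
  <Description/>
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>KVM-Get-Secret</Name></Step>
      <Step><Name>AM-Set-Backend-Credential</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://wwww.google.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Do not copy the value into a variable without the private. prefix, or it will show up in Trace sessions.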