Skip to content

Akeyless

Akeyless Vault

External Secrets Operator integrates with Akeyless API.

Authentication

The API requires an access-id, access-type and access-Type-param.

The supported auth-methods and their params are:

accessType accessTypeParam
api_key The access key.
k8s The k8s configuration name
aws_iam -
gcp The gcp audience
azure_ad azure object id (optional)

form more information about Akeyless Authentication Methods

Akeless credentials secret

Create a secret containing your credentials:

apiVersion: v1
kind: Secret
metadata:
  name: akeylss-secret-creds
type: Opaque
stringData:
  accessId: "p-XXXX"
  accessType:  # k8s/aws_iam/gcp/azure_ad/api_key
  accessTypeParam:  # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key

Update secret store

Be sure the akeyless provider is listed in the Kind=SecretStore and the akeylessGWApiURL is set (def: "https://api.akeless.io".

apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: akeyless-secret-store
spec:
  provider:
    akeyless:
      # URL of your akeyless API
      akeylessGWApiURL: "https://api.akeyless.io"
      authSecretRef:
        secretRef:
          accessID:
            name: akeylss-secret-creds
            key: accessId
          accessType:
            name: akeylss-secret-creds
            key: accessType
          accessTypeParam:
            name: akeylss-secret-creds
            key: accessTypeParam
NOTE: In case of a ClusterSecretStore, Be sure to provide namespace for accessID, accessType and accessTypeParam with the namespaces where the secrets reside.

Creating external secret

To get a secret from Akeyless and secret it on the Kubernetes cluster, a Kind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: akeyless-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster

  target:
    name: akeyless-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  data:
    - secretKey: secretKey # Key given to the secret to be created on the cluster
      remoteRef:
        key: secret-name # Full path of the secret on Akeyless

Using DataFrom

DataFrom can be used to get a secret as a JSON string and attempt to parse it.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: akeyless-external-secret-example-json
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster

  target:
    name: akeyless-secret-to-create-json # Name for the secret to be created on the cluster
    creationPolicy: Owner

  # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
  dataFrom:
  - key: secret-name # Full path of the secret on Akeyless

Getting the Kubernetes secret

The operator will fetch the secret and inject it as a Kind=Secret.

kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d

kubectl get secret akeyless-secret-to-create-json -o jsonpath='{.data}'