Akeyless Vault

External Secrets Operator integrates with the Akeyless API.

Authentication

To authenticate to the API, first define an accessId, an accessType and, where the chosen method needs one, an accessTypeParam.

The supported auth-methods and their parameters are:

accessType   accessTypeParam
api_key      The access key
k8s          The k8s configuration name
aws_iam      - (no parameter)
gcp          The gcp audience
azure_ad     The azure object id (optional)

For more information see Akeyless Authentication Methods

Creating an Akeyless Credentials Secret

Create a secret containing your credentials using the following example as a guide:

apiVersion: v1
kind: Secret
metadata:
  name: akeyless-secret-creds
type: Opaque
stringData:
  accessId: "p-XXXX"
  accessType:  # k8s/aws_iam/gcp/azure_ad/api_key
  accessTypeParam:  # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key

Update Secret Store

Be sure the akeyless provider is listed in the Kind=SecretStore and that akeylessGWApiURL points at your Akeyless gateway or API endpoint (default: "https://api.akeyless.io").

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: akeyless-secret-store
spec:
  provider:
    akeyless:
      # URL of your akeyless API
      akeylessGWApiURL: "https://api.akeyless.io"
      authSecretRef:
        secretRef:
          accessID:
            name: akeyless-secret-creds
            key: accessId
          accessType:
            name: akeyless-secret-creds
            key: accessType
          accessTypeParam:
            name: akeyless-secret-creds
            key: accessTypeParam
NOTE: In case of a ClusterSecretStore, be sure to provide the namespace for accessID, accessType and accessTypeParam according to the namespace where the credentials Secret resides.

Authentication with Kubernetes

Options for obtaining the Kubernetes credentials presented to Akeyless are:

  1. The JWT of a ServiceAccount referenced in serviceAccountRef
  2. A JWT stored in a Kind=Secret referenced by secretRef
  3. The token mounted into the external-secrets operator pod, used when neither reference is set

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: akeyless-secret-store
spec:
  provider:
    akeyless:
      # URL of your akeyless API
      akeylessGWApiURL: "https://api.akeyless.io"
      authSecretRef:
        kubernetesAuth:
          accessID: "p-XXXXXX"
          k8sConfName: "my-conf-name"

          # Option 1: a ServiceAccount whose token the operator requests
          # and presents to Akeyless
          serviceAccountRef:
            name: "my-sa"

          # Option 2: a Kind=Secret holding a ServiceAccount JWT used for
          # authenticating with Akeyless. Set at most one of serviceAccountRef
          # and secretRef; omit both to use the token mounted into the
          # external-secrets operator pod (option 3)
          secretRef:
            name: "my-secret"
            key: "token"
NOTE: In case of a ClusterSecretStore, be sure to provide the namespace for serviceAccountRef and secretRef according to the namespaces where the ServiceAccount and Secret reside.
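A pre-flight check for the manifests in this section and the previous one, written as an added example for this page (it is not part of External Secrets Operator). It encodes only what the page states: the supported accessType values and their accessTypeParam, the https API URL, the namespace requirement for references in a ClusterSecretStore, and the three token sources for kubernetesAuth. Manifests are given as Python dicts (the shape yaml.safe_load returns) so it runs without a cluster; treating both serviceAccountRef and secretRef being set as an error is this lint's own rule, not the operator's.

```python
"""Pre-flight lint for the Akeyless credentials Secret and (Cluster)SecretStore.

Added example, not External Secrets Operator code. Manifests are plain dicts.
Flagging serviceAccountRef and secretRef set together is an assumption of this
lint (the page lists them as alternatives), not an operator error.
"""

# accessType -> (meaning of accessTypeParam, whether it is required); from the table above
ACCESS_TYPES = {
    "api_key": ("the access key", True),
    "k8s": ("the k8s configuration name", True),
    "aws_iam": (None, False),                   # takes no parameter
    "gcp": ("the gcp audience", True),
    "azure_ad": ("the azure object id", False),  # optional
}


def lint_creds_secret(secret: dict) -> list[str]:
    """Check the Kind=Secret holding accessId / accessType / accessTypeParam (stringData form)."""
    findings = []
    data = secret.get("stringData", {})
    access_type = (data.get("accessType") or "").strip()
    param = (data.get("accessTypeParam") or "").strip()
    if not (data.get("accessId") or "").strip():
        findings.append("accessId is empty")
    if access_type not in ACCESS_TYPES:
        findings.append(f"unsupported accessType {access_type!r}; expected one of {sorted(ACCESS_TYPES)}")
        return findings
    meaning, required = ACCESS_TYPES[access_type]
    if required and not param:
        findings.append(f"accessType {access_type} needs accessTypeParam ({meaning})")
    if meaning is None and param:
        findings.append(f"accessType {access_type} takes no accessTypeParam, but {param!r} was set")
    return findings


def _check_ref(findings: list, label: str, ref: dict, cluster_scoped: bool) -> None:
    """A secret reference needs name and key, plus namespace when the store is cluster-scoped."""
    for field in ("name", "key"):
        if not ref.get(field):
            findings.append(f"{label}: missing {field}")
    if cluster_scoped and not ref.get("namespace"):
        findings.append(f"{label}: ClusterSecretStore needs an explicit namespace")


def lint_secret_store(store: dict) -> list[str]:
    """Check spec.provider.akeyless of a SecretStore or ClusterSecretStore."""
    findings = []
    cluster_scoped = store.get("kind") == "ClusterSecretStore"
    akeyless = store.get("spec", {}).get("provider", {}).get("akeyless")
    if akeyless is None:
        return ["spec.provider.akeyless is missing"]
    url = akeyless.get("akeylessGWApiURL", "https://api.akeyless.io")
    if not url.startswith("https://"):
        findings.append(f"akeylessGWApiURL {url!r} is not https; credentials would be sent in clear")
    auth = akeyless.get("authSecretRef", {})
    secret_ref, k8s_auth = auth.get("secretRef"), auth.get("kubernetesAuth")
    if secret_ref is None and k8s_auth is None:
        findings.append("authSecretRef needs secretRef or kubernetesAuth")
    if secret_ref is not None:
        for field in ("accessID", "accessType", "accessTypeParam"):
            _check_ref(findings, f"secretRef.{field}", secret_ref.get(field) or {}, cluster_scoped)
    if k8s_auth is not None:
        for field in ("accessID", "k8sConfName"):
            if not k8s_auth.get(field):
                findings.append(f"kubernetesAuth.{field} is required")
        sa_ref, tok_ref = k8s_auth.get("serviceAccountRef"), k8s_auth.get("secretRef")
        if sa_ref is not None and tok_ref is not None:
            findings.append("kubernetesAuth: set serviceAccountRef or secretRef, not both "
                            "(omit both to use the operator's mounted token)")
        if sa_ref is not None and cluster_scoped and not sa_ref.get("namespace"):
            findings.append("kubernetesAuth.serviceAccountRef: ClusterSecretStore needs an explicit namespace")
        if tok_ref is not None:
            _check_ref(findings, "kubernetesAuth.secretRef", tok_ref, cluster_scoped)
    return findings


def akeyless_store(kind: str, auth_secret_ref: dict, url: str = "https://api.akeyless.io") -> dict:
    """Build a store manifest with the shape of the page's example."""
    return {"apiVersion": "external-secrets.io/v1beta1", "kind": kind,
            "metadata": {"name": "akeyless-secret-store"},
            "spec": {"provider": {"akeyless": {"akeylessGWApiURL": url,
                                               "authSecretRef": auth_secret_ref}}}}


# Constructed inputs: the page's namespaced SecretStore refs, and the same refs copied
# unchanged into a ClusterSecretStore (the mistake the NOTE above warns about).
PAGE_REFS = {"secretRef": {field: {"name": "akeyless-secret-creds", "key": key}
                           for field, key in (("accessID", "accessId"), ("accessType", "accessType"),
                                              ("accessTypeParam", "accessTypeParam"))}}
NAMESPACED_STORE = akeyless_store("SecretStore", PAGE_REFS)
CLUSTER_STORE_MISSING_NS = akeyless_store("ClusterSecretStore", PAGE_REFS)
# api_key chosen but the key itself left blank, a common template left-over
PAGE_CREDS = {"stringData": {"accessId": "p-XXXX", "accessType": "api_key", "accessTypeParam": ""}}

if __name__ == "__main__":
    for name, result in (("SecretStore", lint_secret_store(NAMESPACED_STORE)),
                         ("ClusterSecretStore", lint_secret_store(CLUSTER_STORE_MISSING_NS)),
                         ("credentials Secret", lint_creds_secret(PAGE_CREDS))):
        print(name, "->", result or "ok")
```

Run it against your own manifests after loading them with yaml.safe_load; an empty list means the store passes every rule above, and the ClusterSecretStore sample shows how three missing namespace fields surface before the operator ever tries to read the credentials Secret.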

Creating an external secret

To get a secret from Akeyless and create it as a secret on the Kubernetes cluster, a Kind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster

  target:
    name: database-credentials # Name for the secret to be created on the cluster
    creationPolicy: Owner

  data:
    - secretKey: username # Key given to the secret to be created on the cluster
      remoteRef:
        key: db-username  # Full path of the secret on Akeyless
    - secretKey: password # Key given to the secret to be created on the cluster
      remoteRef:
        key: db-password  # Full path of the secret on Akeyless

Using DataFrom

dataFrom can be used to fetch a secret whose value is a JSON string and parse it, so that each top-level JSON key becomes a key of the created Secret.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster

  target:
    name: database-credentials # Name for the secret to be created on the cluster
    creationPolicy: Owner

  # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
  dataFrom:
  - extract:
      key: database-credentials # Full path of the secret on Akeyless

Getting the Kubernetes Secret

The operator will fetch the secret and inject it as a Kind=Secret.

Using the names from the examples above, read one key from the secret created via spec.data:

kubectl get secret database-credentials -o jsonpath='{.data.username}' | base64 -d

and list all keys the dataFrom extract produced (values are base64-encoded):

kubectl get secret database-credentials -o jsonpath='{.data}'
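The following is an added example for this page, not External Secrets Operator's own code. It reproduces, offline, what the dataFrom extract section and the kubectl commands above describe: a JSON-formatted Akeyless value is split into one Secret key per top-level JSON key, values are base64-encoded as kubectl displays them, and reading a key back decodes it. The remote value is constructed here; that nested values are re-serialised as JSON strings and that a non-object value is rejected are assumptions about the operator's behaviour, not statements from the page.

```python
"""Simulate dataFrom.extract on a JSON secret and the kubectl reads that follow.

Added example, not External Secrets Operator code. The nested-value and
non-object handling below are assumptions, not documented operator behaviour.
"""
import base64
import json


def extract_json_secret(raw: str) -> dict[str, str]:
    """Parse the remote value as a JSON object and flatten it to string values.

    Raises ValueError when the value is not a JSON object, which is the failure
    to expect when dataFrom.extract points at a plain-string secret that
    should have been fetched with spec.data instead.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"remote secret is not JSON: {exc}") from None
    if not isinstance(parsed, dict):
        raise ValueError("remote secret is JSON but not an object; use spec.data for scalar secrets")
    flattened = {}
    for key, value in parsed.items():
        # strings are used as-is; anything else is re-encoded as compact JSON (assumption)
        flattened[key] = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
    return flattened


def to_kubernetes_secret(name: str, values: dict[str, str]) -> dict:
    """Build the Kind=Secret the operator creates, with base64 .data as kubectl shows it."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}}


def read_secret_key(secret: dict, key: str) -> str:
    """Equivalent of: kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 -d"""
    return base64.b64decode(secret["data"][key]).decode()


# Constructed remote value standing in for the Akeyless item "database-credentials"
REMOTE_DATABASE_CREDENTIALS = (
    '{"username": "app", "password": "s3cr3t", "port": 5432, "tls": {"mode": "require"}}'
)


def render_database_credentials() -> dict:
    """The Secret the dataFrom example above would produce from the constructed value."""
    return to_kubernetes_secret("database-credentials", extract_json_secret(REMOTE_DATABASE_CREDENTIALS))


if __name__ == "__main__":
    secret = render_database_credentials()
    print(json.dumps(secret["data"], indent=2))            # what jsonpath='{.data}' shows
    print(read_secret_key(secret, "username"))             # what the base64 -d pipeline shows
    try:
        extract_json_secret("plain-password")
    except ValueError as err:
        print("extract on a non-JSON item:", err)
```

Note that the numeric and nested values become strings in the Secret; a consumer that needs the port as an integer has to convert it, and a consumer that needs the whole tls block gets it as JSON text rather than as separate keys.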