Akeyless
Akeyless Vault
External Secrets Operator integrates with the Akeyless API.
Authentication
To operate the API first define an access-id, access-type and access-Type-param.
The supported auth-methods and their parameters are:
| accessType | accessTypeParam |
|---|---|
api_key |
The access key. |
k8s |
The k8s configuration name |
aws_iam |
- |
gcp |
The gcp audience |
azure_ad |
azure object id (optional) |
For more information see Akeyless Authentication Methods
Creating an Akeyless Ccredentials Secret
Create a secret containing your credentials using the following example as a guide:
apiVersion: v1
kind: Secret
metadata:
name: akeyless-secret-creds
type: Opaque
stringData:
accessId: "p-XXXX"
accessType: # k8s/aws_iam/gcp/azure_ad/api_key
accessTypeParam: # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key
Update Secret Store
Be sure the akeyless provider is listed in the Kind=SecretStore and the akeylessGWApiURL is set (def: "https://api.akeless.io").
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: akeyless-secret-store
spec:
provider:
akeyless:
# URL of your akeyless API
akeylessGWApiURL: "https://api.akeyless.io"
authSecretRef:
secretRef:
accessID:
name: akeyless-secret-creds
key: accessId
accessType:
name: akeyless-secret-creds
key: accessType
accessTypeParam:
name: akeyless-secret-creds
key: accessTypeParam
ClusterSecretStore, be sure to provide namespace for accessID, accessType and accessTypeParam according to the namespaces where the secrets reside.
Authentication with Kubernetes
Options for obtaining Kubernetes credentials include:
- Using a service account jwt referenced in serviceAccountRef
- Using the jwt from a Kind=Secret referenced by the secretRef
- Using transient credentials from the mounted service account token within the external-secrets operator
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: akeyless-secret-store
spec:
provider:
akeyless:
# URL of your akeyless API
akeylessGWApiURL: "https://api.akeyless.io"
authSecretRef:
kubernetesAuth:
accessID: "p-XXXXXX"
k8sConfName: "my-conf-name"
# Optional service account field containing the name
# of a kubernetes ServiceAccount
serviceAccountRef:
name: "my-sa"
# Optional secret field containing a Kubernetes ServiceAccount JWT
# used for authenticating with Akeyless
secretRef:
name: "my-secret"
key: "token"
ClusterSecretStore, Be sure to provide namespace for serviceAccountRef and secretRef according to the namespaces where the secrets reside.
Creating an external secret
To get a secret from Akeyless and create it as a secret on the Kubernetes cluster, a Kind=ExternalSecret is needed.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: akeyless-secret-store # Must match SecretStore on the cluster
target:
name: database-credentials # Name for the secret to be created on the cluster
creationPolicy: Owner
data:
- secretKey: username # Key given to the secret to be created on the cluster
remoteRef:
key: db-username # Full path of the secret on Akeyless
- secretKey: password # Key given to the secret to be created on the cluster
remoteRef:
key: db-password # Full path of the secret on Akeyless
Using DataFrom
DataFrom can be used to get a secret as a JSON string and attempt to parse it.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: akeyless-secret-store # Must match SecretStore on the cluster
target:
name: database-credentials # Name for the secret to be created on the cluster
creationPolicy: Owner
# for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
dataFrom:
- extract:
key: database-credentials # Full path of the secret on Akeyless
Getting the Kubernetes Secret
The operator will fetch the secret and inject it as a Kind=Secret.
kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d
kubectl get secret akeyless-secret-to-create-json -o jsonpath='{.data}'