Configure external secrets managers

A secrets manager is an external service that manages and stores secrets for multiple applications. Semarchy xDM can reference these secrets and retrieve them from the secrets manager when needed.

This page outlines the steps to configure an external secrets manager for managing secrets storage in xDM.

Supported secrets managers

xDM supports the following secrets managers to store the secrets:

  • AWS: stores the secrets in an AWS Secrets Manager.

  • Azure: stores the secrets in an Azure Key Vault.

  • GCP: stores the secrets in a Google Cloud Secret Manager.

Secrets manager configuration

Secrets managers are configured using startup configuration properties.

Secrets manager alias

Each secrets manager is identified by an alias. This alias is a lowercase string containing only alphanumerical characters. Other characters, such as spaces, dots, dashes, and underscores, are not supported in the alias. In addition, the alias cannot be one of the reserved aliases: current or insecure.

The alias is part of the names of the secrets manager configuration properties. For example, the xdm.secrets.external.azurecorporate.type property defines the type of the azurecorporate secrets manager.

Common properties

The following table lists the common properties used to configure each secrets manager.

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.type | Yes | Secrets manager type. Possible values are AWS, AZURE or GCP.
xdm.secrets.external.<secrets_manager_alias>.<property> | Yes | Each type of secrets manager has its own set of configuration properties, listed in the following sections for AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
xdm.secrets.external.<secrets_manager_alias>.allowed | No | Configures whether the secrets manager is allowed by default for secret usages in xDM. For more information, see Limit secrets usage.
xdm.secrets.external.<secrets_manager_alias>.allowed.<secret_usage> | No | Overrides the default allowed value for the given <secret_usage>. For more information, see Limit secrets usage.

AWS Secrets Manager

xDM can read secrets stored in AWS Secrets Manager in two forms:

  • Text: the secret stores a plain text string (e.g., a password).

  • JSON: the secret stores a JSON object, from which one property is retrieved and used as a string.

Configuration properties

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.versionstage | No | Version stage used to retrieve the secret value.

AWS region and credentials configuration

xDM uses the AWS default credential provider chain and default region provider chain, and therefore relies on the system or environment for the AWS region and credentials. However, you can use the following properties to specify them explicitly for a secrets manager.

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.region | No | The AWS region to use. This property must be a valid input for the AWS region.
xdm.secrets.external.<secrets_manager_alias>.credentials.profile | No | Alternate credentials profile, equivalent to the one provided with the AWS_PROFILE environment variable.
xdm.secrets.external.<secrets_manager_alias>.credentials.basic.accesskey, xdm.secrets.external.<secrets_manager_alias>.credentials.basic.secretkey | No | Access AWS Secrets Manager using an AWS access key ID and secret access key.
xdm.secrets.external.<secrets_manager_alias>.credentials.session.accesskey, xdm.secrets.external.<secrets_manager_alias>.credentials.session.secretkey, xdm.secrets.external.<secrets_manager_alias>.credentials.session.token | No | Access AWS Secrets Manager by explicitly providing temporary (session) credentials.

Azure Key Vault

xDM can read text secrets stored in Azure Key Vault.

Configuration properties

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.vaulturl | Yes | Azure Key Vault base URL.

Azure credentials configuration

xDM uses the DefaultAzureCredentialBuilder class and relies on the system or environment for the Azure credentials. However, you can use the following properties to configure the credentials for a secrets manager.

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.credentials.tenantid, xdm.secrets.external.<secrets_manager_alias>.credentials.clientid, xdm.secrets.external.<secrets_manager_alias>.credentials.clientsecret | No | Use these properties to build the credentials from a tenant ID, client ID and client secret. If any of these three properties is defined, the other two become required.
xdm.secrets.external.<secrets_manager_alias>.credentials.username, xdm.secrets.external.<secrets_manager_alias>.credentials.password | No | Use these properties to build the credentials from a username and password. If either property is defined, the other becomes required.

Google Cloud Secret Manager

xDM can read text secrets stored in Google Cloud Secret Manager.

Configuration properties

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.projectid | Yes | The ID of the project in the Google Cloud Platform.
xdm.secrets.external.<secrets_manager_alias>.versionid | No | Version ID to send when calling accessSecretVersion. The default value is latest.

Google Cloud credentials configuration

xDM uses GoogleCredentials to build the Google credentials and therefore relies by default on the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, you can use the following properties to configure the credentials for a secrets manager.

Property | Mandatory | Description
xdm.secrets.external.<secrets_manager_alias>.credentials.file | No | Path to the service account key file. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable nor the properties below are defined.
xdm.secrets.external.<secrets_manager_alias>.credentials.value | No | Raw content of the service account key file. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable nor the credentials file is defined.
xdm.secrets.external.<secrets_manager_alias>.credentials.scope | No | Scope to send when calling accessSecretVersion. The default value is https://www.googleapis.com/auth/cloud-platform.

Google Cloud credentials are resolved in the following order: the credentials file first, then the credentials value, then the GOOGLE_APPLICATION_CREDENTIALS environment variable.
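The following checker is an added example and is not part of the Semarchy documentation or of the xDM product. It applies the rules stated on this page (alias character set and reserved aliases, supported types, the mandatory vaulturl and projectid properties, the Azure rule that defining one credential property makes the others in its group required, the per-usage allowed override, and the Google Cloud credential precedence) to a constructed properties fragment. The aliases, vault URL, tenant and client IDs, key file path and the secret usage name exampleusage are placeholders; the properties reader is a minimal key=value parser; and because this page does not state the product default for allowed, the helper returns None when neither property is set.

```python
import re
from typing import Dict, List, Optional, Tuple

# Rules transcribed from the page: alias charset, reserved aliases, supported
# types, per-type mandatory keys, and the Azure credential groups in which
# defining any one key makes the others required.
PREFIX = "xdm.secrets.external."
ALIAS_RE = re.compile(r"^[a-z0-9]+$")
RESERVED_ALIASES = {"current", "insecure"}
TYPES = {"AWS", "AZURE", "GCP"}
REQUIRED_BY_TYPE = {"AWS": (), "AZURE": ("vaulturl",), "GCP": ("projectid",)}
COREQUIRED_AZURE = (
    ("credentials.tenantid", "credentials.clientid", "credentials.clientsecret"),
    ("credentials.username", "credentials.password"),
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader for a Java-style properties file
    (assumption: no line continuations or escape sequences)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_by_alias(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Split xdm.secrets.external.<alias>.<prop> keys into one dict per alias."""
    managers: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        if key.startswith(PREFIX):
            alias, _, prop = key[len(PREFIX):].partition(".")
            managers.setdefault(alias, {})[prop] = value
    return managers


def validate(props: Dict[str, str]) -> List[str]:
    """Return one message per violated rule; an empty list means the config is consistent."""
    problems: List[str] = []
    for alias, cfg in group_by_alias(props).items():
        if not ALIAS_RE.match(alias):
            problems.append(f"{alias}: alias must be lowercase alphanumeric")
        if alias in RESERVED_ALIASES:
            problems.append(f"{alias}: alias is reserved")
        mtype = cfg.get("type")
        if mtype not in TYPES:
            problems.append(f"{alias}: type must be one of {sorted(TYPES)}, got {mtype!r}")
            continue  # type-specific checks need a known type
        for req in REQUIRED_BY_TYPE[mtype]:
            if req not in cfg:
                problems.append(f"{alias}: {mtype} requires {PREFIX}{alias}.{req}")
        if mtype == "AZURE":
            for group in COREQUIRED_AZURE:
                present = [k for k in group if k in cfg]
                if present and len(present) != len(group):
                    missing = [k for k in group if k not in cfg]
                    problems.append(f"{alias}: defining {present[0]} also requires {', '.join(missing)}")
    return problems


def is_allowed(cfg: Dict[str, str], usage: str) -> Optional[bool]:
    """allowed.<secret_usage> overrides the manager-wide allowed value.
    Returns None when neither is set: the product default then applies."""
    value = cfg.get(f"allowed.{usage}", cfg.get("allowed"))
    return None if value is None else value.lower() == "true"


def resolve_gcp_credentials(cfg: Dict[str, str], env: Dict[str, str]) -> Tuple[str, str]:
    """Apply the page's precedence: credentials.file, then credentials.value,
    then GOOGLE_APPLICATION_CREDENTIALS; at least one of them must be present."""
    if "credentials.file" in cfg:
        return ("file", cfg["credentials.file"])
    if "credentials.value" in cfg:
        return ("value", cfg["credentials.value"])
    if "GOOGLE_APPLICATION_CREDENTIALS" in env:
        return ("env", env["GOOGLE_APPLICATION_CREDENTIALS"])
    raise ValueError("set credentials.file, credentials.value or GOOGLE_APPLICATION_CREDENTIALS")


# Constructed sample: aliases, URL, IDs, path and the usage name are placeholders.
SAMPLE = """
# consistent AWS manager: denied by default, allowed for one usage
xdm.secrets.external.awsprod.type=AWS
xdm.secrets.external.awsprod.region=eu-west-1
xdm.secrets.external.awsprod.allowed=false
xdm.secrets.external.awsprod.allowed.exampleusage=true
# Azure manager with an incomplete tenant/client/secret triple
xdm.secrets.external.azurecorporate.type=AZURE
xdm.secrets.external.azurecorporate.vaulturl=https://example-vault.vault.azure.net/
xdm.secrets.external.azurecorporate.credentials.tenantid=00000000-0000-0000-0000-000000000000
xdm.secrets.external.azurecorporate.credentials.clientid=11111111-1111-1111-1111-111111111111
# reserved alias with an unsupported type value
xdm.secrets.external.current.type=Vault
# underscore in alias, and GCP without projectid
xdm.secrets.external.gcp_dev.type=GCP
xdm.secrets.external.gcp_dev.credentials.file=/etc/xdm/sa-key.json
"""

if __name__ == "__main__":
    for msg in validate(parse_properties(SAMPLE)):
        print(msg)
```

Running the block prints five findings for the sample: the incomplete Azure triple, the reserved alias, the unsupported type, the alias containing an underscore, and the missing projectid. Such a check is worth running before startup, since a manager that fails these rules is exactly the one whose secrets will be unavailable to the usages that reference it.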