Configure external secrets managers
A secrets manager is an external service that manages and stores secrets for multiple applications. Semarchy xDM can reference these secrets and retrieve them from the secrets manager when needed.
This page outlines the steps to configure an external secrets manager for managing secrets storage in xDM.
Supported secrets managers
xDM supports the following secrets managers to store the secrets:
-
AWS: stores the secrets in an AWS Secrets Manager.
-
Azure: stores the secrets in an Azure Key Vault.
-
GCP: stores the secrets in a Google Cloud Secret Manager.
Secrets manager configuration
Secrets managers are configured using startup configuration properties.
Secrets manager alias
Each secrets manager is identified by an alias. This alias is a lowercase string containing alphanumerical characters. Other characters, such as spaces, dots, dashes, and underscores, are not supported in the alias. Besides, the alias cannot be one of the reserved aliases: current
or insecure
.
The alias is part of the secrets manager configuration properties name. For example, the xdm.secrets.external.azurecorporate.type
property defines the type of azurecorporate
secrets manager.
Common properties
The following table lists the common properties used to configure each secrets manager.
Property | Mandatory | Description |
---|---|---|
|
Yes |
Secret manager type. Possible values are |
|
Yes |
Each type of secrets manager has its own set of configuration properties, listed in the following sections for the AWS Secrets Manager, Azure Key Vault, and Google Cloud secrets manager. |
|
No |
Configure whether the secrets manager is allowed by default for usages in xDM. For more information, see Limit secrets usage. |
|
No |
Overrides the default |
AWS Secrets Manager
xDM can read secrets stored in AWS Secrets Manager in two forms:
-
Text: the secret stores a plain text string (e.g., a password).
-
JSON: the secret stores a JSON object, into which one property is retrieved and used as a string.
Configuration properties
Property | Mandatory | Description |
---|---|---|
|
No |
Provides the version stage used to retrieve the secret value. |
AWS region and credentials configuration
xDM uses the AWS default credential provider chain and default region provider chain and therefore relies on the system or environment for the AWS region and credentials. However, you use the following properties to specify them for a secrets manager.
Property | Mandatory | Description |
---|---|---|
|
No |
The AWS region to use. This property must be a valid input for the AWS region |
|
No |
Alternate credential profile, similar to the one provided with the |
|
No |
Access AWS Secrets Manager using an AWS access key ID and secret access key. |
|
No |
Access AWS Secrets Manager by explicitly providing temporary credentials. |
Azure Key Vault
xDM can read text secrets stored in Azure Key Vault.
Configuration properties
Property | Mandatory | Description |
---|---|---|
|
Yes |
Azure Key Vault base URL. |
Azure credentials configuration
xDM uses the DefaultAzureCredentialBuilder class and relies on the system or environment for the Azure credentials. However, you can use the following properties to configure the credentials for a secrets manager.
Property | Mandatory | Description |
---|---|---|
|
No |
Use these properties to build the credentials using a client ID and client secret. Having any of those properties defined makes the other ones required. |
|
No |
Use these properties to build the credentials using a username and password. Having any of those properties defined makes the other ones required. |
Google Cloud secrets manager
xDM can read text secrets stored in Google Cloud Secret Manager.
Configuration properties
Property | Mandatory | Description |
---|---|---|
|
Yes |
The ID of the project in the Google Cloud Platform. |
|
No |
Version ID to send when calling |
Google Cloud credentials configuration
xDM uses Googlecredentials`
to build the Google credentials and so relies on the GOOGLE_APPLICATION_CREDENTIALS
environment variable. However, you can use the following properties to configure the credentials for a secrets manager.
Property | Mandatory | Description |
---|---|---|
|
No |
Path to the key file created in Service Account. Required if neither the |
|
No |
Raw content of the Service Account key file. Required if neither the |
|
No |
Provides the scope to send when calling |
Google Cloud credentials are first checked in the credential file, then the credential value, then the environment variable. |