Configure external secrets managers

A secrets manager is an external service that manages and stores secrets for multiple applications. Semarchy xDM can reference these secrets and retrieve them from the secrets manager when needed.

This page outlines the steps to configure an external secrets manager for managing secrets storage in xDM.

Supported secrets managers

xDM supports the following secrets managers to store the secrets:

AWS: stores the secrets in an AWS Secrets Manager.
Azure: stores the secrets in an Azure Key Vault.
GCP: stores the secrets in a Google Cloud Secret Manager.

Secrets manager configuration

Secrets managers are configured using startup configuration properties.

Secrets manager alias

Each secrets manager is identified by an alias. This alias is a lowercase string containing alphanumerical characters. Other characters, such as spaces, dots, dashes, and underscores, are not supported in the alias. Besides, the alias cannot be one of the reserved aliases: current or insecure.

The alias is part of the secrets manager configuration properties name. For example the xdm.secrets.external.azurecorporate.type property defines the type of azurecorporate secrets manager.

Common properties

The following table lists the common properties used to configure each secrets manager.

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.type`	Yes	Secret manager type. Possible values are `AWS`, `AZURE` or `GCP`.
`xdm.secrets.external.<secrets_manager_alias>.<property>`	Yes	Each type of secrets manager has its own set of configuration properties, listed in the following sections for the AWS Secrets Manager, Azure Key Vault, and Google Cloud secrets manager.
`xdm.secrets.external.<secrets_manager_alias>.allowed`	No	Configure whether the secrets manager is allowed by default for usages in xDM. For more information, see Limit secrets usage.
`secrets.external.<secrets_manager_alias>.allowed.<secret_usage>`	No	Overrides the default `allowed` value for a given `<secret_usage>`. For more information, see Limit secrets usage.

xdm.secrets.external.<secrets_manager_alias>.type

Yes

Secret manager type. Possible values are AWS, AZURE or GCP.

xdm.secrets.external.<secrets_manager_alias>.<property>

Yes

Each type of secrets manager has its own set of configuration properties, listed in the following sections for the AWS Secrets Manager, Azure Key Vault, and Google Cloud secrets manager.

xdm.secrets.external.<secrets_manager_alias>.allowed

Configure whether the secrets manager is allowed by default for usages in xDM. For more information, see Limit secrets usage.

secrets.external.<secrets_manager_alias>.allowed.<secret_usage>

Overrides the default allowed value for a given <secret_usage>. For more information, see Limit secrets usage.

AWS Secrets Manager

xDM can read secrets stored in AWS Secrets Manager in two forms:

Text: the secret stores a plain text string. For example, a password.
JSON: the secret stores a JSON object, into which one property is retrieved and used as a string.

Configuration properties

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.versionstage`	No	Provides the version stage used to retrieve the secret value.

xdm.secrets.external.<secrets_manager_alias>.versionstage

Provides the version stage used to retrieve the secret value.

AWS region and credentials configuration

xDM uses the AWS default credential provider chain and default region provider chain and therefore relies on the system or environment for the AWS region and credentials. However, you use the following properties to specify them for a secrets manager.

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.region`	No	The AWS region to use. This property must be a valid input for the AWS region
`xdm.secrets.external.<secrets_manager_alias>.credentials.profile`	No	Alternate credential profile, similar to the one provided with the `AWS_PROFILE` environment variable.
`xdm.secrets.external.<secrets_manager_alias>.credentials.basic.accesskey` `xdm.secrets.external.<secrets_manager_alias>.credentials.basic.secretkey`	No	Access AWS Secrets Manager using an AWS access key ID and secret access key.
`xdm.secrets.external.<secrets_manager_alias>.credentials.session.accesskey` `xdm.secrets.external.<secrets_manager_alias>.credentials.session.secretkey` `xdm.secrets.external.<secrets_manager_alias>.credentials.session.token`	No	Access AWS Secrets Manager by explicitly providing temporary credentials.

xdm.secrets.external.<secrets_manager_alias>.region

The AWS region to use. This property must be a valid input for the AWS region

xdm.secrets.external.<secrets_manager_alias>.credentials.profile

Alternate credential profile, similar to the one provided with the AWS_PROFILE environment variable.

xdm.secrets.external.<secrets_manager_alias>.credentials.basic.accesskey
xdm.secrets.external.<secrets_manager_alias>.credentials.basic.secretkey

Access AWS Secrets Manager using an AWS access key ID and secret access key.

xdm.secrets.external.<secrets_manager_alias>.credentials.session.accesskey
xdm.secrets.external.<secrets_manager_alias>.credentials.session.secretkey
xdm.secrets.external.<secrets_manager_alias>.credentials.session.token

Access AWS Secrets Manager by explicitly providing temporary credentials.

Azure Key Vault

xDM can read text secrets stored in Azure Key Vault.

Configuration properties

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.vaulturl`	Yes	Azure Key Vault base URL.

xdm.secrets.external.<secrets_manager_alias>.vaulturl

Yes

Azure Key Vault base URL.

Azure credentials configuration

xDM uses the DefaultAzureCredentialBuilder class and relies on the system or environment for the Azure credentials. However, you can use the following properties to configure the credentials for a secrets manager.

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.credentials.tenantid` `xdm.secrets.external.<secrets_manager_alias>.credentials.clientid` `xdm.secrets.external.<secrets_manager_alias>.credentials.clientsecret`	No	Use these properties to build the credentials using a client ID and client secret. Having any of those properties defined makes the other ones required.
`xdm.secrets.external.<secrets_manager_alias>.credentials.username` `xdm.secrets.external.<secrets_manager_alias>.credentials.password`	No	Use these properties to build the credentials using a username and password. Having any of those properties defined makes the other ones required.

xdm.secrets.external.<secrets_manager_alias>.credentials.tenantid
xdm.secrets.external.<secrets_manager_alias>.credentials.clientid
xdm.secrets.external.<secrets_manager_alias>.credentials.clientsecret

Use these properties to build the credentials using a client ID and client secret. Having any of those properties defined makes the other ones required.

xdm.secrets.external.<secrets_manager_alias>.credentials.username
xdm.secrets.external.<secrets_manager_alias>.credentials.password

Use these properties to build the credentials using a username and password. Having any of those properties defined makes the other ones required.

Google Cloud secrets manager

xDM can read text secrets stored in Google Cloud Secret Manager.

Configuration properties

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.projectid`	Yes	The ID of the project in the Google Cloud Platform.
`xdm.secrets.external.<secrets_manager_alias>.versionid`	No	Version ID to send when calling `accessSecretVersion`. The default value is `latest`.

xdm.secrets.external.<secrets_manager_alias>.projectid

Yes

The ID of the project in the Google Cloud Platform.

xdm.secrets.external.<secrets_manager_alias>.versionid

Version ID to send when calling accessSecretVersion. The default value is latest.

Google Cloud credentials configuration

xDM uses Googlecredentials` to build the Google credentials and so relies on the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, you can use the following properties to configure the credentials for a secrets manager.

Property Mandatory Description

Property	Mandatory	Description
`xdm.secrets.external.<secrets_manager_alias>.credentials.file`	No	Path to the key file created in Service Account. Required if neither the `GOOGLE_APPLICATION_CREDENTIALS` environment variable above nor the properties below is defined.
`xdm.secrets.external.<secrets_manager_alias>.credentials.value`	No	Raw content of the Service Account key file. Required if neither the `GOOGLE_APPLICATION_CREDENTIALS` environment variable nor the credential file is defined.
`xdm.secrets.external.<secrets_manager_alias>.credentials.scope`	No	Provides the scope to send when calling `accessSecretVersion`. The default value is `https://www.googleapis.com/auth/cloud-platform`.

xdm.secrets.external.<secrets_manager_alias>.credentials.file

Path to the key file created in Service Account. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable above nor the properties below is defined.

xdm.secrets.external.<secrets_manager_alias>.credentials.value

Raw content of the Service Account key file. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable nor the credential file is defined.

xdm.secrets.external.<secrets_manager_alias>.credentials.scope

Provides the scope to send when calling accessSecretVersion. The default value is https://www.googleapis.com/auth/cloud-platform.

Google Cloud credentials are first checked in the credential file, then credential value, then the environment variable.