Configure external secrets managers
A Secrets Manager is a service, external to Semarchy xDM, that manages and stores secrets for multiple applications. Such secrets may be referenced from Semarchy xDM and retrieved when needed from the Secrets Manager.
Supported secrets managers
Semarchy xDM supports the following secrets managers to store the secrets:
- AWS: Stores the secrets in an AWS Secrets Manager.
- AZURE: Stores the secrets in an Azure Key Vault.
- GCP: Stores the secrets in a Google Cloud Secret Manager.
Secrets manager configuration
Secrets managers are configured using startup configuration properties.
Secrets manager alias
Each secrets manager is identified by an alias. This alias is a lowercase string containing only alphanumeric characters. Other characters, such as spaces, dots, dashes, underscores, etc., are not supported in the alias. In addition, the alias cannot be one of the reserved aliases: `current` and `insecure`.
The alias is part of the name of the secrets manager configuration properties. For example, the `xdm.secrets.external.azurecorporate.type` property defines the type of the `azurecorporate` secrets manager.
Common properties
The following table lists the common properties used to configure each secrets manager.
| Property | Description |
|---|---|
| `xdm.secrets.external.<alias>.type` | Required. Secret manager type. Possible values are `AWS`, `AZURE`, and `GCP`. Each type of secrets manager has its own set of configuration properties, listed in the following sections for the AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager. |
| | Optional. Configures whether the secrets manager is allowed by default for usages in Semarchy xDM. For more information, see Limit secrets usage. |
| | Optional. Overrides, for a given |
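The alias rules and the required `type` property above can be checked before startup. The following Python script is an added example, not part of the Semarchy xDM product or documentation: it groups `xdm.secrets.external.<alias>.<property>` lines from a constructed properties file by alias and reports aliases that are not lowercase alphanumeric, reserved aliases, and missing or unsupported types. The property file content and alias names are constructed for illustration.

```python
import re
from collections import defaultdict

# Rules taken from the page: lowercase alphanumeric aliases only,
# "current" and "insecure" reserved, supported types AWS, AZURE, GCP.
ALIAS_RE = re.compile(r"^[a-z0-9]+$")
RESERVED_ALIASES = {"current", "insecure"}
SUPPORTED_TYPES = {"AWS", "AZURE", "GCP"}
PREFIX = "xdm.secrets.external."

# Constructed sample startup properties (aliases and values are made up).
SAMPLE_PROPERTIES = """\
xdm.secrets.external.azurecorporate.type=AZURE
xdm.secrets.external.awsprod.type=AWS
xdm.secrets.external.Bad-Alias.type=GCP
xdm.secrets.external.insecure.type=GCP
xdm.secrets.external.gcpdev.type=VAULT
xdm.secrets.external.notype.other=1
"""


def parse_secrets_managers(text):
    """Group external secrets manager properties by alias and validate them.

    Returns (managers, errors): managers maps alias -> {property: value},
    errors is a list of human-readable validation problems.
    """
    managers = defaultdict(dict)
    errors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(PREFIX):
            continue  # not an external secrets manager property
        rest = key[len(PREFIX):]
        if "." not in rest:
            errors.append(f"{key}: missing property name after alias")
            continue
        alias, prop = rest.split(".", 1)
        managers[alias][prop] = value
    for alias, props in sorted(managers.items()):
        if not ALIAS_RE.match(alias):
            errors.append(f"{alias}: alias must be lowercase alphanumeric")
        elif alias in RESERVED_ALIASES:
            errors.append(f"{alias}: alias is reserved")
        if "type" not in props:
            errors.append(f"{alias}: required property 'type' is missing")
        elif props["type"] not in SUPPORTED_TYPES:
            errors.append(f"{alias}: unsupported type {props['type']!r}")
    return dict(managers), errors
```

Running `parse_secrets_managers(SAMPLE_PROPERTIES)` on the sample flags `Bad-Alias`, `insecure`, `gcpdev`, and `notype` while accepting `azurecorporate` and `awsprod`.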
AWS Secrets Manager
Semarchy xDM can read secrets stored in AWS Secrets Manager in two forms:
-
Text: the secret stores a plain text string. For example, a password.
-
JSON: the secret stores a JSON object, into which one property is retrieved and used as a string.
Configuration properties
| Property | Description |
|---|---|
| | Optional. Provides the VersionStage used to retrieve the secret value. |
AWS region and credentials configuration
Semarchy xDM uses the AWS Default Credential Provider Chain and Default Region Provider Chain and therefore relies on the system/environment for the AWS region and credentials. However, you can use the following properties to specify them for a given secrets manager.

| Property | Description |
|---|---|
| | Optional. AWS region to use. This property must be a valid input for AWS Region |
| | Optional. Alternate credential profile, similar to the one provided with the AWS_PROFILE environment variable. |
| | Optional. Access AWS Secrets Manager using an AWS access key ID and secret access key. |
| | Optional. Access AWS Secrets Manager by explicitly providing temporary credentials. |
Azure key vault
Semarchy xDM can read text secrets stored in Azure Key Vault.
Configuration properties
| Property | Description |
|---|---|
| | Required. Azure Key Vault base URL. |
Azure credentials configuration
Semarchy xDM uses the DefaultAzureCredentialBuilder and relies on the system/environment for the Azure Credentials. However, you can use the following properties to configure the credentials for a secrets manager.
| Property | Description |
|---|---|
| | Use these properties to build the credentials using a client ID and client secret. Defining any one of these properties makes the others required. |
| | Use these properties to build the credentials using a username and password. Defining any one of these properties makes the others required. |
Google Cloud secrets manager
Semarchy xDM can read text secrets stored in Google Cloud Secret Manager.
Configuration properties
| Property | Description |
|---|---|
| | Required. The ID of the project in the Google Cloud Platform. |
| | Optional. VersionId to send when calling accessSecretVersion. The default value is `latest`. |
Google Cloud credentials configuration
Semarchy xDM uses GoogleCredentials to build the Google credentials and therefore relies on the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, you can use the following properties to configure the credentials for a given secrets manager.

| Property | Description |
|---|---|
| | Path to the key file created in Service Account. Required if neither the |
| | Raw content of the Service Account key file. Required if neither the |
| | Optional. Provides the scope to send when calling accessSecretVersion. The default value is |

Google Cloud credentials are resolved in this order: the credential file is checked first, then the credential value, and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.