Configure external secrets managers

A Secrets Manager is a service, external to Semarchy xDM, that manages and stores secrets for multiple applications. Such secrets may be referenced from Semarchy xDM and retrieved when needed from the Secrets Manager.

Supported secrets managers

Semarchy xDM supports the following secrets managers for storing secrets:

  • AWS: Stores the secrets in an AWS Secrets Manager.

  • AZURE: Stores the secrets in an Azure Key Vault.

  • GCP: Stores the secrets in a Google Cloud Secret Manager.

Secrets manager configuration

Secrets managers are configured using startup configuration properties.

Secrets manager alias

Each secrets manager is identified by an alias. This alias is a lowercase string containing only alphanumeric characters. Other characters, such as spaces, dots, dashes, underscores, etc., are not supported in the alias. In addition, the alias cannot be one of the reserved aliases: current, insecure.

The alias is part of the name of the secrets manager configuration properties. For example, the xdm.secrets.external.azurecorporate.type property defines the type of the azurecorporate secrets manager.

Common properties

The following table lists the common properties used to configure each secrets manager.

Property Description

xdm.secrets.external.<secrets_manager_alias>.type

Required. Secret manager type. Possible values are AWS, AZURE or GCP.

xdm.secrets.external.<secrets_manager_alias>.<property>

Each type of secrets manager has its own set of configuration properties, listed in the following sections for the AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

xdm.secrets.external.<secrets_manager_alias>.allowed

Optional. Configures whether the secrets manager is allowed by default for usages in Semarchy xDM. See Limit secrets usage for more information.

xdm.secrets.external.<secrets_manager_alias>.allowed.<secret_usage>

Optional. Overrides, for a given <secret_usage>, the default allowed value. See Limit secrets usage for more information.

AWS Secrets Manager

Semarchy xDM can read secrets stored in AWS Secrets Manager in two forms:

  • Text: the secret stores a plain text string. For example, a password.

  • JSON: the secret stores a JSON object, into which one property is retrieved and used as a string.

Configuration properties

Property Description

xdm.secrets.external.<secrets_manager_alias>.versionstage

Optional. Provides the VersionStage used to retrieve the secret value.

AWS region and credentials configuration

Semarchy xDM uses the AWS Default Credential Provider Chain and Default Region Provider Chain and therefore relies on the system/environment for the AWS region and credentials. However, you can use the following properties to specify them for a secrets manager.

xdm.secrets.external.<secrets_manager_alias>.region

Optional. AWS region to use. This property must be a valid input for an AWS Region.

xdm.secrets.external.<secrets_manager_alias>.credentials.profile

Optional. Alternate credential profile, similar to the one provided with the AWS_PROFILE environment variable.

xdm.secrets.external.<secrets_manager_alias>.credentials.basic.accesskey
xdm.secrets.external.<secrets_manager_alias>.credentials.basic.secretkey

Optional. Access AWS Secrets Manager using an AWS access key ID and secret access key.

xdm.secrets.external.<secrets_manager_alias>.credentials.session.accesskey
xdm.secrets.external.<secrets_manager_alias>.credentials.session.secretkey
xdm.secrets.external.<secrets_manager_alias>.credentials.session.token

Optional. Access AWS Secrets Manager by explicitly providing temporary credentials.

Azure key vault

Semarchy xDM can read text secrets stored in Azure Key Vault.

Configuration properties

Property Description

xdm.secrets.external.<secrets_manager_alias>.vaulturl

Required. Azure Key Vault base URL.

Azure credentials configuration

Semarchy xDM uses the DefaultAzureCredentialBuilder and relies on the system/environment for the Azure credentials. However, you can use the following properties to configure the credentials for a secrets manager.

Property Description

xdm.secrets.external.<secrets_manager_alias>.credentials.tenantid
xdm.secrets.external.<secrets_manager_alias>.credentials.clientid
xdm.secrets.external.<secrets_manager_alias>.credentials.clientsecret

Use these properties to build the credentials using a client ID and client secret. Defining any one of these properties makes the others required.

xdm.secrets.external.<secrets_manager_alias>.credentials.username
xdm.secrets.external.<secrets_manager_alias>.credentials.password

Use these properties to build the credentials using a username and password. Defining any one of these properties makes the other required.

Google Cloud secrets manager

Semarchy xDM can read text secrets stored in Google Cloud Secret Manager.

Configuration properties

Property Description

xdm.secrets.external.<secrets_manager_alias>.projectid

Required. The ID of the project in the Google Cloud Platform.

xdm.secrets.external.<secrets_manager_alias>.versionid

Optional. VersionId to send when calling accessSecretVersion. The default value is latest.

Google Cloud credentials configuration

Semarchy xDM uses GoogleCredentials to build the Google credentials and therefore relies on the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, you can use the following properties to configure the credentials for a secrets manager.

Property Description

xdm.secrets.external.<secrets_manager_alias>.credentials.file

Path to the key file created for the service account. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable above nor the properties below are defined.

xdm.secrets.external.<secrets_manager_alias>.credentials.value

Raw content of the service account key file. Required if neither the GOOGLE_APPLICATION_CREDENTIALS environment variable nor the credentials file is defined.

xdm.secrets.external.<secrets_manager_alias>.credentials.scope

Optional. Provides the scope to send when calling accessSecretVersion. The default value is https://www.googleapis.com/auth/cloud-platform.

Google Cloud credentials are resolved in this order: the credentials file first, then the credentials value, then the environment variable.
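The following script is an added example, not part of the Semarchy xDM documentation or product, that shows how the rules on this page fit together across a whole startup configuration: the alias constraints and reserved names, the required type and its permitted values, the per-type required properties (vaulturl for Azure, projectid for Google Cloud), the all-or-nothing Azure credential groups, and the Google Cloud credential resolution order. It parses a constructed properties sample (aliases, URLs, IDs and the secret usage name "datasource" are all invented placeholders) and reports configuration problems before they would surface at startup, plus a defender-side warning wherever long-lived credential material is placed directly in the properties file instead of being left to the platform's default provider chain.

```python
import re
from typing import Dict, List

# Constructed sample of startup properties; every alias, URL and ID below is a
# placeholder invented for this example, not a value from the documentation.
SAMPLE_PROPERTIES = """
xdm.secrets.external.awsprod.type=AWS
xdm.secrets.external.awsprod.region=eu-west-1
xdm.secrets.external.awsprod.allowed=false
# "datasource" is a placeholder secret usage name, not one taken from the page
xdm.secrets.external.awsprod.allowed.datasource=true
xdm.secrets.external.azurecorporate.type=AZURE
xdm.secrets.external.azurecorporate.vaulturl=https://example-vault.vault.azure.net/
xdm.secrets.external.azurecorporate.credentials.tenantid=00000000-0000-0000-0000-000000000000
xdm.secrets.external.azurecorporate.credentials.clientid=11111111-1111-1111-1111-111111111111
xdm.secrets.external.gcpmain.type=GCP
xdm.secrets.external.gcpmain.projectid=example-project
xdm.secrets.external.gcpmain.credentials.value={"type": "service_account"}
xdm.secrets.external.Bad-Alias.type=AWS
xdm.secrets.external.current.type=GCP
xdm.secrets.external.nokind.region=us-east-1
"""

PREFIX = "xdm.secrets.external."
ALIAS_RE = re.compile(r"^[a-z0-9]+$")          # lowercase alphanumeric only
RESERVED_ALIASES = {"current", "insecure"}
VALID_TYPES = {"AWS", "AZURE", "GCP"}
REQUIRED_BY_TYPE = {"AWS": (), "AZURE": ("vaulturl",), "GCP": ("projectid",)}
# Azure credential properties are all-or-nothing within each group.
AZURE_CREDENTIAL_GROUPS = (
    ("credentials.tenantid", "credentials.clientid", "credentials.clientsecret"),
    ("credentials.username", "credentials.password"),
)
# Properties whose value is credential material rather than a reference to it.
STATIC_SECRET_PROPS = (
    "credentials.basic.secretkey", "credentials.session.secretkey",
    "credentials.session.token", "credentials.clientsecret",
    "credentials.password", "credentials.value",
)


def parse_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Group xdm.secrets.external.<alias>.<property> lines by alias.

    The alias cannot contain a dot, so the first dot after the prefix ends it."""
    managers: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(PREFIX):
            continue
        alias, _, prop = key[len(PREFIX):].partition(".")
        managers.setdefault(alias, {})[prop] = value
    return managers


def validate_manager(alias: str, props: Dict[str, str]) -> List[str]:
    """Return the list of problems found in one secrets manager's properties."""
    problems: List[str] = []
    if not ALIAS_RE.match(alias):
        problems.append(f"alias '{alias}' must be lowercase alphanumeric")
    if alias in RESERVED_ALIASES:
        problems.append(f"alias '{alias}' is reserved")
    kind = props.get("type")
    if kind is None:
        problems.append("missing required property 'type'")
        return problems
    if kind not in VALID_TYPES:
        problems.append(f"unknown type '{kind}' (expected AWS, AZURE or GCP)")
        return problems
    for required in REQUIRED_BY_TYPE[kind]:
        if required not in props:
            problems.append(f"{kind} requires property '{required}'")
    if kind == "AZURE":
        for group in AZURE_CREDENTIAL_GROUPS:
            present = [p for p in group if p in props]
            if present and len(present) != len(group):
                missing = sorted(set(group) - set(present))
                problems.append(f"incomplete credential group, missing {missing}")
    return problems


def static_secret_warnings(alias: str, props: Dict[str, str]) -> List[str]:
    """Flag credential material embedded in the startup configuration."""
    return [f"{alias}: '{p}' embeds credential material in the properties file"
            for p in STATIC_SECRET_PROPS if p in props]


def gcp_credential_source(props: Dict[str, str], env: Dict[str, str]) -> str:
    """Apply the documented order: credentials file, then value, then env var."""
    if "credentials.file" in props:
        return "file"
    if "credentials.value" in props:
        return "value"
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        return "environment"
    return "none"


def validate_all(text: str) -> Dict[str, List[str]]:
    """Validate every manager in a properties text; returns alias -> problems."""
    return {alias: validate_manager(alias, props)
            for alias, props in parse_properties(text).items()}


if __name__ == "__main__":
    managers = parse_properties(SAMPLE_PROPERTIES)
    for alias, props in managers.items():
        for problem in validate_manager(alias, props):
            print(f"ERROR {alias}: {problem}")
        for warning in static_secret_warnings(alias, props):
            print(f"WARN  {warning}")
```

Run against the sample, the script rejects the mixed-case alias, the reserved alias current (which is also missing projectid), the manager with no type, and the Azure manager whose client-secret group is incomplete, while warning that gcpmain carries the raw service account key in the properties file. The checks are a client-side lint derived from the rules stated on this page; they do not replace the validation Semarchy xDM performs itself at startup.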