
Kubernetes Secrets Management - Secure Configuration Storage | Codiac CLI

You can manage Secrets just as you would any other configuration.

What you'll get

  • Reference secrets from AWS Secrets Manager or Azure Key Vault via config set with #REF| syntax
  • No secret values in Codiac; Codiac has read-only access to your existing secret stores
  • Same config hierarchy (enterprise, environment, cabinet, asset) for secrets as for plain config

Prerequisites

tip

Codiac has read-only access to your existing Secrets and Secret stores. It cannot create, edit, or remove Secret values or the Secret store itself. See your cloud service provider for instructions on creating and managing Secrets and Secret stores.

info

Secrets are only stored in your running node, where they are protected with encryption at rest.


Add

  1. Use codiac config set with the #REF| syntax to add or edit a Secret:

codiac config set #REF|PROVIDER_VALUES

  2. Replace PROVIDER_VALUES with the values required by your cloud service provider:
  • AWS: #REF|awsKeyVault|SECRET_STORE_NAME|aws|AWS_ACCOUNT_ID|REGION|SECRET_NAME
  • Azure: #REF|azKeyVault|SECRET_STORE_NAME|SECRET_NAME
  3. For example, the command to apply a Secret named locker-combo from an AWS Secrets Manager store named our-dev-secrets in us-west-1 is:

codiac config set #REF|awsKeyVault|our-dev-secrets|aws|123456789|us-west-1|locker-combo

The command to apply a Secret named locker-combo from an Azure Key Vault named our-dev-secrets is:

codiac config set #REF|azKeyVault|our-dev-secrets|locker-combo
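
An added example, not part of the Codiac documentation or CLI: a POSIX shell check that a config value is a well-formed #REF| reference in one of the two formats above, so a raw secret pasted into config is caught before it is set. The function name validate_ref and its checks are assumptions; Codiac's own validation may differ.

```shell
# Added example (not Codiac code). Field layouts come from the two formats
# on this page; validate_ref and its checks are assumptions for illustration.
validate_ref() {
    ref=$1
    case $ref in
        '#REF|'*) ;;                      # must carry the reference marker
        *) echo "error: raw value, not a #REF| reference" >&2; return 1 ;;
    esac
    case $ref in
        *[[:space:]]*|*'||'*|*'|')        # whitespace, empty or trailing field
            echo "error: malformed reference" >&2; return 1 ;;
    esac
    # Split on "|"; IFS is changed only for this read.
    IFS='|' read -r marker provider store f4 f5 f6 f7 extra <<EOF
$ref
EOF
    case $provider in
        awsKeyVault)
            # #REF|awsKeyVault|STORE|aws|ACCOUNT_ID|REGION|SECRET_NAME
            if [ -z "$f7" ] || [ -n "$extra" ] || [ "$f4" != aws ]; then
                echo "error: AWS reference has wrong shape" >&2; return 1
            fi
            case $f5 in
                *[!0-9]*) echo "error: account id must be numeric" >&2; return 1 ;;
            esac
            echo "aws store=$store account=$f5 region=$f6 secret=$f7" ;;
        azKeyVault)
            # #REF|azKeyVault|STORE|SECRET_NAME
            if [ -z "$f4" ] || [ -n "$f5" ]; then
                echo "error: Azure reference has wrong shape" >&2; return 1
            fi
            echo "azure store=$store secret=$f4" ;;
        *) echo "error: unknown provider '$provider'" >&2; return 1 ;;
    esac
}

# Constructed sample inputs: the page's two examples and a pasted raw value.
# Single quotes keep the shell from treating "#" and "|" specially.
validate_ref '#REF|awsKeyVault|our-dev-secrets|aws|123456789|us-west-1|locker-combo'
validate_ref '#REF|azKeyVault|our-dev-secrets|locker-combo'
validate_ref 'hunter2' || echo "rejected"
```
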
tip

Do you have an existing configuration you want to copy over to a new asset? Use pipes!

What's next