External Secret Descriptor reference
External Secret descriptor
An external secret allows an Akka service to source secrets from an external secret manager.
| Field | Type | Description |
|---|---|---|
| aws | | Configuration for AWS external secrets. |
| azure | | Configuration for Azure KeyVault external secrets. |
| gcp | | Configuration for GCP Secret Manager external secrets. |
AwsExternalSecret
AWS external secret configuration.
| Field | Type | Description |
|---|---|---|
| objects | []AwsExternalSecretObject (required) | The secret objects to mount from AWS. |
AwsExternalSecretObject
An AWS secret object that should be mounted as part of the external secret.
| Field | Type | Description |
|---|---|---|
| name | string (required) | The name of the object. For Secrets Manager this is the SecretId parameter and can be either the friendly name or the full ARN of the secret. For SSM Parameter Store, this is the name of the parameter and can be either the name or the full ARN of the parameter. |
| type | string | The type of the object, either |
| alias | string | The filename of the object on disk. Defaults to the object name. |
| version | string | The version of the object. Defaults to latest. |
| versionLabel | string | The label of the version. Defaults to latest. |
| jmesPath | | If the secret is JSON, specifies which JSON key/value pairs to extract from the secret and mount as individual secrets. |
| filePermission | int | The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values specified by a leading 0, whereas JSON requires decimal values. If not specified, the volume's default mode is used. |
AwsExternalSecretJmesPath
| Field | Type | Description |
|---|---|---|
| path | string (required) | The JMES path to use for extracting the secret. |
| alias | string | The filename for the extracted secret. |
| filePermission | int | The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values specified by a leading 0, whereas JSON requires decimal values. If not specified, the volume's default mode is used. |
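The filePermission rule above is the same for every object type on this page, and it is easy to get wrong when a descriptor is written in JSON (where 0644 must be spelled 420) or when a YAML loader returns a leading-0 octal as a string. The following checker is an added example, not part of the Akka reference or its tooling; it assumes jmesPath is a list of AwsExternalSecretJmesPath entries and uses made-up secret names.

```python
# Added example, not from the Akka reference. Assumes jmesPath is a list of
# AwsExternalSecretJmesPath entries, each with its own optional filePermission.
MAX_MODE = 0o777  # 511 decimal, the upper bound the reference allows

def normalize_file_permission(value):
    """Return filePermission as an int mode, or raise ValueError.
    JSON carries only decimal ints (0644 must be written 420; a decimal 644 is
    > 511, the classic octal-typed-into-JSON mistake). A YAML leading-0 octal
    that a loader kept as the string "0644" is parsed base 8.
    """
    if isinstance(value, str):
        s = value.strip()
        if not (len(s) == 4 and s[0] == "0" and all(c in "01234567" for c in s)):
            raise ValueError(f"expected 4-digit octal with leading 0, got {value!r}")
        mode = int(s, 8)
    elif isinstance(value, int) and not isinstance(value, bool):
        mode = value
    else:
        raise ValueError(f"unsupported filePermission {value!r}")
    if not 0 <= mode <= MAX_MODE:
        raise ValueError(f"{value!r} -> {mode} is outside 0..511 (0000..0777)")
    return mode

def check_descriptor(desc):
    """Walk desc["aws"]["objects"]; return (errors, warnings) as (location, msg)."""
    errors, warnings = [], []
    for i, obj in enumerate(desc.get("aws", {}).get("objects", [])):
        entries = [(f"objects[{i}]", obj)] + [(f"objects[{i}].jmesPath[{j}]", jp)
                                             for j, jp in enumerate(obj.get("jmesPath") or [])]
        for loc, entry in entries:
            if "filePermission" not in entry:
                continue  # the volume default mode (0644) applies
            try:
                mode = normalize_file_permission(entry["filePermission"])
            except ValueError as e:
                errors.append((loc, str(e)))
                continue
            if mode & 0o077:  # secret readable by group/other inside the container
                warnings.append((loc, f"mode {mode:04o} is readable beyond the owner"))
    return errors, warnings

# Constructed sample as a YAML/JSON loader might return it (names are made up).
SAMPLE = {"aws": {"objects": [
    {"name": "prod/db-credentials", "filePermission": 256,  # 0o400, owner read only
     "jmesPath": [{"path": "password", "alias": "db-password", "filePermission": 644}]},
    {"name": "prod/api-key", "filePermission": "0644"},  # octal string, wider than owner
]}}

def check_sample():
    return check_descriptor(SAMPLE)
```

Running check_sample() rejects the decimal 644 on the jmesPath entry and flags the 0644 mode as readable beyond the file owner; the 256 (0o400) entry passes cleanly.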
AzureExternalSecret
Azure KeyVault external secret configuration.
| Field | Type | Description |
|---|---|---|
| keyVaultName | string (required) | The name of the KeyVault. |
| tenantID | string (required) | The ID of the tenant that the KeyVault is in. |
| clientID | string (required) | The ID of the client that was created to access the KeyVault via federated workload identity. |
| cloudName | string | If using a non-default cloud, the name of the cloud. |
| objects | []AzureExternalSecretObject (required) | The secret objects to mount from the KeyVault. |
AzureExternalSecretObject
An Azure KeyVault object that should be mounted as part of the external secret.
| Field | Type | Description |
|---|---|---|
| name | string (required) | The name of the object in the KeyVault. |
| type | string (required) | The type of the object, either |
| alias | string | The alias for the object. This is the filename of the object when mounted into the Akka service's container. Defaults to the object name. |
| version | string | The version of the object to mount. Defaults to the latest. |
| versionHistory | int | If set and non-zero, specifies that multiple versions from the history should be mounted. In that case the object name/alias is a folder, and the top N (where N is versionHistory) versions of the secret are placed in that folder as files. The filename for each version is an integer, starting with 0 for the latest version, 1 for the next most recent, and so on. |
| encoding | string | The encoding of the object. Valid types are |
| format | string | The format of the object. Supported types are |
| filePermission | int | The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values specified by a leading 0, whereas JSON requires decimal values. If not specified, the volume's default mode is used. |
GcpExternalSecret
GCP Secret Manager external secret configuration.
| Field | Type | Description |
|---|---|---|
| projectId | string (required) | The GCP project ID that the secrets are in. |
| location | string | If using regional secrets, the default location of the secrets. |
| objects | []GcpExternalSecretObject (required) | The secret objects to mount. |
GcpExternalSecretObject
A GCP Secret Manager object that should be mounted as part of the external secret.
| Field | Type | Description |
|---|---|---|
| name | string (required) | The name of the secret in GCP Secret Manager. |
| path | string (required) | The path that the object will be mounted at. |
| version | string | The version of the secret to mount. Defaults to |
| projectId | string | The project ID of the object, if different from the default project ID configured for the secret. |
| location | string | If the object is a regional secret, the location of the object, if different from the default location configured for the secret. |
| filePermission | int | The permission of the file being mounted. Defaults to 0644. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. Note that YAML accepts both octal and decimal values, with octal values specified by a leading 0, whereas JSON requires decimal values. If not specified, the volume's default mode is used. |