External Secrets Manager - Managing Secrets in AWS, GCP, K8s, and more


Deeper Dive

For more in-depth information, check out our detailed documentation on the following topics:

External Secrets Manager

AWS External Secrets Manager


Need any help?

If something in this tutorial isn't working as expected, feel free to contact our support team via Slack.

Below is a text-only guide for users, based on the video above.

What is an External Secrets Manager?

While Akeyless is built to internally store, manage, and protect your secrets, it can also be used to manage secrets stored on other secret management services such as AWS, Azure, GCP, or Kubernetes. This is done by creating an External Secrets Manager that uses Targets to open local "windows" into the related services, effectively letting you manage those secrets indirectly.

After connecting to your External Secrets source, you will be able to manage them from Akeyless, including viewing, adding, updating, and deleting secrets. The exact secret information that can be displayed in Akeyless varies between providers according to their unique attributes.

In this demo, we will show how to manage AWS Secret Manager secrets as well as Kubernetes secrets.

Managing AWS Secret Manager secrets using External Secrets Manager

Using Akeyless Console

Go to Secrets & Keys and choose New -> External Secrets Manager.

Then, choose the service you want to manage secrets from and click Next.


Important Notes

Cloud Platform ESMs are available per region. On Kubernetes, they are available per namespace.

For Kubernetes ESMs, a ClusterRole and a ClusterRoleBinding with the correct permissions are necessary.

Next, enter the Name, Target, and Gateway and click Finish.

The details of the External Secrets Manager (ESM) then appear on the right side; click the "View All Secrets" button.

You will see a new pane open up that will show your secrets.

Next, choose New Secret and give it a Name and Value, then click Save.

Go to your external service (in this case, AWS) and you will see the new secret created.

To update the secret value in Akeyless, click on the 3 dots and choose Update.

Then, update your secret value by clicking on the eye symbol.

You can confirm the change in AWS as well.

To delete the secret in Akeyless, click on the 3 dots, choose Delete, and then enter the name of the secret.

Go back to your external service and confirm the secret was deleted.

Using Akeyless CLI

To create an ESM, use the following command, supplying the Name and Target.

akeyless create-esm -n <name> -a <target name> -u <gateway-url:8000>

To view the secrets saved on your ESM, use the following command.

akeyless esm list -n <esm name> -u <gateway-url:8000>

The output should look similar to this.

{
  "secrets_list": [
    {
      "secret_id": "<secret id>",
      "name": "<secret name>",
      "created": "<timestamp>",
      "type": "<type>",
      "status": <activity status, true/false>
    }
  ]
}

To view a secret from your ESM, use the following command.

akeyless esm get -n <esm name> -s <secret id or name> -u <gateway-url:8000>

The output should look similar to this.

{
  "value": "<base64 encoded value>",
  "metadata": {
    "created": "<timestamp>",
    "updated": "<timestamp>"
  }
}

To create a new secret in your ESM, use the following command.

akeyless esm create -n <esm name> -s <new secret name> -v <secret value> -u <gateway-url:8000>

To update an existing secret in your ESM, use the following command.

akeyless esm update -n <esm name> -s <secret id or name> -v <new secret value> -u <gateway-url:8000>

To delete an existing secret in your ESM, use the following command.

akeyless esm delete -n <esm name> -s <secret id or name> -u <gateway-url:8000>
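The CLI commands above are easy to script. The following is an added example (not Akeyless' own code or tooling) that wraps them in Python: it runs the same `akeyless esm` commands with the same flags, parses the JSON shapes shown in this guide, decodes the base64-encoded `value` returned by `esm get`, and flags secrets whose `status` is false so they can be reviewed before cleanup. The gateway URL, ESM name and the sample JSON are constructed placeholders, and the wrapper assumes an `akeyless` binary that is on PATH and already authenticated.

```python
"""Small wrapper around the Akeyless CLI ESM commands (added example, not Akeyless' code).

Assumptions: `akeyless` is on PATH and authenticated; GATEWAY_URL and ESM_NAME are
placeholders; the JSON returned by `esm list` / `esm get` matches the samples in the guide.
"""
from __future__ import annotations

import base64
import json
import subprocess
from typing import Any

GATEWAY_URL = "https://gateway.example.internal:8000"  # placeholder, not a real gateway
ESM_NAME = "/esm/aws-prod"                             # placeholder ESM name


def run_akeyless(args: list[str]) -> str:
    """Run one akeyless CLI command and return its stdout; raises on a non-zero exit."""
    result = subprocess.run(["akeyless", *args], check=True, capture_output=True, text=True)
    return result.stdout


def parse_secrets_list(output: str) -> list[dict[str, Any]]:
    """Parse `akeyless esm list` output into the list of secret records."""
    return json.loads(output)["secrets_list"]


def inactive_secrets(records: list[dict[str, Any]]) -> list[str]:
    """Names of secrets whose activity status is false; review these before deleting."""
    return [r["name"] for r in records if r.get("status") is False]


def decode_secret_value(output: str) -> tuple[str, dict[str, str]]:
    """Decode the base64 `value` from `akeyless esm get` output; returns (plaintext, metadata)."""
    doc = json.loads(output)
    plaintext = base64.b64decode(doc["value"]).decode("utf-8")
    return plaintext, doc.get("metadata", {})


def list_secrets(esm_name: str = ESM_NAME, gateway_url: str = GATEWAY_URL) -> list[dict[str, Any]]:
    return parse_secrets_list(run_akeyless(["esm", "list", "-n", esm_name, "-u", gateway_url]))


def get_secret(secret: str, esm_name: str = ESM_NAME, gateway_url: str = GATEWAY_URL) -> tuple[str, dict[str, str]]:
    return decode_secret_value(
        run_akeyless(["esm", "get", "-n", esm_name, "-s", secret, "-u", gateway_url])
    )


def create_secret(name: str, value: str, esm_name: str = ESM_NAME, gateway_url: str = GATEWAY_URL) -> str:
    return run_akeyless(["esm", "create", "-n", esm_name, "-s", name, "-v", value, "-u", gateway_url])


def update_secret(secret: str, value: str, esm_name: str = ESM_NAME, gateway_url: str = GATEWAY_URL) -> str:
    return run_akeyless(["esm", "update", "-n", esm_name, "-s", secret, "-v", value, "-u", gateway_url])


def delete_secret(secret: str, esm_name: str = ESM_NAME, gateway_url: str = GATEWAY_URL) -> str:
    return run_akeyless(["esm", "delete", "-n", esm_name, "-s", secret, "-u", gateway_url])


# Constructed sample output mirroring the shapes in the guide (not captured from a real gateway).
SAMPLE_LIST = json.dumps({
    "secrets_list": [
        {"secret_id": "arn:aws:secretsmanager:placeholder:db-password", "name": "db-password",
         "created": "2024-01-01T00:00:00Z", "type": "SecretString", "status": True},
        {"secret_id": "arn:aws:secretsmanager:placeholder:legacy-api-key", "name": "legacy-api-key",
         "created": "2023-06-15T12:00:00Z", "type": "SecretString", "status": False},
    ]
})
SAMPLE_GET = json.dumps({
    "value": base64.b64encode(b"s3cr3t-value").decode("ascii"),
    "metadata": {"created": "2024-01-01T00:00:00Z", "updated": "2024-02-01T00:00:00Z"},
})

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in list_secrets()/get_secret() for a live ESM.
    records = parse_secrets_list(SAMPLE_LIST)
    print(f"{len(records)} secrets, inactive: {inactive_secrets(records)}")
    plaintext, metadata = decode_secret_value(SAMPLE_GET)
    # Log the length and metadata only; never print the decoded secret itself.
    print(f"decoded {len(plaintext)} bytes, updated {metadata.get('updated')}")
```

The decoded value is kept in memory only and never logged; the `__main__` block reports its length and metadata so the script is safe to run in CI without leaking secret material into build output.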