Aerospike Secret Agent is an independent process which fetches secrets from external secret managers such as AWS Secrets Manager. Its purpose is to provide a unified interface to fetch secrets from different secret managers. Secret Agent acts as a proxy between the external secret managers and the processes which need to fetch secrets. Other processes can use Secret Agent to fetch secrets from different external secret managers with reusable code. Secret Agent uses native SDKs of the corresponding secret managers.
For more information about Secret Agent features and usage, see the main documentation page.
Installation (Linux only)
Download the Secret Agent package.
Use one of the following commands, based on your preferred package manager:
sudo dpkg -i aerospike-secret-agent_<VERSION_NUMBER>-1ubuntu20.04_amd64.deb
sudo rpm -i aerospike-secret-agent_<VERSION_NUMBER>-1.el8.x86_64.rpm
<VERSION_NUMBER>with the current Secret Agent version number, and adjust the Linux architecture designation as needed.
Edit the Secret Agent configuration file
Edit your configuration file to match your system's configuration. The following is an example:
servicecontext defines how Secret Agent listens for requests. Secret Agent supports listening on TCP and UDS (Unix Domain Socket). You can specify the endpoint for TCP and path for UDS. Refer to the TCP configuration guide and UDS configuration guide for more details.
secret-managercontext specifies one or more external secrets managers. Within each specified secrets manager, use the additional options to provide authentication details. You can specify multiple resources for a secret manager as a map of key value pairs. The key is a user-defined name (alias) for the corresponding resource and should be unique. The process which fetches the secret uses this alias to fetch the secret from the corresponding resource.
If you use AWS Secrets Manager, the value is the Amazon Resource Name (ARN) of the secret. Refer to the AWS configuration guide for more details.
logcontext specifies the level and output of Secret Agent logging.
The following configuration options are available :
service: # at least one service is required
endpoint: 0.0.0.0:3005 # required if tcp is specified
tls: # optional
cert-file : <path-to-cert-file>
key-file : <path-to-key-file>
socket-path : <path-to-socket> # required if uds is specified
secret-manager: # exactly one secret manager is required
region: <region> # required
arn: # required
access-key-id: <access-key-id> # optional
secret-access-key: <secret-access-key> # optional
assume-role: <role-arn> # optional
log: # optional
file: <path-to-log-file> # optional (default is stdout)
level: <level> # optional : supported values are "error", "warn", "info", "debug", "trace" (default is "info")
Start the Secret Agent process
Start the Secret Agent process before starting Aerospike server.
systemctl start aerospike-secret-agent
Secret Agent runs as root by default when started as a
systemdservice. If you prefer to run Secret Agent as a non-root user, you can edit the
systemdservice file (
/etc/systemd/system/aerospike-secret-agent.service). Update the User and Group options in the
[Service]section as shown in the following example.
Description=Aerospike Secret Agent
ExecStart=/usr/local/bin/aerospike-secret-agent --config-file /etc/aerospike-secret-agent/config.yaml
Communicating with Secret Agent
Application code which communicates with Secret Agent should transmit requests and receive responses which conform to the Secret Agent specification.