2021-08-19 14:33:36 +00:00
## Yandex Lockbox
External Secrets Operator integrates with [Yandex Lockbox ](https://cloud.yandex.com/docs/lockbox/ )
for secret management.
### Prerequisites
* [External Secrets Operator installed ](../guides-getting-started/#installing-with-helm )
* [Yandex.Cloud CLI installed ](https://cloud.yandex.com/docs/cli/quickstart )
### Authentication
At the moment, [authorized key ](https://cloud.yandex.com/docs/iam/concepts/authorization/key ) authentication is only supported:
* Create a [service account ](https://cloud.yandex.com/docs/iam/concepts/users/service-accounts ) in Yandex.Cloud:
```bash
yc iam service-account create --name eso-service-account
```
* Create an authorized key for the service account and save it to `authorized-key.json` file:
```bash
yc iam key create \
--service-account-name eso-service-account \
--output authorized-key.json
```
* Create a k8s secret containing the authorized key saved above:
```bash
kubectl create secret generic yc-auth --from-file=authorized-key=authorized-key.json
```
* Create a [SecretStore ](../api-secretstore/ ) pointing to `yc-auth` k8s secret:
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
name: secret-store
spec:
provider:
yandexlockbox:
auth:
authorizedKeySecretRef:
name: yc-auth
key: authorized-key
```
2022-02-03 11:39:46 +00:00
**NOTE:** In case of a `ClusterSecretStore` , Be sure to provide `namespace` in all `authorizedKeySecretRef` with the namespace where the secret resides.
2021-08-19 14:33:36 +00:00
### Creating external secret
To make External Secrets Operator sync a k8s secret with a Lockbox secret:
* Create a Lockbox secret, if not already created:
```bash
yc lockbox secret create \
--name lockbox-secret \
--payload '[{"key": "password","textValue": "p@$$w0rd"}]'
```
* Assign the [`lockbox.payloadViewer` ](https://cloud.yandex.com/docs/lockbox/security/#roles-list ) role
for accessing the `lockbox-secret` payload to the service account used for authentication:
```bash
yc lockbox secret add-access-binding \
--name lockbox-secret \
--service-account-name eso-service-account \
--role lockbox.payloadViewer
```
Run the following command to ensure that the correct access binding has been added:
```bash
yc lockbox secret list-access-bindings --name lockbox-secret
```
* Create an [ExternalSecret ](../api-externalsecret/ ) pointing to `secret-store` and `lockbox-secret` :
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: external-secret
spec:
refreshInterval: 1h
secretStoreRef:
name: secret-store
kind: SecretStore
target:
name: k8s-secret # the target k8s secret name
data:
- secretKey: password # the target k8s secret key
remoteRef:
key: ** *** # ID of lockbox-secret
property: password # (optional) payload entry key of lockbox-secret
```
The operator will fetch the Yandex Lockbox secret and inject it as a `Kind=Secret`
```yaml
kubectl get secret k8s-secret -n < namespace > | -o jsonpath='{.data.password}' | base64 -d
```