mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/docs/provider/alibaba.md
Victor Santos 96233b759a
docs(alibaba): add access key authentication (#2934)
Signed-off-by: Victor Santos <vsantos.py@gmail.com>
2023-12-07 17:43:03 +01:00


## Alibaba Cloud Secrets Manager
External Secrets Operator integrates with [Alibaba Cloud Key Management Service](https://www.alibabacloud.com/help/en/key-management-service/latest/kms-what-is-key-management-service/) for secret and key management.
### Authentication
We support Access key and RRSA authentication.
To use RRSA authentication, follow [Use RRSA to authorize pods to access different cloud services](https://www.alibabacloud.com/help/en/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control/) to assign the RAM role to the external-secrets operator.
#### Access Key authentication
To use `accessKeyID` and `accessKeySecret`, create them beforehand in a regular `Kind: Secret` and reference that Secret from the `SecretStore`:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  accessKeyID: bXlhd2Vzb21lYWNjZXNza2V5aWQ=
  accessKeySecret: bXlhd2Vzb21lYWNjZXNza2V5c2VjcmV0
```
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    alibaba:
      regionID: ap-southeast-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: secret-sample
            key: accessKeyID
          accessKeySecretSecretRef:
            name: secret-sample
            key: accessKeySecret
```
#### RRSA authentication
When using RRSA authentication, the OIDC token file is projected into the operator pod as a volume (the `audience` must be `sts.aliyuncs.com`):
```yaml
extraVolumes:
  - name: oidc-token
    projected:
      sources:
        - serviceAccountToken:
            path: oidc-token
            expirationSeconds: 7200 # The validity period of the OIDC token in seconds.
            audience: "sts.aliyuncs.com"
extraVolumeMounts:
  - name: oidc-token
    mountPath: /var/run/secrets/tokens
```
and then the RAM role ARN and the path of the projected token file are provided to the `SecretStore`:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    alibaba:
      regionID: ap-southeast-1
      auth:
        rrsa:
          oidcProviderArn: acs:ram::1234:oidc-provider/ack-rrsa-ce123456
          oidcTokenFilePath: /var/run/secrets/tokens/oidc-token
          roleArn: acs:ram::1234:role/test-role
          sessionName: secrets
```
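The two RRSA fragments above have to agree with each other: the token the kubelet projects must carry the `sts.aliyuncs.com` audience and still be valid, and `oidcTokenFilePath` must point inside the mounted volume. The following is an added pre-flight check for those two conditions; it is example code, not part of external-secrets, and every input (the unsigned sample token, the issuer, the timestamps) is constructed so it runs without a cluster. On a real pod you would read the token from the `oidcTokenFilePath` instead of building one.

```python
"""Pre-flight checks for an RRSA-backed Alibaba SecretStore (added example, not
external-secrets code). Parses the projected OIDC token without verifying its
signature and cross-checks oidcTokenFilePath against the volume mount.
All inputs are constructed; nothing here talks to a cluster or to Alibaba."""
import base64
import json
import os.path
import time

EXPECTED_AUDIENCE = "sts.aliyuncs.com"  # audience set on the projected token above


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Return the payload claims of a JWT without checking its signature.
    Signature verification is the STS endpoint's job; this only inspects
    what the kubelet projected into the volume."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token, now=None, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of problems with a projected token; an empty list means OK."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # 'aud' may be a single string or a list of strings
        aud = [aud]
    if expected_audience not in aud:
        problems.append(f"audience {aud!r} does not include {expected_audience!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("token has no exp claim")
    elif exp <= now:
        problems.append("token expired; the kubelet rotates projected tokens, so the file should be re-read")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append(f"unexpected subject {claims.get('sub')!r}")
    return problems


def check_token_path(secret_store, volume_mounts):
    """Check that spec.provider.alibaba.auth.rrsa has its required fields and
    that oidcTokenFilePath lies inside one of the extraVolumeMounts mountPaths."""
    problems = []
    rrsa = secret_store["spec"]["provider"]["alibaba"]["auth"].get("rrsa")
    if rrsa is None:
        return ["SecretStore does not configure auth.rrsa"]
    for field in ("oidcProviderArn", "oidcTokenFilePath", "roleArn"):
        if not rrsa.get(field):
            problems.append(f"auth.rrsa.{field} is missing")
    path = rrsa.get("oidcTokenFilePath", "")
    mounts = [m["mountPath"].rstrip("/") for m in volume_mounts]
    if os.path.dirname(path) not in mounts:
        problems.append(f"{path} is not inside any mounted volume {mounts}")
    return problems


def make_sample_token(claims):
    """Build an unsigned, JWT-shaped token for local testing only (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def sample_store(token_path="/var/run/secrets/tokens/oidc-token"):
    """The RRSA SecretStore from this page as a dict (ARNs are the page's placeholders)."""
    return {"apiVersion": "external-secrets.io/v1beta1", "kind": "SecretStore",
            "metadata": {"name": "secretstore-sample"},
            "spec": {"provider": {"alibaba": {"regionID": "ap-southeast-1", "auth": {"rrsa": {
                "oidcProviderArn": "acs:ram::1234:oidc-provider/ack-rrsa-ce123456",
                "oidcTokenFilePath": token_path,
                "roleArn": "acs:ram::1234:role/test-role",
                "sessionName": "secrets"}}}}}}


SAMPLE_MOUNTS = [{"name": "oidc-token", "mountPath": "/var/run/secrets/tokens"}]
SAMPLE_ISSUED_AT = 1_700_000_000  # constructed timestamp
SAMPLE_CLAIMS = {"iss": "https://oidc-issuer.example",  # constructed issuer
                 "aud": ["sts.aliyuncs.com"],
                 "sub": "system:serviceaccount:external-secrets:external-secrets",
                 "iat": SAMPLE_ISSUED_AT,
                 "exp": SAMPLE_ISSUED_AT + 7200}  # matches expirationSeconds above

if __name__ == "__main__":
    # On a real pod: token = open(sample_store()["spec"]["provider"]["alibaba"]["auth"]["rrsa"]["oidcTokenFilePath"]).read()
    token = make_sample_token(SAMPLE_CLAIMS)
    print("token:", check_projected_token(token, now=SAMPLE_ISSUED_AT + 60) or "OK")
    print("path: ", check_token_path(sample_store(), SAMPLE_MOUNTS) or "OK")
```

A wrong audience is the most common reason role assumption fails silently: the token is a valid service-account token, just not one STS will accept, so checking `aud` locally saves a round of log digging. The path check catches the other frequent slip, editing `mountPath` without updating `oidcTokenFilePath`.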
### Creating external secret
To create a Kubernetes Secret from an Alibaba Cloud Key Management Service secret, a `Kind=ExternalSecret` is needed:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: example-secret
    creationPolicy: Owner
  data:
    - secretKey: secret-key
      remoteRef:
        key: ext-secret
```