helm-external-secrets/docs/provider-akeyelss.md

Akeyless Vault

External Secrets Operator integrates with Akeyless API.

Authentication

The API requires an access-id, access-type and access-Type-param. the supported auth-methods are their params:

accessType	accessTypeParam
api_key	The access key.
k8s	The k8s configuration name
aws_iam	-
gcp	The gcp audience
azure_ad	azure object id

form more information about Akeyless Authentication Methods

Akeless credentials secret

Create a secret containing your credentials:

apiVersion: v1
kind: Secret
metadata:
  name: akeylss-secret-creds
type: Opaque
stringData:
  accessId: "p-XXXX"
  accessType:  # k8s/aws_iam/gcp/azure_ad/api_key
  accessTypeParam:  # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key

Update secret store

Be sure the akeyless provider is listed in the Kind=SecretStore and the akeylessGWApiURL is set (def: "https://api.akeless.io".

{% include 'akeyless-secret-store.yaml' %}

Creating external secret

To get a secret from Akeyless and secret it on the Kubernetes cluster, a Kind=ExternalSecret is needed.

{% include 'akeyless-external-secret.yaml' %}

Using DataFrom

DataFrom can be used to get a variable as a JSON string and attempt to parse it.

{% include 'akeyless-external-secret-json.yaml' %}

Getting the Kubernetes secret

The operator will fetch the project variable and inject it as a Kind=Secret.

kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d

kubectl get secret akeyless-secret-to-create-json -o jsonpath='{.data}'