Overview

The External Secret Syncer is a marketplace application that can be used to continuously sync externally-stored secrets/parameters with Control Plane secrets. If you store your secrets externally, you can use this app to automatically keep Control Plane configuration options up to date.

Supported External Services

Setup

Prerequisies

  1. Have a secret/parameter set up in one of the external services supported
  2. Get an IAM account ready that allow read permissions for the desired secret

Steps

  1. Click the ESS application on the Console marketplace
  2. Configure the options for your external secrets. See configuration
  3. (optional) Add cloud access to identity if available, instead of supplying keys in configuration.

Configuration

providers:
  - name: my-vault # unique across all providers
    syncInterval: 20s # override the default interval of 30s
    vault:
      address: https://myvault.com:6443 # required for vault
      token: <my vault token> # required for vault
  - name: my-param-store
    awsParameterStore:
      region: us-west-2
      enpoint: <endpoint> # optional
      accessKeyId: <access key ID> # optional
      secretAccessKey: <secret access key> # optional
  - name: my-secret-manager
    awsSecretManager:
      region: us-west-2
      enpoint: <endpoint> # optional
      accessKeyId: <access key ID> # optional
      secretAccessKey: <secret access key> # optional
  - name: my-1password
    onePassword:
      serviceAccountToken: <token> # can use OP_SERVICE_ACCOUNT_TOKEN env instead
      integrationName: my-ess # defaults to syncer.cpln.io
      integrationVersion: v1.0.0 # defaults to ESS version
  - name: my-doppler
    doppler:
      accessToken: <token>
secrets:
  - name: hello # creates a dictionary secret named "hello" with these key-value pairs
    provider: my-vault
    syncInterval: 1m # override vault specific sync interval for this secret
    dictionary:
      PORT:
        path: /v1/secret/data/app
        parse: data.port
        default: 5432
      PASSWORD:
        path: /v1/secret/data/app
        parse: data.password
        default: 'no pass'
  - name: hello2 # creates an opaque secret named "hello2" containing the value of "user" key in /path/to/secret
    provider: my-secret-manager
    opaque:
      path: /path/to/secret
      parse: user
  - name: hello3 # creates an opaque secret named "hello3" containing the full /path/to/secret payload
    provider: my-secret-manager
    opaque: /path/to/secret # stores whole aws secret (potentially JSON) in opaque secret
    encoding: base64 # decode the secret from base64 to plaintext (utf-8)
  - name: one-password-secret
    provider: my-1password
    opaque: /vault/item/password # format /<vault>/<item>/[section/]<field>
  - name: doppler-secret
    provider: my-doppler
    opaque: /project/config/secret # format /<project>/<config>/<secret>
Vault KV engine secrets look like:
{
  "data": {
    "PORT": "1234"
  },
  "metadata": {
    "created_time": "2025-03-11T20:05:41.865209462Z",
    "custom_metadata": null,
    "deletion_time": "",
    "destroyed": false,
    "version": 1
  }
}
If you use parse, make sure to start with data to get the secret content

Secret

A secret generated by ESS will look like: 
kind: secret
name: hello
description: hello
tags:
  syncer.cpln.io/lastError: '' # if ESS is experiencing an error, it will populate this tag
  syncer.cpln.io/source: //gvc/<gvc name>/workload/<name of ess workload>
type: dictionary
data:
  PORT: '1234'
  PASSWORD: 'no pass' # if USERNAME was not found on the secret, the default is used