Secrets

​

Overview

Secrets are used to store strongly-encrypted information. All secrets can be injected into containers through the use of environment variables.

In addition to optionally being injected into containers as environment variables, secrets are also used for:

1. Image registry (Docker, ECR, and GCP) pull secrets, enabling workloads in a GVC to pull images from private repositories.
2. Enabling Control Plane to manage policies in Azure, using the Azure SDK and Azure Connector secret type.

​

Secret Types

• Amazon Web Services (AWS)
• Azure SDK
• Azure Connector
• Docker
• Dictionary
• ECR
• Google Cloud Platform (GCP)
• Keypair
• Opaque
• NATS Account
• TLS
• Username & Password

​

Amazon Web Services (AWS)

The AWS secret type enables a workload to consume services from AWS. It is used in cases where an identity isn’t used.

For example, when an Org does not wish to create a cloud account, or to create cloud access policy as part of an identity definition.

The recommended approach to consuming services from AWS is not to use a AWS secret, but rather to:

1. Create a cloud account.
2. Create an identity.
3. Defining a cloud access policy for the AWS account as part of the identity.

In cases where an Org wishes to not leverage the identity feature, in order to use an AWS secret, simply read the secret from the environment variable and convey its set of values to AWS using any AWS API you wish.

The AWS secret schema consists of:

• Secret Key
• Access Key
• Role ARN (Optional)
• External ID (Optional)

For an existing AWS user, these values are obtained from the AWS IAM Dashboard.

Refer to these instruction to create a new AWS IAM user in your AWS account.

​

Azure SDK

• Used to store Azure SDK credentials.

• When creating a Cloud Account using the Azure SDK, a JSON file is generated containing the credentials. This file is uploaded and automatically stored as an Azure-SDK secret.

• Sample Azure-SDK secret content:

  JSON

  {
    "subscriptionId": "2cd2674e-4f89-4a1f-b420-7a1361b46ef7",
    "tenantId": "292f5674-78b0-488b-9ff8-6d30d77f38d9",
    "clientId": "649746ce-d862-49d5-a5eb-7d5aad90f54e",
    "clientSecret": "CONFIDENTIAL"
  }
  

• If the client secret has been compromised or needs to be updated, the content of the secret can be updated using the console or CLI and will be used by the associated Cloud Accounts.

​

Azure Connector

• Used to store Azure Function App credentials.
• When creating a Cloud Account using the Azure Connector, the deployment URL and code will be saved.
• These values can be updated using the console or the CLI.

​

Docker

The Docker secret type is used when a container pulls an image from a private Docker compatible repository, such as a Org’s private repository at Control Plane, Docker Hub, or Azure Container Registry.

An authorized user then assigns a secret of this type to a GVC Pull Secret.

Workloads in the GVC can then pull their image using the secret.

The contents of a Docker secret follows this syntax:

{
  "auths": {
    "REPOSITORY_URL": {
      "username": "USERNAME",
      "password": "PASSWORD"
    }
  }
}

​

Control Plane

To create a Docker secret targeting a private repository hosted at Control Plane, a Service Account at the source Org, bound with the pull permission is required.

Example:

{
  "auths": {
    "ORG_NAME.registry.cpln.io": {
      "username": "<token>",
      "password": "SERVICE_ACCOUNT_KEY"
    }
  }
}

​

Docker Hub

To create a Docker secret targeting Docker Hub, a Docker username and password (which has permissions to pull the images) are required.

There are two ways to create the secret content:

1. Username & Password Keys

   Example:

   JSON

   {
     "auths": {
       "https://index.docker.io/v1/": {
         "username": "USERNAME",
         "password": "PASSWORD"
       }
     }
   }
   

2. auth Key

   • When using a password, the value of the auth key is the base64 encoded result of the string USERNAME:PASSWORD.

   Example:

   JSON

   {
     "auths": {
       "https://index.docker.io/v1/": {
         "auth": "BASE_64_ENCODING(USERNAME:PASSWORD)"
       }
     }
   }
   

   • When using a Docker Access Token, the value of the auth key is the base64 encoded result of the string USERNAME:DOCKER_ACCESS_TOKEN.

   Example:

   JSON

   {
     "auths": {
       "https://index.docker.io/v1/": {
         "auth": "BASE_64_ENCODING(USERNAME:DOCKER_ACCESS_TOKEN)"
       }
     }
   }
   

​

Azure Container Registry

To create a Docker secret targeting the Azure Container Registry, the following properties are required:

• Repository URL
• Service Principal ID
• Password

An Azure Service Principal is recommended as the identity used to pull images.

Refer to this article to create an Azure Service Principal that only has the pull permission.

• The format of the repository URI is: REGISTRY_NAME.azurecr.io and can be obtained from the Azure Container Registry section of the Azure Portal.
• The USERNAME is the ID GUID of the Service Principal (e.g., ed0a30b4-5cd0-44af-864a-cf825b0ceeb6).
• The PASSWORD is generated when creating the Service Principal. By default, the password expires after 1 year.

Example:

{
  "auths": {
    "REGISTRY_NAME.azurecr.io": {
      "username": "APP_ID",
      "password": "PASSWORD"
    }
  }
}

​

GitHub Container Registry

To create a Docker secret targeting GitHub, a GitHub personal access token (which has the read:packages scope) is required.

Example:

{
  "auths": {
    "ghcr.io": {
      "username": "controlplane",
      "password": "PERSONAL_ACCESS_TOKEN"
    }
  }
}

​

Dictionary

• Used to securely store key/value pairs that can be used by a workload’s environment variables.
• Multiple key/value pairs can be added to a single dictionary secret.

​

ECR

The Elastic Container Registry (ECR) secret type is used when a workload pulls a container image from a private AWS ECR repository.

This secret type is used when configuring a GVC’s Pull Secret. Workloads that are connected to that GVC will have access to the secret when pulling the image.

The ECR secret consists of:

• AWS Secret Key
• AWS Access Key
• AWS Role ARN (Optional; This role will be assumed after authentication with the IAM user’s programmatic access)
• ECR Repository URIs (e.g., AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPO_NAME)
• External ID (Optional)

To obtain the keys required to create an ECR secret, from the AWS IAM Dashboard:

1. Add a new IAM User with programmatic access.
2. Create an Access Token for the new user and take note/download the secret and access key.
3. Create a new IAM Policy for the Elastic Container Registry service with the Read action on the specific repositories.
4. Attach the new IAM Policy to the new IAM User.
5. Optionally, impersonate the IAM user with its credentials and try to pull an image locally as described here.
6. Create the ECR secret using either the UI Console or CLI.

​

Amazon ECR Helper Links

• ECR Dashboard
• Private registry concepts

​

Google Cloud Platform (GCP)

• Similar to a Docker and ECR secret, a GCP secret is used when a workload pulls a container image from a private Google Container Registry.
• This secret type is used when configuring a GVC Pull Secret. Workloads that are connected to that GVC will have access to the secret when pulling the image.
• Using the UI, the secret JSON text can be in a file that is uploaded or pasted into the textbox.
• Below is a sample of a GCP secret. The values can be obtained from your GCP account.

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "PRIVATE_KEY_ID",
  "private_key": "PRIVATE_KEY_CERTIFICATE",
  "client_email": "CLIENT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "X509_CERTIFICATE_URL"
}

​

Keypair

• Used to securely store a keypair that can be used by a workload’s environment variables.
• A keypair secret consists of:
  • Secret key
  • Public key
  • Passphrase (required if the secret key is encrypted)
• Using the UI, the secret and public key text can be in a file that is uploaded or pasted into the textbox.
• The keys will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9A26BB15304B18E7

ZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L
dIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT
gQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP
616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH
te2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2
IRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw
uXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+
1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3
qopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1
sLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ
yvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY
6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR
0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ
YZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8
aZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm
iW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT
C/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W
D7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj
Ve0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr
Wjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN
6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht
xx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW
RyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3
hWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA
85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv
-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv
baAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO
BhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m
XMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr
ryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3
NxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3
XwIDAQAB
-----END PUBLIC KEY-----

cpln

​

Opaque

Opaque secrets are used to securely store any text.

When creating or updating an opaque secret, an option is available to perform a base64 decode at runtime.

To access the stored text, an environment variables’ value must be set to one of the following:

1. cpln://secret/SECRET_NAME.payload

   • If the option to perform a base64 decode at runtime is enabled, the decoded value will be returned.

2. cpln://secret/SECRET_NAME (without the .payload)

   • If the option to perform a base64 decode at runtime is enabled, the encoding property will be set to base64. It is the responsibility of the user to perform the base64 decode.

   Example values returned:

   base64: "{\"payload\":\"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0\",\"encoding\":\"base64\"}"

   plain text: "{\"payload\":\"The is an opaque secret in plain text\",\"encoding\":\"plain\"}"

​

NATS Account

• Used to store NATS Account credentials.
• When creating a Cloud Account using the Azure Connector, the deployment URL and code will be saved.
• These values can be updated using the console or the CLI.
• A NATS Account secret consists of:
  • Account ID
  • Private Key
• These properties will be validated and the secret will only be created or updated if they are valid.

​

TLS

• Used to securely store a Transport Layer Security (TLS) secret that can be used by a workload’s environment variables.
• A TLS secret consists of a:
  • Key
  • Certificate
  • Chain Certificate (optional if the certificate is self-signed or not part of the installed root certificates)
• Using the UI, the secret can be in a file that is uploaded or pasted into the textbox.
• The certificates will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4
XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN
rsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn
pvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN
bBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi
L2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l
jq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g
Zhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX
3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD
YjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1
Z8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw
rFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am
spmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf
LzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC
/1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt
vig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr
KY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ
D/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD
LyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT
FGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8
zljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC
HnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon
aH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt
gFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl
/LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR
S1hFKnRRcrVqA+HjWnZ//BGi
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL
BQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH
DAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx
EDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p
bzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV
UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL
BgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv
MR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0
RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9
yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk
PsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr
aetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY
/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud
DgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9
Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
sDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4
ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD
wAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M
5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ
YxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD
u2ZCis/EwXsqRJPkIPnL
-----END CERTIFICATE-----

None. The above key and certificate were self-signed.

​

Username & Password

• Used to securely store a username and password secret that can be used by a workload’s environment variables.
• The secret consists of:
  • Username
  • Password
  • Encoding (Base64 / Plain Text)
• The secret will only be created or updated if the username and password are valid strings.

​

Permissions

The permissions below are used to define policies together with one or more of the four principal types:

​

Reveal Permission

The plaintext of a secret can be viewed only if you or an identity has the reveal permission.

For example, when using a secret as the value of an environment variable for a container, the identity assigned to the workload must have the reveal permission set on the assigned secret using a policy.

When configuring the environment variable, the value of the variable will be in the following format: cpln://secret/SECRET_NAME. The image running within the container will be able to access the plaintext of the secret by referring to the name of the configured environment variable.

​

Use Permission

A secret is used with a:

• GVC’s pull secret
• Container’s environment variables
• Policy’s binding

To allow a non-administrator user the ability to use a secret with one of the above objects, the user must be granted the use permission.

For example, if the image assigned to a container belongs to a private Docker registry, a pull secret for that registry must be added to the associated GVC. The user that is configuring this application must have the use permission set on the secret (using a policy) to be able to add it as a pull secret.

​

Updating Secrets

If a secret value is updated, any workload referencing that secret will need to be redeployed.

​

Access Report

Displays the permissions granted to principals for the secret.

​

CLI

To view the CLI documentation for secrets, click here.