Secrets are used to store strongly-encrypted information. All secrets can be injected into containers through the use of environment variables.
In addition to optionally being injected into containers as environment variables, secrets are also used for:
NOTE: A workload identity MUST be granted the reveal permission on a secret to have its value injected at runtime.
The AWS secret type enables a workload to consume services from AWS. It is used in cases where an identity isn't used.
For example, when an Org does not wish to create a cloud account, or to create cloud access policy as part of an identity definition.
The recommended approach to consuming services from AWS is not to use a AWS secret, but rather to:
In cases where an Org wishes to not leverage the identity feature, in order to use an AWS secret, simply read the secret from the environment variable and convey its set of values to AWS using any AWS API you wish.
The AWS secret schema consists of:
For an existing AWS user, these values are obtained from the AWS IAM Dashboard.
Refer to these instruction to create a new AWS IAM user in your AWS account.
Used to store Azure SDK credentials.
When creating a Cloud Account using the Azure SDK, a JSON file is generated containing the credentials. This file is uploaded and automatically stored as an Azure-SDK secret.
Sample Azure-SDK secret content:
copy{"subscriptionId": "2cd2674e-4f89-4a1f-b420-7a1361b46ef7","tenantId": "292f5674-78b0-488b-9ff8-6d30d77f38d9","clientId": "649746ce-d862-49d5-a5eb-7d5aad90f54e","clientSecret": "CONFIDENTIAL"}
If the client secret has been compromised or needs to be updated, the content of the secret can be updated using the console or CLI and will be used by the associated Cloud Accounts.
deployment URL
and code
will be saved.The Docker secret type is used when a container pulls an image from a private Docker compatible repository, such as a Org's private repository at Control Plane, Docker Hub, or Azure Container Registry.
An authorized user then assigns a secret of this type to a GVC Pull Secret.
Workloads in the GVC can then pull their image using the secret.
The contents of a Docker secret follows this syntax:
copy{"auths": {"REPOSITORY_URL": {"username": "USERNAME","password": "PASSWORD"}}}
To create a Docker secret targeting a private repository hosted at Control Plane, a Service Account at the source Org, bound with the pull permission is required.
Example:
copy{"auths": {"ORG_NAME.registry.cpln.io": {"username": "<token>","password": "SERVICE_ACCOUNT_KEY"}}}
Note: The username
is the literal string <token>
.
To create a Docker secret targeting Docker Hub, a Docker username and password (which has permissions to pull the images) are required.
There are two ways to create the secret content:
Username & Password
Keys
Example:
copy{"auths": {"https://index.docker.io/v1/": {"username": "USERNAME","password": "PASSWORD"}}}
auth
Key
When using a password, the value of the auth
key is the base64 encoded result of the string USERNAME:PASSWORD
.
Example:
copy{"auths": {"https://index.docker.io/v1/": {"auth": "BASE_64_ENCODING(USERNAME:PASSWORD)"}}}
When using a Docker Access Token, the
value of the auth
key is the base64 encoded result of the string USERNAME:DOCKER_ACCESS_TOKEN
.
Example:
copy{"auths": {"https://index.docker.io/v1/": {"auth": "BASE_64_ENCODING(USERNAME:DOCKER_ACCESS_TOKEN)"}}}
When performing the base64 encoding, remember to include the colon ( : ) when concatenating the username and password/token.
The base64
utility can be used to easily encode the string.
Example: echo -n USERNAME:PASSWORD | base64
To create a Docker secret targeting the Azure Container Registry, the following properties are required:
An Azure Service Principal
is recommended as the identity used to pull images.
Refer to this article to create an Azure Service Principal that only has the pull permission.
REGISTRY_NAME.azurecr.io
and can be obtained from the Azure Container Registry
section of the Azure Portal.To increase the expiration length of the password, use the --years
flag when running the az ad sp create-for-rbac
command during
the creation of a Service Principal.
Example:
copy{"auths": {"REGISTRY_NAME.azurecr.io": {"username": "APP_ID","password": "PASSWORD"}}}
To create a Docker secret targeting GitHub, a GitHub personal access token (which has the read:packages
scope) is required.
Example:
copy{"auths": {"ghcr.io": {"username": "controlplane","password": "PERSONAL_ACCESS_TOKEN"}}}
The Elastic Container Registry (ECR) secret type is used when a workload pulls a container image from a private AWS ECR repository.
This secret type is used when configuring a GVC's Pull Secret. Workloads that are connected to that GVC will have access to the secret when pulling the image.
The ECR secret consists of:
Multiple repositories can be added to the same ECR secret.
To obtain the keys required to create an ECR secret, from the AWS IAM Dashboard:
Elastic Container Registry
service with the Read
action on the specific repositories.Amazon ECR helper links:
Google Container Registry
.copy{"type": "service_account","project_id": "PROJECT_ID","private_key_id": "PRIVATE_KEY_ID","private_key": "PRIVATE_KEY_CERTIFICATE","client_email": "CLIENT_EMAIL","client_id": "CLIENT_ID","auth_uri": "https://accounts.google.com/o/oauth2/auth","token_uri": "https://oauth2.googleapis.com/token","auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "X509_CERTIFICATE_URL"}
Sample secret key:
copy-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,9A26BB15304B18E7ZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6LdIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBTgQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguHte2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2IRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbwuXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3qopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1sLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQyvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZYZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8aZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswmiW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBTC/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0WD7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOjVe0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWrWjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvhtxx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtWRyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3hWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv-----END RSA PRIVATE KEY-----
Sample public key:
copy-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHivbaAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCOBhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22mXMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0ZrryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3NxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3XwIDAQAB-----END PUBLIC KEY-----
Passphrase:
copycpln
Opaque secrets are used to securely store any text.
When creating or updating an opaque secret, an option is available to perform a base64 decode at runtime.
To access the stored text, an environment variables' value must be set to one of the following:
cpln://secret/SECRET_NAME.payload
cpln://secret/SECRET_NAME
(without the .payload)
encoding
property will be set to base64
.
It is the responsibility of the user to perform the base64 decode.Example values returned:
base64: "{\"payload\":\"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0\",\"encoding\":\"base64\"}"
plain text: "{\"payload\":\"The is an opaque secret in plain text\",\"encoding\":\"plain\"}"
deployment URL
and code
will be saved.Sample key:
copy-----BEGIN PRIVATE KEY-----MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/gZhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYDYjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1Z8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6UwrFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198amspmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBfLzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC/1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCytvig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPrKY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJD/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oDLyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsTFGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8zljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QCHnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYonaH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTtgFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl/LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RRS1hFKnRRcrVqA+HjWnZ//BGi-----END PRIVATE KEY-----
Sample certificate:
copy-----BEGIN CERTIFICATE-----MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcxEDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5pbzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlvMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1UdDgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArsDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qDwAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZYxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdDu2ZCis/EwXsqRJPkIPnL-----END CERTIFICATE-----
Sample chain certificate:
copyNone. The above key and certificate were self-signed.
The permissions below are used to define policies together with one or more of the four principal types:
Permission | Description | Implies |
---|---|---|
create | Create new secrets | |
delete | Delete secrets | |
edit | Modify existing secrets | view, reveal |
manage | Full access | create, delete, edit, manage, reveal, use, view |
reveal | Reveal the plaintext of the secret | view |
use | Refer to this secret from other entities (gvcs, cloudaccounts, etc) | view |
view | Read-only access excluding plaintext |
The plaintext of a secret can be viewed only if you or an identity has the reveal
permission.
For example, when using a secret as the value of an environment variable for a container, the identity
assigned to the workload must have the reveal
permission set on the assigned secret using a policy.
When configuring the environment variable, the value of the variable will be in the following
format: cpln://secret/SECRET_NAME
. The image running within the container will be able to access the plaintext of the secret by
referring to the name of the configured environment variable.
A secret is used with a:
To allow a non-administrator user the ability to use a secret with one of the above objects, the user must be granted the use
permission.
For example, if the image assigned to a container belongs to a private Docker registry, a pull secret for that registry must be added
to the associated GVC. The user that is configuring this application must have the use
permission set on the secret
(using a policy) to be able to add it as a pull secret.
If a secret value is updated, any workload referencing that secret will need to be redeployed.
Displays the permissions granted to principals for the secret.
To view the CLI documentation for secrets, click here