Configuration template
The following template shows all available options for the Secret Agent configuration file. You must configure at least one service listener and exactly one secret manager.
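service: # at least one service is required; keep only the listeners you actually use
  # 0.0.0.0 binds every interface. Bind a specific address or firewall the port when
  # the agent should only be reachable locally.
  tcp:
    endpoint: "0.0.0.0:3005" # mandatory
    tls: # optional; without this block the tcp listener is plaintext
      cert-file: PATH_TO_CERT_FILE
      key-file: PATH_TO_KEY_FILE
      ca-file: PATH_TO_CA_FILE # optional, needed for mutual TLS only; the only client-authentication knob shown here
  uds:
    socket-path: PATH_TO_SOCKET # mandatory; who may connect is governed by the socket file's permissions — TODO confirm how the agent sets them
  http:
    endpoint: "0.0.0.0:8080" # mandatory
    # Secrets served by this listener cross the network unencrypted; prefer https,
    # tcp with tls, or uds for anything beyond local development.
    secrets: # optional; enables REST secrets API
      url-base-path: /manage/rest # optional; default /manage/rest; length ≥ 2, start with /, no trailing /
    metrics: # optional
      prometheus: # optional
        url-base-path: /manage/rest # optional; same validation as secrets
        labels: # optional; NOTE(review): nesting reconstructed from a collapsed listing — confirm against the upstream template
          LABEL_NAME_1: LABEL_VALUE_1
          LABEL_NAME_2: LABEL_VALUE_2
          LABEL_NAME_3: LABEL_VALUE_3
  https:
    endpoint: "0.0.0.0:8443" # mandatory
    tls: # mandatory for https
      cert-file: PATH_TO_CERT_FILE # mandatory
      key-file: PATH_TO_KEY_FILE # mandatory
      ca-file: PATH_TO_CA_FILE # optional; for mutual TLS — without it clients are not authenticated at the TLS layer
    secrets: # optional; same as service.http.secrets
      url-base-path: /manage/rest # optional
    metrics: # optional; same as service.http.metrics
      prometheus:
        url-base-path: /manage/rest # optional
        labels: # optional
          LABEL_NAME_1: LABEL_VALUE_1
          LABEL_NAME_2: LABEL_VALUE_2
          LABEL_NAME_3: LABEL_VALUE_3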
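secret-manager: # exactly one secret manager is required; delete the three you do not use
  aws:
    region: REGION # mandatory
    # access-key-id / secret-access-key are static credentials stored in this file.
    # Keep the file's permissions tight and out of version control; what is used
    # when they are omitted is not stated here — presumably the SDK's ambient credentials, confirm.
    access-key-id: ACCESS_KEY_ID # optional
    secret-access-key: SECRET_ACCESS_KEY # optional
    assume-role: ROLE_ARN # optional
    convert-to-base64: false # optional (default is false); use a real boolean, not a quoted string
    resources: # mandatory; map of local resource name -> secret ARN
      RESOURCE_NAME_1: ARN_1
      RESOURCE_NAME_2: ARN_2
      RESOURCE_NAME_3: ARN_3
  gcp:
    credential-file: PATH_TO_CREDENTIAL_FILE # optional; a service-account key file — protect it like any other secret
    impersonate: SERVICE_ACCOUNT # optional
    convert-to-base64: false # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1: RESOURCE_PATH_WITH_VERSION_1
      RESOURCE_NAME_2: RESOURCE_PATH_WITH_VERSION_2
      RESOURCE_NAME_3: RESOURCE_PATH_WITH_VERSION_3
  vault:
    endpoint: VAULT_ENDPOINT # mandatory; use an https:// URL so tokens and secrets are not sent in clear
    ca-file: PATH_TO_CA_FILE # optional; presumably trust anchors for the Vault server certificate — confirm
    ca-path: PATH_TO_CA_DIRECTORY # optional
    namespace: VAULT_NAMESPACE # optional
    # token-file or username,password-file or tls-auth-mount,client-cert-file,client-key-file is required
    # (pick one authentication method and remove the others; credential material is read from files,
    # so keep those files readable by the agent only)
    token-file: PATH_TO_TOKEN_FILE
    username: USERNAME
    password-file: PATH_TO_PASSWORD_FILE
    tls-auth-mount: MOUNT
    client-cert-file: PATH_TO_CLIENT_CERT_FILE
    client-key-file: PATH_TO_CLIENT_KEY_FILE
    convert-to-base64: false # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1:
        mount: MOUNT_1 # mandatory
        secret: SECRET_1 # mandatory
        version: VERSION_1 # optional (default is 0)
      RESOURCE_NAME_2:
        mount: MOUNT_2 # mandatory
        secret: SECRET_2 # mandatory
        version: VERSION_2 # optional (default is 0)
      RESOURCE_NAME_3:
        mount: MOUNT_3 # mandatory
        secret: SECRET_3 # mandatory
        version: VERSION_3 # optional (default is 0)
  file:
    convert-to-base64: false # optional (default is false)
    resources: # mandatory; secrets read from local JSON files — the files themselves are the secret store, restrict their permissions
      RESOURCE_NAME_1: PATH_TO_JSON_FILE_1
      RESOURCE_NAME_2: PATH_TO_JSON_FILE_2
      RESOURCE_NAME_3: PATH_TO_JSON_FILE_3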
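log: # optional
  file: PATH_TO_LOG_FILE # optional (default is stdout); if set, restrict the file's permissions like the config itself
  # "error", "warn", "info", "debug", "trace" (default "info"). At trace level, HTTP/HTTPS
  # listeners log Prometheus and Secrets base URLs at startup; keep production at info or
  # above and raise verbosity only while troubleshooting.
  level: LEVEL # optional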