Configuring Store Types


This document provides step-by-step instructions for configuring Secret Management Stores within the PlainID platform. Secret stores provide secure storage and retrieval of sensitive credentials and configuration data.

  • When setting up a store based on its Store Type, additional configuration parameters may be available/required to define its specific operation.
  • Authentication must be defined properly, using the specific credentials for that store, to be able to connect to a Secret Store and fetch secrets from it. Refer to Authentication to Secret Store Provider for more information.

Secret Stores defined for PAA usage are configured to authenticate to the store provider using the secret key pattern {{storeId=<storeID>,key=<secretKeyName>}}. The credentials referred to through this secret key are fetched once when the SM service initiates and are refetched when a change in the definition is made by the user in the UI.
Note: Secret Rotation when authenticating to a Secret Provider is currently not supported.

To learn more about Secret Stores and how to manage them, refer to Managing Secret Stores.

For more details revolving around the technical aspects of the Secret Management capability, refer to Secret Management Configuration.

Authentication to Secret Store Provider

Authentication to the Secret Store must be set up so that, at Runtime, the provider can be reached and secrets can be retrieved. To set up the Store Provider's credentials securely, the store's credential field(s) need to be set using a reference to a secret key:

  • For Cloud-used stores, set the credentials directly; they are stored securely in the PlainID Internal Cloud Vault.
  • For PAA-managed stores, configure a reference to a secret key that holds the required sensitive credentials:

  • Option 1: Environment Variable Reference: Use the predefined Environment Variable pattern: storeId=ENV_VAR with a secret key referring to an Environment Variable defined in the PAA SM configuration.

    • Environment Variables must follow the pattern: ENV_VAR_<some_env_var_name>.
      • Example: {{storeId=ENV_VAR,key=ENV_VAR_CredsOfAKV1}}
  • Option 2: Store Reference

    • Define a secret key that references another store using the template: {{storeId=<storeID>,key=<secretKeyName>}}
      • Example: You can reference another store manually defined in the PAA SM configuration that holds credentials for other stores: {{storeId=AWS_Dev,key=CredsOfAKV1}}
    • This type of nested reference can be applied up to three levels deep.
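The reference syntax and nesting limit described above, as an added illustration that is not part of the PlainID product: a small resolver that parses {{storeId=<storeID>,key=<secretKeyName>}} references, enforces the ENV_VAR_ prefix for the ENV_VAR store, follows store-to-store references up to three levels deep and rejects deeper chains and cycles. The store contents and environment are constructed sample data.

```python
import os
import re

# Reference syntax from the page: {{storeId=<storeID>,key=<secretKeyName>}}
REF_RE = re.compile(r"^\{\{storeId=([^,}]+),key=([^}]+)\}\}$")
MAX_DEPTH = 3  # nested references are allowed up to three levels deep
ENV_PREFIX = "ENV_VAR_"  # keys in the ENV_VAR store must carry this prefix


def parse_ref(value):
    """Return (store_id, key) if value is a secret reference, else None."""
    m = REF_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None


def resolve(value, stores, env=None, depth=0, seen=None):
    """Follow a reference chain and return the final plain secret value."""
    env = os.environ if env is None else env
    seen = set() if seen is None else seen
    ref = parse_ref(value)
    if ref is None:
        return value  # literal credential, nothing further to follow
    if depth >= MAX_DEPTH:
        raise ValueError("reference nesting exceeds %d levels" % MAX_DEPTH)
    if ref in seen:
        raise ValueError("circular reference via %s" % (ref,))
    seen.add(ref)
    store_id, key = ref
    if store_id == "ENV_VAR":
        if not key.startswith(ENV_PREFIX):
            raise ValueError("environment key must start with " + ENV_PREFIX)
        if key not in env:
            raise KeyError("environment variable %s is not set" % key)
        nxt = env[key]
    else:
        if store_id not in stores or key not in stores[store_id]:
            raise KeyError("no secret %s in store %s" % (key, store_id))
        nxt = stores[store_id][key]
    return resolve(nxt, stores, env, depth + 1, seen)


# Constructed sample data (not from the page): store contents as the SM
# service might have fetched them, plus an environment for the ENV_VAR store.
SAMPLE_STORES = {
    "AWS_Dev": {"CredsOfAKV1": "{{storeId=ENV_VAR,key=ENV_VAR_CredsOfAKV1}}"},
    "Vault_Dev": {"AzureCreds": "{{storeId=AWS_Dev,key=CredsOfAKV1}}"},
    "Deep": {"x": "{{storeId=Vault_Dev,key=AzureCreds}}"},  # four levels
    "Loop": {"a": "{{storeId=Loop,key=a}}"},  # self-referencing
}
SAMPLE_ENV = {"ENV_VAR_CredsOfAKV1": "s3cr3t-client-secret"}
```

Resolving {{storeId=Vault_Dev,key=AzureCreds}} against the sample data walks three levels and yields the environment value; the Deep and Loop entries are rejected.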

Store Types

Configure your chosen secret store type using the instructions below:

HashiCorp Vault

To configure the HashiCorp Vault:

  1. Select HashiCorp Vault from the Store Type dropdown
  2. Toggle Cloud Platform Enabled (Yes/No) based on your usage requirements
  3. If Cloud Platform Enabled is set to No, select which PAAs the store is used by from the multi-select dropdown
  4. In the Additional Details section, input the following. For more details on Additional Detail and Authentication fields, refer to the HashiCorp Input Fields table below:
    • Input the Vault URL used to make requests for fetching secrets
    • Input the Secrets Engine Path prefix.
    • Input the Path Prefix for secret storage.
    • Set the Timeout value for connections in seconds.
  5. In the Authentication section, select your Authentication Method:
    • Input your token if the Vault is used as a cloud secret provider.
    • Input a secret key.
  6. Click Create.

HashiCorp Input Fields

| Field | Description | Value / Default |
|---|---|---|
| Vault URL | The Vault URL used to send requests for fetching secrets. | — |
| Secrets Engine Path | The Secrets Engine Path prefix. | secret |
| Path Prefix | The Path Prefix for secret storage. | / |
| Timeout | Timeout value for connections (in seconds). | 60 |
| Token | Token used if Vault is configured as a cloud secret provider. The token value is masked in the UI. | — |
| Secret Key Reference | A secret key reference, which can point to another store or to an Environment Variable (ENV_VAR_<some_name>). Example: {{storeId=ENV_VAR,key=ENV_VAR_CredsOfAKV1}} or {{storeId=AWS_Dev,key=CredsOfAKV1}}. | — |

Azure Key Vault

To configure the Azure Key Vault:

  1. Select Azure Key Vault from the Store Type dropdown
  2. Toggle Cloud Platform Enabled (Yes/No) based on your usage requirements
  3. If Cloud Platform Enabled is set to No, select which PAAs the store is used by from the multi-select dropdown
  4. In the Additional Details section, input the following. For more details on Additional Detail and Authentication fields, refer to the Azure Key Vault Input Fields table below:
    • Input the Key-Vault Name.
  5. In the Authentication section:
    • Input the Tenant ID for Azure token URL
    • Input the Client ID for token generation
    • Input the Client Secret for token generation.
      • Input your secret if the Vault is used as a cloud secret provider (secret will be masked)
      • Input a secret key using a reference to another store or to an ENV_VAR_<some_name>.
  6. Click Create.

Azure Key Vault Input Fields

| Field | Description | Value / Default |
|---|---|---|
| Key Vault Name | The Key Vault endpoint URL, formatted as: https://<Keyvault_name>.vault.azure.net. | — |
| Authentication Method | Authentication method for Azure Key Vault. This is automatically set to OAuth2 Client Credentials (only supported method). | OAuth2 Client Credentials |
| Tenant ID | The Azure Tenant ID used in the token URL. | — |
| Client ID | The Client ID used for token generation. | — |
| Client Secret | The Client Secret used for token generation. Optionally, provide a secret reference using another store or an environment variable (ENV_VAR_<some_name>). The value is masked in the UI. | — |

AWS Secrets Manager

Some Secret Providers allow connection using a Role instead of explicit Authentication credentials. This approach is supported for PAA SM using a K8s Role, as in the case of AWS Secrets Manager, if the SM service deployed in the PAA runs under a proper IAM Role that is injected into K8s.

To configure the AWS Secrets Manager:

  1. Select AWS Secrets Manager from the Store Type dropdown
  2. Toggle Cloud Platform Enabled (Yes/No) based on your usage requirements
  3. If Cloud Platform Enabled is set to No, select which PAAs the store is used by from the multi-select dropdown
  4. In the Additional Details section, input the following. For more details on Additional Detail and Authentication fields, refer to the AWS Secrets Manager Input Fields table below:
    • Region for AWS.
  5. In the Authentication section:
    • If the Cloud Platform Enabled is toggled on, the Authentication Method will be automatically set to AWS Access Key. If Cloud Platform Enabled is toggled off and PAAs are selected, choose between AWS Access Key and IAM Roles for Service Accounts.
    • Input the AccessKey ID
    • Input the AccessKey Secret.
      • Input your secret if the store is used as a cloud secret provider (secret will be masked)
      • Input a secret key that references to another store or to an ENV_VAR_<some_name>.
  6. Click Create.

AWS Secrets Manager Fields

| Field | Description | Value / Default |
|---|---|---|
| Region | The AWS region for Secrets Manager. | — |
| Authentication Method | Authentication method for AWS Secrets Manager. This is automatically set to AWS Access Key (only supported method). | AWS Access Key |
| Access Key ID | The AWS Access Key ID. | — |
| Access Key Secret | The AWS Access Key Secret. You can also provide a secret reference using another store or an environment variable (ENV_VAR_<some_name>) (optional). The value is masked in the UI. | — |

AWS IAM for RDS

Note: This store type is not available for Cloud Platform usage.

To configure the AWS IAM for RDS:

  1. Select AWS IAM for RDS from the Store Type dropdown
  2. Select which PAAs the store is used by from the multi-select dropdown
  3. In the Additional Details section, input the Region for AWS. For more details on Additional Detail and Authentication fields, refer to the AWS IAM for RDS Input Fields table below.
  4. In the Authentication section, select your Authentication Method:
    • If you selected AWS Access Key:
      • Input the AccessKey ID
      • Input the AccessKey Secret.
    • If you selected IAM Roles for Service Accounts:
      • Input the Role Name for Kubernetes authentication (PAA deployments only)
      • You can configure a K8s role as your credential context, allowing the store to authenticate using that role.
  5. Click Create.

AWS IAM for RDS Input Fields

| Field | Description | Value / Default |
|---|---|---|
| Region | The AWS region for RDS IAM authentication. | — |
| Authentication Method | The authentication method for RDS IAM. Options: AWS Access Key; IAM Roles for Service Accounts (Kubernetes PAA deployments only). | — |
| Access Key ID | (If using AWS Access Key) The AWS Access Key ID. | — |
| Access Key Secret | (If using AWS Access Key) The AWS Access Key Secret. | — |
| Role Name | (If using IAM Roles for Service Accounts) The Kubernetes role name used for authentication. This can be configured as the credential context in PAA deployments. | — |

Configuring Secret Management Stores in the PlainID platform ensures secure handling of sensitive credentials and seamless integration with supported providers such as HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager. By defining proper authentication methods and referencing secrets consistently, you enable reliable Runtime access while maintaining centralized security controls.

For additional guidance on managing and monitoring these configurations, refer to the related documentation on Managing Secret Stores and Secret Management Configuration.