The Secret Management Service acts as a centralized component responsible for securely retrieving and serving Secrets to other PlainID components. By default, this service is not included in the Policy Authorization Agent (PAA) deployment and must be explicitly enabled and configured.
This guide walks you through enabling the Secret Management Service within your PAA deployment by modifying the values-custom.yaml file. You will learn how to activate the service, configure core parameters such as ports and logging, and define one or more Secret Stores that the service will use to fetch Secrets like private keys, tokens, and credentials.
Proper configuration of the Secret Management Service ensures secure, seamless access to sensitive data while enabling advanced features like secret rotation and multi-store management. The example and settings below illustrate typical configuration options and serve as a foundation to tailor the service to your environment’s needs.
Configuring the Secret Management Service
By default, the Secret Management Service is not included in the PAA deployment. To enable it, add a secretsMgmt section to the values-custom.yaml file and follow the configuration instructions.
Enabling and Configuring the Service
After adding to the values-custom.yaml file the secret-mgmt section, set it as enabled: true and define additional configuration parameters, such as ports, logging, and most importantly, secretStore definitions.
Enabling and Configuring the Service
After adding to the values-custom.yaml file the secret-mgmt section, set it as enabled: true and define additional configuration parameters, such as ports, logging, and most importantly, secretStore definitions.
To use managed stores defined in the Platform in the PAA Store Manager, ensure that that the redisIntegration is set to enabled: true.
Example:
secretsMgmt:
enabled: true
## Enable Redis integration to use cloud secret stores
redisIntegration:
enabled: false ## set to true if using managed stores
replicaCount: 1
command: []
# Allows you to add any config files to /app/config
plainIDConfig:
config.yaml:
server:
port: 8080
# Which IP is allowed to make requests to secret-mgmt
bindIp: 0.0.0.0
management:
port: 8081
log:
level: "info" #debug,trace
format: "json"
logTo: "console" # rolling, file
rabbitmq:
enabled: false
gin:
mode: release # debug, release
# Secret Store configuration
secretStore:
- id: fileSecret
type: File
isDefault: true
decoder: Base64
details:
path: /app/config/filename.txt
# Examples below for HashiCorp Vault based Secret Store
# - id: vault
# type: Vault
# isDefault: true
# decoder: None # Base64, None
# details:
# PathPrefix: prefix
# defaultPath: vault_
# skipVerify: true
# url: vault
# timeout: 3s
# enginePath: custom
#
# Authentication method should use a Token
# auth:
# method: Token # Token, Kubernetes
# tokenValue: token
# tokenFileName: ${ VAULT_TOKEN } - instead of token value
#
# OR Authentication method should use vault Kubernetes authentication
# auth:
# method: Kubernetes
# path: /var/path-to-file/file.txt
# role: secrets-mgmt
# Examples below for Environment Variables based on the Secret Store
# - id: ENV_VAR_SECRET
# type: Environment
# isDefault: false
# decoder: Base64
# details:
# name: ENV_VAR_SECRET
Optional Settings for the Secret Management Service
| Section | Parameter | Value | Description |
|---|---|---|---|
| server | port | 8080 |
The port number that the server listens to for incoming requests. |
| server | bindIp | 0.0.0.0 |
The IP address authorized to make requests to the Secret management service. Use 0.0.0.0 to allow connections from every IP address on the local machine |
| management | port | 8081 |
The port number that the management service listens to for incoming requests. |
| log | level | info |
The Application logging level. |
| log | format | json |
The Application logging format. |
| log | logTo | console |
The logging output destination. |
| gin | mode | release |
The mode that Gin (the HTTP framework) should run in. |
The Environment Variable Store allows secrets to be retrieved from environment variables—commonly used for simpler, local, or container-based deployments. This store is often used for private keys or credentials that are injected at runtime via deployment configurations or Kubernetes manifests.
Environment Variable Secret Store-specific Parameters
To configure a Secret Store that reads private keys from Environment Variables, use the following configuration:
| Parameter | Value | Description |
|---|---|---|
| type | Environment |
Set the type of the Secret store to Environment Variables |
| details.name | ENV_VAR_SECRET |
The name of the Environment Variable from which to obtain the private key |
Example
The following example is based on the general store and store-specific parameters.
secretsMgmt:
...
plainIDConfig:
...
# Secret Store configuration
secretStore:
- id: ENV_VAR_SECRET
type: Environment
isDefault: true
decoder: Base64
details:
name: ENV_VAR_SECRET
Error Logging for External Secret Providers
Errors from external secret providers are now logged in a consistent structure. This standardization improves troubleshooting and observability by making it easier to collect, filter, and monitor provider-related issues.
Format
ERROR "secret provider error from {store type} - {error context}: {provider inner error}"
Log Components
| Component | Description |
|---|---|
| store type | The type of secret store (e.g., Vault, AKV, AWS Secrets Manager, etc.). |
| error context | The specific failure scenario (e.g., connection error, timeout). |
| provider inner error | The detailed error message returned by the external provider. |
Example
log.Errorf("secret provider error from Vault - unable to connect to vault: %s", clientErr)