--- title: "Deployment and Installation" slug: "deployment-and-installation" updated: 2025-11-05T07:13:08Z published: 2025-11-05T07:13:08Z --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.plainid.io/llms.txt > Use this file to discover all available pages before exploring further. # Deployment and Installation The Secret Management Service acts as a centralized component responsible for securely retrieving and serving Secrets to other PlainID components. By default, this service is not included in the Policy Authorization Agent (PAA) deployment and must be explicitly enabled and configured. This guide walks you through enabling the Secret Management Service within your PAA deployment by modifying the values-custom.yaml file. You will learn how to activate the service, configure core parameters such as ports and logging, and define one or more Secret Stores that the service will use to fetch Secrets like private keys, tokens, and credentials. Proper configuration of the Secret Management Service ensures secure, seamless access to sensitive data while enabling advanced features like secret rotation and multi-store management. The example and settings below illustrate typical configuration options and serve as a foundation to tailor the service to your environment’s needs. ## Configuring the Secret Management Service By default, the Secret Management Service is not included in the PAA deployment. To enable it, add a `secretsMgmt` section to the values-custom.yaml file and follow the configuration instructions. ### Enabling and Configuring the Service After adding to the values-custom.yaml file the `secret-mgmt` section, set it as `enabled: true` and define additional configuration parameters, such as ports, logging, and most importantly, `secretStore` definitions. **To use managed stores defined in the Platform in the PAA Store Manager**, ensure that that the `redisIntegration` is set to `enabled: true`. **Example**: ``` secretsMgmt: enabled: true ## Enable Redis integration to use cloud secret stores redisIntegration: enabled: false ## set to true if using managed stores replicaCount: 1 command: [] # Allows you to add any config files to /app/config plainIDConfig: config.yaml: server: port: 8080 # Which IP is allowed to make requests to secret-mgmt bindIp: 0.0.0.0 management: port: 8081 log: level: "info" #debug,trace format: "json" logTo: "console" # rolling, file rabbitmq: enabled: false gin: mode: release # debug, release # Secret Store configuration secretStore: - id: fileSecret type: File isDefault: true decoder: Base64 details: path: /app/config/filename.txt # Examples below for HashiCorp Vault based Secret Store # - id: vault # type: Vault # isDefault: true # decoder: None # Base64, None # details: # PathPrefix: prefix # defaultPath: vault_ # skipVerify: true # url: vault # timeout: 3s # enginePath: custom # # Authentication method should use a Token # auth: # method: Token # Token, Kubernetes # tokenValue: token # tokenFileName: ${ VAULT_TOKEN } - instead of token value # # OR Authentication method should use vault Kubernetes authentication # auth: # method: Kubernetes # path: /var/path-to-file/file.txt # role: secrets-mgmt # Examples below for Environment Variables based on the Secret Store # - id: ENV_VAR_SECRET # type: Environment # isDefault: false # decoder: Base64 # details: # name: ENV_VAR_SECRET ``` **Optional Settings for the Secret Management Service** | Section | Parameter | Value | Description | | --- | --- | --- | --- | | server | port | `8080` | The port number that the server listens to for incoming requests. | | server | bindIp | `0.0.0.0` | The IP address authorized to make requests to the Secret management service. Use 0.0.0.0 to allow connections from every IP address on the local machine | | management | port | `8081` | The port number that the management service listens to for incoming requests. | | log | level | `info` | The Application logging level. | | log | format | `json` | The Application logging format. | | log | logTo | `console` | The logging output destination. | | gin | mode | `release` | The mode that Gin (the HTTP framework) should run in. | The Environment Variable Store allows secrets to be retrieved from environment variables—commonly used for simpler, local, or container-based deployments. This store is often used for private keys or credentials that are injected at runtime via deployment configurations or Kubernetes manifests. ### Environment Variable Secret Store-specific Parameters **To configure a Secret Store that reads private keys from Environment Variables, use the following configuration**: | Parameter | Value | Description | | --- | --- | --- | | type | `Environment` | Set the type of the Secret store to Environment Variables | | details.name | `ENV_VAR_SECRET` | The name of the Environment Variable from which to obtain the private key | #### Example The following example is based on the [general store](/v1/docs/stores) and store-specific parameters. ``` secretsMgmt: ... plainIDConfig: ... # Secret Store configuration secretStore: - id: ENV_VAR_SECRET type: Environment isDefault: true decoder: Base64 details: name: ENV_VAR_SECRET ``` ## Error Logging for External Secret Providers Errors from external secret providers are now logged in a consistent structure. This standardization improves troubleshooting and observability by making it easier to collect, filter, and monitor provider-related issues. **Format** ``` ERROR "secret provider error from {store type} - {error context}: {provider inner error}" ``` **Log Components** | Component | Description | | --- | --- | | **store type** | The type of secret store (e.g., Vault, AKV, AWS Secrets Manager, etc.). | | **error context** | The specific failure scenario (e.g., connection error, timeout). | | **provider inner error** | The detailed error message returned by the external provider. | **Example** ``` log.Errorf("secret provider error from Vault - unable to connect to vault: %s", clientErr) ```