Cloud Integration

In cloud environments, secrets are stored inside a native secret manager.

This documents describes the vals secrets to dynamically fetch secrets from cloud services directly.

This integration is also supported inside ArgoCD.

Prerequisites

helm-secrets 3.9.x or higher. (literal values requires 4.1+)
vals backend usage

Setup

vals needs to be setup correctly first. Download vals from GitHub and put the binary into your PATH. e.g. /usr/local/bin/. Alternatively, use the environment variable HELM_SECRETS_VALS_PATH to define the path of the vals binary.

Authentication

AWS

AWS supports a multiple mechanism for authentication:

Define AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
OIDC login flows / IAM Roles for services accounts
Default credential and config profiles in ~/.aws/credentials and ~/.aws/config
Instance profile credentials

Azure

Azure supports a multiple mechanism for authentication through environment variables

Client Credentials: Azure AD Application ID and Secret.
- AZURE_TENANT_ID: Specifies the Tenant to which to authenticate.
- AZURE_CLIENT_ID: Specifies the app client ID to use.
- AZURE_CLIENT_SECRET: Specifies the app secret to use.
Client Certificate: Azure AD Application ID and X.509 Certificate.
- AZURE_TENANT_ID: Specifies the Tenant to which to authenticate.
- AZURE_CLIENT_ID: Specifies the app client ID to use.
- AZURE_CERTIFICATE_PATH: Specifies the certificate Path to use.
- AZURE_CERTIFICATE_PASSWORD: Specifies the certificate password to use.
Resource Owner Password: Azure AD User and Password. This grant type is not recommended, use device login instead if you need interactive login.
- AZURE_TENANT_ID: Specifies the Tenant to which to authenticate.
- AZURE_CLIENT_ID: Specifies the app client ID to use.
- AZURE_USERNAME: Specifies the username to use.
- AZURE_PASSWORD: Specifies the password to use.
Azure Managed Service Identity: Delegate credential management to the platform. Requires that code is running in Azure, e.g. on a VM. Azure SDK handles all configurations. See Azure Managed Service Identity for more details.

Usage

Before running helm, the environment variable HELM_SECRETS_BACKEND=vals needs to be set or the command line option --backend=vals must be put in use.

This enables the vals integration in helm-secrets.

Vals needs cloud prover credentials to fetch secrets from the secret services. Be sure to have them in place before trying to use (for instance, use the cloud provider own CLI to fetch the same secrets).

helm-secrets can not fill the cloud provider secrets store through the encryption command.

⚠️ Vals reference strings must be declared in the "values" file (the YAML file being used by the Helm template to provide values), not in the resource itself!

This is how you are suppose to do. First create a Secret (or anyother resource you want) file, that we will call secret.yaml in this example:

---
apiVersion: v1
kind: Secret
metadata:
  name: '{{ .Chart.Name }}-secrets'
  labels:
    app.kubernetes.io/name: '{{ .Chart.Name }}-secrets'
    app.kubernetes.io/version: '{{ .Chart.AppVersion | toString }}'
    namespace: '{{ .Values.namespace }}'
    name: '{{ .Chart.Name }}'
    repository: '{{ .Chart.Home }}'
type: Opaque
data:
  supersecret: '{{ .Values.aws | b64enc }}'

The secret.yaml should be saved into the templates folder of your helm chart.

Next, create a values file named values.yaml and add the following snippet content:

aws: ref+awssecrets://mysecret/value

Finally, put everything together:

helm secrets template -f values.yaml .

That's it! You should see the resulting content from the template.

Supported Backends

vals support different backends. Click on the backend to gain more information.

Vault
AWS SSM Parameter Store
AWS Secrets Manager
AWS S3
GCP Secrets Manager
Google GCS
SOPS powered by sops
Terraform (tfstate) powered by tfstate-lookup
Echo
File
Azure Key Vault
EnvSubst
Gitlab CI Secrets

Example secret.yaml

vault: ref+vault://mykv/foo#/bar
aws: ref+awssecrets://mysecret/value
aws-ssm: ref+awsssm://foo/bar?mode=singleparam#/BAR
gcp: ref+gcpsecrets://PROJECT/SECRET[?version=VERSION]
azure: ref+azurekeyvault://my-vault/secret-a
sops: ref+sops://assets/values/vals/secrets.sops.yaml#/key
file: ref+file:///absolute/path/to/file[#/path/to/the/value]
service:
  port: ref+envsubst://$VAR1

Example literal values

export HELM_SECRETS_BACKEND=vals
helm secrets template bitnami/mysql --name-template mysql \
  --set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR

wrapper-less environment like ArgoCD through downloader syntax (--set-file only):

export HELM_SECRETS_BACKEND=vals
helm template bitnami/mysql --name-template mysql \
  --set-file auth.rootPassword=secrets+literal://ref+azurekeyvault://my-vault/secret-a

This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly