Secrets providers reference
COMMERCIAL FEATURE: Access the Env
, CyberArkProvider
, and VaultProvider
secrets provider datatypes in the packaged Sensu Go distribution.
For more information, read Get started with commercial features.
Sensu’s secrets management eliminates the need to expose secrets like usernames, passwords, and access keys in your Sensu configuration.
With Sensu’s secrets management, you can obtain secrets from one or more external secrets providers, refer to external secrets, and consume secrets via backend environment variables.
Only Sensu backends have access to request secrets from a secrets provider.
Secrets are only transmitted over a transport layer security (TLS) WebSocket connection.
Unencrypted connections must not transmit privileged information.
For checks, hooks, and dynamic runtime assets, you must enable mutual TLS (mTLS).
Sensu will not transmit secrets to agents that do not use mTLS.
The Sensu Go commercial distribution includes a secrets provider, Env
, that exposes secrets from environment variables on your Sensu backend nodes.
You can also use the CyberArkProvider
and VaultProvider
secrets providers.
You can configure any number of CyberArkProvider
and VaultProvider
secrets providers.
However, you can only have a single Env
secrets provider: the one that is included with the Sensu Go commercial distribution.
Secrets providers are cluster-wide resources and compatible with generic functions.
Env secrets provider example
Sensu’s Env
secrets provider exposes secrets from backend environment variables.
The Env
secrets provider is automatically created with an empty spec
when you start your Sensu backend.
Using the Env
secrets provider may require you to synchronize environment variables in Sensu backend clusters.
Read Use secrets management to learn how to configure the Env
secrets provider.
---
type: Env
api_version: secrets/v1
metadata:
name: env
spec: {}
{
"type": "Env",
"api_version": "secrets/v1",
"metadata": {
"name": "env"
},
"spec": {}
}
CyberArkProvider secrets provider example
The CyberArkProvider
secrets provider is a vendor-specific implementation for CyberArk Conjur secrets management.
---
type: CyberArkProvider
api_version: secrets/v1
metadata:
name: cyberark
spec:
client:
account: sensu.io
appliance_url: http://localhost:8480
login: host/Sensu/sensuBackend
api_key: CONJUR_API_KEY
timeout: 1s
tls:
ca_cert: "/etc/ssl/certs/conjur_ca_cert.pem"
ttl: 60s
{
"type": "CyberArkProvider",
"api_version": "secrets/v1",
"metadata": {
"name": "cyberark"
},
"spec": {
"client": {
"account": "sensu.io",
"appliance_url": "http://localhost:8480",
"login": "host/Sensu/sensuBackend",
"api_key": "CONJUR_API_KEY",
"timeout": "1s",
"tls": {
"ca_cert": "/etc/ssl/certs/conjur_ca_cert.pem"
},
"ttl": "60s"
}
}
}
VaultProvider secrets provider example
The VaultProvider
secrets provider is a vendor-specific implementation for HashiCorp Vault secrets management.
---
type: VaultProvider
api_version: secrets/v1
metadata:
name: vault
spec:
client:
address: https://vaultserver.example.com:8200
token: VAULT_TOKEN
version: v1
tls:
ca_cert: "/etc/ssl/certs/vault_ca_cert.pem"
max_retries: 2
timeout: 20s
rate_limiter:
limit: 10
burst: 100
{
"type": "VaultProvider",
"api_version": "secrets/v1",
"metadata": {
"name": "vault"
},
"spec": {
"client": {
"address": "https://vaultserver.example.com:8200",
"token": "VAULT_TOKEN",
"version": "v1",
"tls": {
"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
},
"max_retries": 2,
"timeout": "20s",
"rate_limiter": {
"limit": 10.0,
"burst": 100
}
}
}
}
Secrets provider configuration
You can use the enterprise/secrets/v1 API endpoints to create, view, and manage your secrets provider configuration.
For example, to retrieve the list of secrets providers:
curl -X GET \
http://127.0.0.1:8080/api/enterprise/secrets/v1/providers \
-H "Authorization: Key $SENSU_API_KEY"
Secrets provider specification
NOTE: The attribute descriptions in this section use the CyberArkProvider
and VaultProvider
datatypes.
Review the Env secrets provider example for an example definition for the Env
datatype.
Top-level attributes
api_version |
|
description |
Top-level attribute that specifies the Sensu API group and version. For secrets configuration in this version of Sensu, the api_version should always be secrets/v1 . |
required |
Required for secrets configuration in wrapped-json or yaml format. |
type |
String |
example |
{
"api_version": "secrets/v1"
}
|
metadata |
|
description |
Top-level scope that contains the secrets provider name and created_by field. Namespace is not supported in the metadata because secrets providers are cluster-wide resources. |
required |
true |
type |
Map of key-value pairs |
example |
metadata:
name: vault
created_by: admin
{
"metadata": {
"name": "vault",
"created_by": "admin"
}
}
|
spec |
|
description |
Top-level map that includes secrets provider configuration spec attributes. Read VaultProvider spec attributes and CyberArkProvider spec attributes for details. |
required |
Required for secrets configuration in wrapped-json or yaml format. |
type |
Map of key-value pairs |
CyberArkProvider example |
spec:
client:
account: sensu.io
appliance_url: http://localhost:8480
login: host/Sensu/sensuBackend
api_key: CONJUR_API_KEY
timeout: 1s
tls:
ca_cert: "/etc/ssl/certs/conjur_ca_cert.pem"
ttl: 60s
{
"spec": {
"client": {
"account": "sensu.io",
"appliance_url": "http://localhost:8480",
"login": "host/Sensu/sensuBackend",
"api_key": "CONJUR_API_KEY",
"timeout": "1s",
"tls": {
"ca_cert": "/etc/ssl/certs/conjur_ca_cert.pem"
},
"ttl": "60s"
}
}
}
|
VaultProvider example |
spec:
client:
address: https://vaultserver.example.com:8200
max_retries: 2
rate_limiter:
limit: 10
burst: 100
timeout: 20s
tls:
ca_cert: "/etc/ssl/certs/vault_ca_cert.pem"
token: VAULT_TOKEN
version: v1
{
"spec": {
"client": {
"address": "https://vaultserver.example.com:8200",
"max_retries": 2,
"rate_limiter": {
"limit": 10,
"burst": 100
},
"timeout": "20s",
"tls": {
"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
},
"token": "VAULT_TOKEN",
"version": "v1"
}
}
}
|
type |
|
description |
Top-level attribute that specifies the resource type. |
required |
Required for secrets configuration in wrapped-json or yaml format. |
type |
String |
allowed values |
- Env if using Sensu’s secrets provider - CyberArkProvider if using CyberArk Conjur as the secrets provider - VaultProvider if using HashiCorpVault as the secrets provider |
example |
{
"type": "VaultProvider"
}
|
created_by |
|
description |
Username of the Sensu user who created the secrets provider or last updated the secrets provider. Sensu automatically populates the created_by field when the secrets provider is created or updated. |
required |
false |
type |
String |
example |
{
"created_by": "admin"
}
|
name |
|
description |
Provider name used internally by Sensu. |
required |
true |
type |
String |
example |
|
CyberArkProvider spec attributes
client |
|
description |
Map that includes CyberArkProvider client attributes. |
required |
true |
type |
Map of key-value pairs |
example |
client:
account: sensu.io
appliance_url: http://localhost:8480
login: host/Sensu/sensuBackend
api_key: CONJUR_API_KEY
timeout: 1s
tls:
ca_cert: "/etc/ssl/certs/conjur_ca_cert.pem"
ttl: 60s
{
"client": {
"account": "sensu.io",
"appliance_url": "http://localhost:8480",
"login": "host/Sensu/sensuBackend",
"api_key": "CONJUR_API_KEY",
"timeout": "1s",
"tls": {
"ca_cert": "/etc/ssl/certs/conjur_ca_cert.pem"
},
"ttl": "60s"
}
}
|
CyberArkProvider client attributes
account |
|
description |
Conjur account name. |
required |
true |
type |
String |
example |
{
"account": "sensu.io"
}
|
appliance_url |
|
description |
Conjur appliance URL (the HTTP or HTTPS endpoint CyberArk listens on). |
required |
true |
type |
String |
example |
appliance_url: http://localhost:8480
{
"appliance_url": "http://localhost:8480"
}
|
login |
|
description |
Conjur authentication login. The login includes host followed by the values provided for id and host in the Conjur policy: host/<POLICY_ID>/<POLICY_HOST> |
required |
true |
type |
String |
example |
login: host/Sensu/sensuBackend
{
"login": "host/Sensu/sensuBackend"
}
|
timeout |
|
description |
Provider connection timeout (hard stop). |
required |
false |
type |
String |
example |
|
tls |
|
description |
TLS object. You may need to set up a Certificate Authority (CA) certificate if it is not already stored in your operating system’s trust store. To do this, set the TLS object and provide the ca_cert path. You may also need to set up client_cert , client_key , or cname . |
required |
false |
type |
Map of key-value pairs |
example |
tls:
ca_cert: "/etc/ssl/certs/conjur_ca_cert.pem"
client_cert: "/etc/ssl/certs/conjur_cert.pem"
client_key: "/etc/ssl/certs/conjur_key.pem"
cname: conjur_client.example.com
{
"tls": {
"ca_cert": "/etc/ssl/certs/conjur_ca_cert.pem",
"client_cert": "/etc/ssl/certs/conjur_cert.pem",
"client_key": "/etc/ssl/certs/conjur_key.pem",
"cname": "conjur_client.example.com"
}
}
|
ttl |
|
description |
The time-to-live (TTL) until CyberArkProvider secrets are considered stale. Sensu will cache secrets provider values for this duration. |
required |
false |
type |
String |
example |
|
VaultProvider spec attributes
client |
|
description |
Map that includes VaultProvider client attributes. |
required |
true |
type |
Map of key-value pairs |
example |
client:
address: https://vaultserver.example.com:8200
max_retries: 2
rate_limiter:
limit: 10
burst: 100
timeout: 20s
tls:
ca_cert: "/etc/ssl/certs/vault_ca_cert.pem"
token: VAULT_TOKEN
version: v1
{
"client": {
"address": "https://vaultserver.example.com:8200",
"max_retries": 2,
"rate_limiter": {
"limit": 10,
"burst": 100
},
"timeout": "20s",
"tls": {
"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
},
"token": "VAULT_TOKEN",
"version": "v1"
}
}
|
VaultProvider client attributes
address |
|
description |
Vault server address. |
required |
true |
type |
String |
example |
address: https://vaultserver.example.com:8200
{
"address": "https://vaultserver.example.com:8200"
}
|
max_retries |
|
description |
Number of times to retry connecting to the Vault provider. |
required |
true |
type |
Integer |
default |
2 |
example |
|
rate_limiter |
|
description |
Maximum rate and burst limits for the enterprise/secrets/v1 API endpoint. Read rate_limiter attributes for more information. |
required |
false |
type |
Map of key-value pairs |
example |
rate_limiter:
limit: 10
burst: 100
{
"rate_limiter": {
"limit": 10,
"burst": 100
}
}
|
timeout |
|
description |
Provider connection timeout (hard stop). |
required |
false |
type |
String |
default |
60s |
example |
|
tls |
|
description |
TLS object. Vault only works with TLS configured. You may need to set up a Certificate Authority (CA) certificate if it is not already stored in your operating system’s trust store. To do this, set the TLS object and provide the ca_cert path. You may also need to set up client_cert , client_key , or cname . |
required |
false |
type |
Map of key-value pairs |
example |
tls:
ca_cert: "/etc/ssl/certs/vault_ca_cert.pem"
client_cert: "/etc/ssl/certs/vault_cert.pem"
client_key: "/etc/ssl/certs/vault_key.pem"
cname: vault_client.example.com
{
"tls": {
"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem",
"client_cert": "/etc/ssl/certs/vault_cert.pem",
"client_key": "/etc/ssl/certs/vault_key.pem",
"cname": "vault_client.example.com"
}
}
|
token |
|
description |
Vault token to use for authentication. |
required |
true |
type |
String |
example |
{
"token": "VAULT_TOKEN"
}
|
version |
|
description |
HashiCorp Vault key/value store version. |
required |
true |
type |
String |
allowed values |
v1 and v2 |
example |
|
Rate limiter attributes
burst |
|
description |
Maximum amount of burst allowed in a rate interval for the enterprise/secrets/v1 API endpoint. |
required |
false |
type |
Integer |
example |
|
limit |
|
description |
Maximum number of secrets requests per second that can be transmitted to the backend with the enterprise/secrets/v1 API endpoint. |
required |
false |
type |
Float |
example |
|