Secret Managers
Several ways to provide database credential are supported.
Raw
Database credentials can be provided as raw unencrypted values:
{
"type": "raw",
"value": "${SOURCE_PASSWORD}"
}Where:
-
type: The password provider type -
value: raw password value
Google Secret Manager
Database credentials can be requested from Google Secret Manager:
{
"type": "gcp",
"project": "${GCP_PROJECT_ID}",
"secret": "${SECRET_ID}",
"version": "${VERSION_ID}"
}Where:
-
type: The password provider type -
project: GCP project ID -
secret: Secret Manager secret ID -
version: (optional, default – latest) Secret Manager secret version ID
|
Note
|
AWS Secrets Manager
Database credentials can be requested from AWS Secrets Manager:
{
"type": "aws",
"secret": "${SECRET_ID}",
"version": "${VERSION_ID}"
}Where:
-
type: The password provider type -
secret- The ARN or name of the secret to retrieve -
version(optional) - The unique identifier of the version of the secret to retrieve If you don’t specify the version, then theAWSCURRENTversion is used.
|
Note
|
Hashicorp Vault
Database credentials can be requested from Hashicorp Vault:
{
"type": "vault",
"storage": "${STORAGE_ID}",
"path": "${PATH_ID}",
"secret": "${SECRET_ID}",
"versioned": "${IS_VERSIONED}",
"version": "${VERSION_ID}"
}Where:
-
type: The password provider type -
storage: The name of the secret storage (e.g. "secret", "database", "cubbyhole", etc) -
path: The mount path of the secret -
secret: The name of the secret to retrieve -
versioned: Indicates if the current secret storage is versioned ("false" by default) -
version: The unique identifier of the version of the secret to retrieve. Using 0 as the default value for the current version
|
Note
|
For more information and examples, please refer to the Hashicorp Vault as a Secret Manager tutorial page.