From 2997fadb69cba4007096690df2b51eea9bcfc2fb Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Thu, 30 Oct 2025 14:41:39 -0400 Subject: [PATCH 1/3] Add Akeyless Secret Store Documentation Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 224 ++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md new file mode 100644 index 00000000000..3415649f690 --- /dev/null +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md 
@@ -0,0 +1,224 @@ +--- +type: docs +title: "Akeyless" +linkTitle: "Akeyless" +description: Information about the Akeyless secret store component configuration. +--- + +## Create the Akeyless component + +To setup Akeyless secret store create a component of type `secretstores.akeyless`. See [this guide]({{% ref "setup-secret-store.md#apply-the-configuration" %}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{% ref component-secrets.md %}}) to retrieve and use the secret with Dapr components. + + +## Component Format + +```yaml +schemaVersion: v1 +type: secretstores +name: akeyless +version: v1 +status: beta +title: "Akeyless Secret Store" +urls: + - title: Reference + url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/akeyless/ +authenticationProfiles: + - title: API Key + description: Authenticate using an API key. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: accessKey + required: true + description: The Akeyless API key. + example: "ABCD1233...=" + type: string + sensitive: true + - title: JWT + description: Authenticate using a JSON Web Token. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: jwt + required: true + description: The JSON Web Token. + example: "eyJ..." + type: string + sensitive: true + - title: AWS IAM + description: Authenticate using AWS IAM. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - title: Kubernetes + description: Authenticate using Kubernetes. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: k8sAuthConfigName + required: true + description: The name of the k8s auth config. 
+ example: "k8s-auth-config" + type: string + - name: k8sGatewayUrl + required: true + description: The gateway URL that where the k8s auth config is located. + example: "http://gw.akeyless.svc.cluster.local:8000" + type: string + - name: k8sServiceAccountToken + required: true + description: The service account token. + example: "eyJ..." + type: string + sensitive: true +metadata: + - name: gatewayUrl + required: false + description: | + The URL to the Akeyless Gateway API. Default is https://api.akeyless.io. + default: "https://api.akeyless.io" + example: "https://your.akeyless.gw" + type: string +``` + +## Spec metadata fields + +| Field | Required | Details | Example | +|--------------------|:--------:|-------------------------------------------------------------------------|---------------------| +| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | +| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890` | +| `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | +| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `eyJ...` | +| `k8sAuthConfigName` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method | `my-k8s-auth-conf` | +| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | +| `k8sServiceAccountToken` | N | Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. 
If not filled in, will read from k8s token in container filesystem | `ej...` | + + +## Authentication Methods + +We currently support the following authentication methods: + +### [API Key](https://docs.akeyless.io/docs/api-key) + + + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." + - name: accessKey + value: "ABCD1233...=" +``` + +### [AWS IAM](https://docs.akeyless.io/docs/aws-iam) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." +``` + +### [OAuth2.0/JWT](https://docs.akeyless.io/docs/oauth20jwt) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." + - name: jwt + value: "eyJ..." +``` + +### [Kubernetes](https://docs.akeyless.io/docs/kubernetes-auth) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2" + - name: accessID + value: "p-123..." + - name: k8sAuthConfigName + value: "my-k8s-auth-config" + - name: k8sGatewayUrl + value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2" + - name: k8sServiceAccountToken + value: "eyJ..." +``` + +{{% alert title="Warning" color="warning" %}} +The above examples use secrets as plain strings. 
It is recommended to use a local secret store such as [Kubernetes secret store]({{% ref kubernetes-secret-store.md %}}) or a [local file]({{% ref file-secret-store.md %}}) to bootstrap secure key storage. +{{% /alert %}} + + +## Retrieve secrets + +You can retrieve secrets from Akeyless using the Dapr secrets API: + +```bash +curl http://localhost:3500/v1.0/secrets/akeyless/my-secret +``` + +This returns the secret value stored in Akeyless with the name `my-secret`. + +## Setup Akeyless instance + +To get started with Akeyless: + +1. Sign up for an Akeyless account at [https://www.akeyless.io](https://www.akeyless.io) +2. Create an Access ID and configure your preferred authentication method. +3. Set up your secrets in the Akeyless. +4. Configure the Dapr component using one of the authentication methods above. + +For more detailed setup instructions, refer to the [Akeyless documentation](https://docs.akeyless.io/). + +## Related links + +- [Secrets building block]({{% ref secrets %}}) +- [How-To: Retrieve a secret]({{% ref "howto-secrets.md" %}}) +- [How-To: Reference secrets in Dapr components]({{% ref component-secrets.md %}}) +- [Secrets API reference]({{% ref secrets_api.md %}}) \ No newline at end of file From c30e9cf9003944610efc323a8145914c93032365 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Tue, 11 Nov 2025 13:18:26 -0500 Subject: [PATCH 2/3] added metadata params path,secrets_type to bulk Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 145 ++++++++++-------- 1 file changed, 80 insertions(+), 65 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 3415649f690..5f8a8a6805b 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md 
@@ -13,6 +13,7 @@ To setup Akeyless secret store create a component of type `secretstores.akeyless ## Component Format ```yaml +# yaml-language-server: $schema=../../component-metadata-schema.json schemaVersion: v1 type: secretstores name: akeyless @@ -22,67 +23,6 @@ title: "Akeyless Secret Store" urls: - title: Reference url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/akeyless/ -authenticationProfiles: - - title: API Key - description: Authenticate using an API key. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: accessKey - required: true - description: The Akeyless API key. - example: "ABCD1233...=" - type: string - sensitive: true - - title: JWT - description: Authenticate using a JSON Web Token. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: jwt - required: true - description: The JSON Web Token. - example: "eyJ..." - type: string - sensitive: true - - title: AWS IAM - description: Authenticate using AWS IAM. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - title: Kubernetes - description: Authenticate using Kubernetes. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: k8sAuthConfigName - required: true - description: The name of the k8s auth config. - example: "k8s-auth-config" - type: string - - name: k8sGatewayUrl - required: true - description: The gateway URL that where the k8s auth config is located. - example: "http://gw.akeyless.svc.cluster.local:8000" - type: string - - name: k8sServiceAccountToken - required: true - description: The service account token. - example: "eyJ..." - type: string - sensitive: true metadata: - name: gatewayUrl required: false 
@@ -91,6 +31,46 @@ metadata: default: "https://api.akeyless.io" example: "https://your.akeyless.gw" type: string + - name: accessId + required: true + description: | + The Akeyless Access ID. Currently supported authentication methods are: API keys (`access_key`, default), JWT (`jwt`) and AWS IAM (`aws_iam`). + example: "p-123456780wm" + type: string + - name: jwt + required: false + description: | + If using the JWT authentication method, specify it here. + example: "eyJ..." + type: string + sensitive: true + - name: accessKey + required: false + description: | + If using the API key (access_key) authentication method, specify it here. + example: "ABCD1233...=" + type: string + sensitive: true + - name: k8sAuthConfigName + required: false + description: | + If using the k8s auth method, specify the name of the k8s auth config. + example: "k8s-auth-config" + type: string + - name: k8sGatewayUrl + required: false + description: | + The gateway URL that where the k8s auth config is located. + example: "http://gw.akeyless.svc.cluster.local:8000" + type: string + - name: k8sServiceAccountToken + required: false + description: | + If using the k8s auth method, specify the service account token. If not specified, + we will try to read it from the default service account token file. + example: "eyJ..." + type: string + sensitive: true ``` ## Spec metadata fields @@ -112,8 +92,6 @@ We currently support the following authentication methods: ### [API Key](https://docs.akeyless.io/docs/api-key) - - ```yaml apiVersion: dapr.io/v1alpha1 kind: Component 
@@ -197,13 +175,50 @@ The above examples use secrets as plain strings. It is recommended to use a loca ## Retrieve secrets -You can retrieve secrets from Akeyless using the Dapr secrets API: +Once configured, you can retrieve secrets using the Dapr secrets API: ```bash +# Get a single secret curl http://localhost:3500/v1.0/secrets/akeyless/my-secret + +# Get all secrets (static, dynamic, rotated) from root (/) path +curl http://localhost:3500/v1.0/secrets/akeyless/bulk + +# Get all secrets static secrets +curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static + +# Get all static and dynamic secrets from a specific path (/my/org) +curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org ``` -This returns the secret value stored in Akeyless with the name `my-secret`. +Or using the Dapr SDK. The example below retrieves all static secrets from path `/path/to/department`: + +```go +log.Println("Starting test application") + client, err := dapr.NewClient() + if err != nil { + log.Printf("Error creating Dapr client: %v\n", err) + panic(err) + } + log.Println("Dapr client created successfully") + const daprSecretStore = "akeyless" + + defer client.Close() + ctx := context.Background() + akeylessBulkMetadata := map[string]string{ + "path": "/path/to/department", + "secrets_type": "static", + } + secrets, err := client.GetBulkSecret(ctx, daprSecretStore, akeylessBulkMetadata) + if err != nil { + log.Printf("Error fetching secrets: %v\n", err) + panic(err) + } + log.Printf("Found %d secrets: ", len(secrets)) + for secretName, secretValue := range secrets { + log.Printf("Secret: %s, Value: %s", secretName, secretValue) + } +``` ## Setup Akeyless instance From 899d0c928aaa2e0aaf9de95f094a8cf08245738d Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Tue, 11 Nov 2025 13:25:09 -0500 Subject: [PATCH 3/3] added note about failing retrieval of secret when using bulk api 
Signed-off-by: Kobbi Gal --- .../components-reference/supported-secret-stores/akeyless.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 5f8a8a6805b..2b58e099f67 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md @@ -220,6 +220,10 @@ log.Println("Starting test application") } ``` +{{% alert title="Failing Retrieval in Bulk" color="info" %}} +When retrieving secrets using the bulk API, all successfully-retrieved secrets will be returned and failed ones will be logged in the component log. +{{% /alert %}} + ## Setup Akeyless instance To get started with Akeyless:
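Review bot: PATCH 1/3, the new `akeyless.md` hunk: the `Spec metadata fields` table and the examples disagree with the component format on field names and fallbacks. The table row and the Kubernetes example use `accessID`, while the schema block and the other three examples use `accessId`; pick one spelling. The `k8sGatewayUrl` row says it defaults to `akeylessGWApiURL`, a field that appears nowhere else in this file (the gateway field is `gatewayUrl`); the `k8sServiceAccountToken` example reads `ej...` where every other token example reads `eyJ...`; and the `gatewayUrl` example carries an `/api/v2` suffix while the stated default `https://api.akeyless.io` has none, so say whether the suffix is expected. The `jwt` and `k8sServiceAccountToken` rows ask for a "`base64`-encoded string of the JWT" while the schema block describes the same fields as the token itself; state plainly whether the value is the compact JWT as issued or an additionally encoded one. The Kubernetes example points both `gatewayUrl` and `k8sGatewayUrl` at `http://...:8000`, which sends the service account token to the gateway in cleartext; either use `https://` in the example or add a sentence that the gateway should be reached over TLS. Smaller points: "To setup Akeyless secret store create a component" reads better as "To set up the Akeyless secret store, create a component"; "The gateway URL that where the k8s auth config is located" and "Set up your secrets in the Akeyless." are typos; and the file ends without a trailing newline.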
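Review bot: PATCH 2/3, hunk `@@ -91,6 +31,46 @@`: the new `accessId` description lists the supported methods as `access_key`, `jwt` and `aws_iam` and omits Kubernetes, yet `k8sAuthConfigName`, `k8sGatewayUrl` and `k8sServiceAccountToken` are defined right below it in the same hunk and the `Authentication Methods` section still carries a Kubernetes example; add `k8s` to that list, or drop the Kubernetes fields and section if the method is not supported. Since the previous hunk removed `authenticationProfiles`, this description is now the only place that says which optional fields go together, so it should also state that `accessKey`, `jwt` and the `k8s*` fields are each used only with their own method. The `k8sGatewayUrl` description carries forward the typo "The gateway URL that where the k8s auth config is located" and, unlike the table, says nothing about the fallback to the main gateway URL when it is unset; suggest "The URL of the Akeyless Gateway on which the k8s auth config is defined. Defaults to `gatewayUrl`." if that is the behaviour.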
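Review bot: PATCH 2/3, hunk `@@ -197,13 +175,50 @@`: the last two `curl` lines do not work when pasted into a shell because the URL is unquoted: `&` puts `curl` in the background and runs `metadata.path=/my/org` as a separate command, and an unquoted `?` is subject to glob expansion. Quote the URLs, e.g. `curl "http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org"`. The Go block is not compilable as shown: it has no `package`, `func main` or imports (`context`, `log` and the Dapr Go SDK client package imported as `dapr`), and its first line is indented differently from the rest. It also writes every secret value to the log with `log.Printf("Secret: %s, Value: %s", secretName, secretValue)`; a reference example should not print secret values, so log only the name or the count, and drop the trailing colon in `"Found %d secrets: "`. `path` and `secrets_type` are the request metadata this change introduces, but they appear only inside shell comments; add them to the page as a small table with the allowed values (`static`, `dynamic`, `rotated`), the defaults the comments imply (`/` and all types) and a sentence on what including `dynamic` in a bulk call does on the Akeyless side, since the default fetches everything under `/`. Also "Get all secrets static secrets" is a typo.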
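Review bot: PATCH 3/3, hunk `@@ -220,6 +220,10 @@`: the note says failed secrets are only logged but not what the caller sees, and that is the part a reader needs. The text implies the request still succeeds; say so explicitly, and that the failed secrets are simply absent from the returned map, so a bulk response must not be treated as complete without checking for the names the caller expects. State at which log level the failures appear and that the log line carries the secret name and the error, not the value. A title such as "Partial failures in bulk retrieval" describes the situation better than "Failing Retrieval in Bulk".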