Manage secrets
With secrets management in Aerospike Cloud, you can store sensitive values, such as authentication passwords, separate from your database configuration. When you reference a secret in a configuration value, Aerospike Cloud securely retrieves the secret from an encrypted vault and makes it available to the cluster nodes.
This approach isolates secret management from other configurations, enabling dedicated security procedures for sensitive properties.
Create a secret
- Navigate to Access manager > Secrets.
- Click Add secret.
- Enter a name for the secret.
  The name is used as the reference in your configuration. Choose something clear and specific to its purpose.
- Enter the secret value.
- Click Add secret.

After you create the secret, it appears in the secrets list.
- Create a Cloud API key and retrieve a bearer token. See Using Cloud APIs for details.
- Make a POST request to create the secret.

      curl -X POST "https://api.aerospike.com/v1/secrets" \
        -H "Authorization: Bearer BEARER_TOKEN" \
        -H "Content-Type: application/json" \
        --data '{"name":"SECRET_NAME","value":"SECRET_VALUE"}'

  Replace the following placeholders:
  - BEARER_TOKEN: Your API bearer token
  - SECRET_NAME: A name for the secret (must comply with RFC 1035)
  - SECRET_VALUE: The sensitive value to store

To verify the secret was created, list secrets:

    curl -X GET "https://api.aerospike.com/v1/secrets" \
      -H "Authorization: Bearer BEARER_TOKEN"

The response includes the secret metadata (name and creation date). The API does not return secret values in list responses.
Use secrets in your Aerospike Cloud configuration
To use a secret, specify the secret name as the value for the auth-password-file parameter in your cross-datacenter replication (XDR) configuration. This parameter provides the password for XDR destination authentication. You do not need to include a file path. Aerospike Cloud automatically mounts the secret at the appropriate location on the database nodes.
For example, if you create a secret named xdr-auth-password, reference it directly by name in your XDR configuration:

    xdr:
      dcs:
        - name: dc1
          auth-password-file: xdr-auth-password

To apply configuration changes to your cluster, see Modify a cluster.
XDR authentication example
The following configuration uses a secret named xdr-auth-password for cross-datacenter replication (XDR) authentication:

    xdr:
      dcs:
        - name: dc1
          auth-mode: internal
          auth-user: xdr-user
          auth-password-file: xdr-auth-password

    {
      "xdr": {
        "dcs": [
          {
            "name": "dc1",
            "auth-mode": "internal",
            "auth-user": "xdr-user",
            "auth-password-file": "xdr-auth-password"
          }
        ]
      }
    }

Delete a secret
- Navigate to Access manager > Secrets.
- Find the secret you want to delete.
- Click the three-dot menu next to the secret and select Delete secret.
- Click Delete to confirm.

    curl -X DELETE "https://api.aerospike.com/v1/secrets/SECRET_ID" \
      -H "Authorization: Bearer BEARER_TOKEN"

Replace SECRET_ID with the UUID of the secret (returned when you list secrets).
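The following added example (not Aerospike's code) lints an XDR configuration in the JSON form shown above before it is applied or before a secret is deleted: it flags auth-password-file values that are file paths, that are not RFC 1035 labels, or that name no existing secret, and it reports whether a secret is still referenced. The function names, the constructed dc2 and dc3 entries, the reading of "RFC 1035" as the single-label grammar, and the practice of checking references before deletion are assumptions.

```python
import json
import re

# RFC 1035 section 2.3.1 label (assumed to be the rule the service applies):
# letter first, letter or digit last, letters/digits/hyphens between, max 63.
RFC1035_LABEL = re.compile(r"[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_rfc1035_label(name):
    return isinstance(name, str) and RFC1035_LABEL.fullmatch(name) is not None

def check_xdr_secret_refs(config, known_secrets):
    """Return (referenced_names, findings) for every dc under xdr.dcs."""
    referenced, findings = set(), []
    for dc in config.get("xdr", {}).get("dcs", []):
        dc_name = dc.get("name", "<unnamed>")
        if "auth-password-file" not in dc:
            continue
        ref = dc["auth-password-file"]
        if isinstance(ref, str) and ("/" in ref or "\\" in ref):
            findings.append(f"{dc_name}: '{ref}' looks like a file path; use the secret name only")
        elif not is_rfc1035_label(ref):
            findings.append(f"{dc_name}: '{ref}' is not an RFC 1035 label")
        elif ref not in known_secrets:
            findings.append(f"{dc_name}: no secret named '{ref}' exists")
        else:
            referenced.add(ref)
    return referenced, findings

def safe_to_delete(secret_name, config):
    """True only when no dc still references the secret by name."""
    return all(dc.get("auth-password-file") != secret_name
               for dc in config.get("xdr", {}).get("dcs", []))

# Constructed sample input: the page's dc1 plus two deliberately wrong entries.
SAMPLE_CONFIG = json.loads("""
{"xdr": {"dcs": [
  {"name": "dc1", "auth-mode": "internal", "auth-user": "xdr-user",
   "auth-password-file": "xdr-auth-password"},
  {"name": "dc2", "auth-password-file": "/etc/aerospike/xdr-pass.txt"},
  {"name": "dc3", "auth-password-file": "2nd_password"}
]}}
""")
KNOWN_SECRETS = {"xdr-auth-password", "unused-secret"}  # names from the list call

if __name__ == "__main__":
    used, problems = check_xdr_secret_refs(SAMPLE_CONFIG, KNOWN_SECRETS)
    print("referenced:", sorted(used), "findings:", problems)
    print("unused-secret deletable:", safe_to_delete("unused-secret", SAMPLE_CONFIG))
```

The check reads only secret names and configuration, never secret values, so it can run in CI against the names returned by the list request.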
Related topics
- Modify a cluster to apply configuration changes.
- Configure advanced settings for your cluster.
- Review security practices for Aerospike Cloud.