Secret usage with backup and restore

absctl backup and absctl restore support retrieving values from the Aerospike Secret Agent. This makes it possible to use sensitive information like TLS certificates and passwords as arguments without storing them on the same machine as absctl.

To use secrets as arguments, the Secret Agent must be running and accessible by absctl. Use the following options to connect to the Secret Agent.

Secret Agent options

absctl backup and absctl restore both support the same Secret Agent-related options.

| Option | Default | Description |
| --- | --- | --- |
| --sa-address=HOST[:PORT] | 127.0.0.1 | The Secret Agent’s hostname or IP address to connect to. |
| --sa-port=PORT | 3005 | The port to use to connect to the Secret Agent. |
| --sa-timeout=MS | 1000 | The timeout used when connecting to and requesting secrets from the Secret Agent. |
| --sa-ca-file=TLS_CAPATH | | The path to a trusted CA certificate file in PEM format. Used when authenticating with the Secret Agent. Using this option enables TLS for all connections with the Secret Agent. |
| --sa-cert-file=PATH | | Path to a client certificate file for mutual TLS authentication. |
| --sa-key-file=PATH | | Path to a client private key file for mutual TLS authentication. |
| --sa-tls-name=NAME | | TLS name (SNI) for encrypted connections. |
| --sa-connection-type=TYPE | tcp | The type of connection to use (tcp or unix). |
| --sa-is-base64 | false | Whether the secret values are Base64 encoded. |

Secret arguments

absctl backup and absctl restore support using secrets for cloud provider flags (Azure, GCS, S3), and the Aerospike Database login password. Exceptions include the arguments for the Secret Agent itself, and arguments that specify configuration files such as --config.

The format for using a secret as an argument is secrets[:<resource_name>]:<secret_key>. See the Aerospike Secret Agent documentation for information about resource names, secret names, and how to set up the Secret Agent service.

Using secrets from Secret Agent

This example uses the secret pass from Secret Agent resource resource1 as the absctl backup password argument.

absctl backup --sa-address 127.0.0.1:3005 --password secrets:resource1:pass -n test --output-file -
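
A pre-flight check for command lines like the one above, added here as an example and not part of absctl or the Aerospike documentation. It parses the secrets[:<resource_name>]:<secret_key> format and flags a literal --password, a secret reference passed to a Secret Agent option, and a remote agent address without --sa-ca-file. The function names, the PLAINTEXT placeholder and the remote-agent policy are assumptions of this example.

```python
import re

# Reference format from the page: secrets[:<resource_name>]:<secret_key>
# Assumption of this example: names contain no ':' or whitespace.
SECRET_REF = re.compile(r"^secrets(?::(?P<resource>[^:\s]+))?:(?P<key>[^:\s]+)$")
SENSITIVE = ("--password",)  # flags this example expects to be secret references
LOOPBACK = ("127.0.0.1", "localhost")

def parse_secret_ref(value):
    """Return (resource_or_None, key) for a secret reference, else None."""
    m = SECRET_REF.match(value)
    return (m.group("resource"), m.group("key")) if m else None

def split_args(argv):
    """Collect '--flag value' and '--flag=value' pairs into a dict."""
    opts, i = {}, 0
    while i < len(argv):
        arg, nxt = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if arg.startswith("--") and "=" in arg:
            flag, _, value = arg.partition("=")
            opts[flag] = value
        elif arg.startswith("--") and nxt is not None and (nxt == "-" or not nxt.startswith("-")):
            opts[arg] = nxt
            i += 1
        i += 1
    return opts

def lint(argv):
    """Return findings for one absctl backup/restore command line."""
    opts, findings = split_args(argv), []
    for flag in SENSITIVE:
        if flag in opts and parse_secret_ref(opts[flag]) is None:
            findings.append(f"{flag}: literal value, not a secret reference")
    for flag, value in opts.items():
        if flag.startswith("--sa-") and value.startswith("secrets:"):
            findings.append(f"{flag}: Secret Agent options cannot be secrets")
    # Assumed policy: a non-loopback TCP agent should use --sa-ca-file (enables TLS).
    host = opts.get("--sa-address", "127.0.0.1").partition(":")[0]
    is_tcp = opts.get("--sa-connection-type", "tcp") == "tcp"
    if is_tcp and host not in LOOPBACK and "--sa-ca-file" not in opts:
        findings.append("--sa-address: remote Secret Agent without --sa-ca-file")
    return findings

# Constructed sample command lines (GOOD is the page's own example).
GOOD = ["absctl", "backup", "--sa-address", "127.0.0.1:3005",
        "--password", "secrets:resource1:pass", "-n", "test", "--output-file", "-"]
BAD = ["absctl", "backup", "--sa-address=secretagent:3006", "--password", "PLAINTEXT",
       "--sa-key-file", "secrets:resource1:key", "-n", "test"]
print(lint(GOOD), lint(BAD))
```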

Secrets can also be used from a YAML configuration file passed via the --config flag. The following example configuration file causes absctl backup to connect to the Secret Agent at secretagent:3006 using TLS and the certificate at path/to/cacert.pem.

absctl backup then connects to Aerospike Database using TLS at resource “resource1” and secret “aerospike_cafile”.

cluster:
  seeds:
    - host: 172.4.25.1
      port: 3000
  user: "secrets:resource1:db_user"
  password: "secrets:resource1:db_password"
secret-agent:
  address: "secretagent"
  port: 3006
  ca-file: "path/to/cacert.pem"

The following configuration file causes absctl backup to get the Aerospike host from the Secret Agent.

secret-agent:
  sa-address: "secretagent"
  sa-port: 3006
host: "secrets:resource1:aerospike_host"