---
title: "Configuration template"
description: "Complete YAML configuration template for the Aerospike Secret Agent, including service and secret manager settings."
---

# Configuration template

The following template shows all available options for the Secret Agent configuration file. You must configure at least one service listener and exactly one secret manager.

```yaml
service: # at least one service is required
  tcp:
    endpoint: 0.0.0.0:3005 # mandatory
    tls: # optional
      cert-file: PATH_TO_CERT_FILE
      key-file: PATH_TO_KEY_FILE
      ca-file: PATH_TO_CA_FILE # optional, needed for mutual TLS only

  uds:
    socket-path: PATH_TO_SOCKET # mandatory

  http:
    endpoint: 0.0.0.0:8080 # mandatory
    secrets: # optional; enables REST secrets API
      url-base-path: /manage/rest # optional; default /manage/rest; length ≥ 2, start with /, no trailing /
    metrics: # optional
      prometheus: # optional
        url-base-path: /manage/rest # optional; same validation as secrets
        labels: # optional
          LABEL_NAME_1: LABEL_VALUE_1
          LABEL_NAME_2: LABEL_VALUE_2
          LABEL_NAME_3: LABEL_VALUE_3

  https:
    endpoint: 0.0.0.0:8443 # mandatory
    tls: # mandatory for https
      cert-file: PATH_TO_CERT_FILE # mandatory
      key-file: PATH_TO_KEY_FILE # mandatory
      ca-file: PATH_TO_CA_FILE # optional; for mutual TLS
    secrets: # optional; same as service.http.secrets
      url-base-path: /manage/rest # optional
    metrics: # optional; same as service.http.metrics
      prometheus:
        url-base-path: /manage/rest # optional
        labels: # optional
          LABEL_NAME_1: LABEL_VALUE_1
          LABEL_NAME_2: LABEL_VALUE_2
          LABEL_NAME_3: LABEL_VALUE_3

secret-manager: # exactly one secret manager is required
  aws:
    region: REGION # mandatory
    access-key-id: ACCESS_KEY_ID # optional
    secret-access-key: SECRET_ACCESS_KEY # optional
    assume-role: ROLE_ARN # optional
    convert-to-base64: TRUE_OR_FALSE # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1: ARN_1
      RESOURCE_NAME_2: ARN_2
      RESOURCE_NAME_3: ARN_3

  gcp:
    credential-file: PATH_TO_CREDENTIAL_FILE # optional
    impersonate: SERVICE_ACCOUNT # optional
    convert-to-base64: TRUE_OR_FALSE # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1: RESOURCE_PATH_WITH_VERSION_1
      RESOURCE_NAME_2: RESOURCE_PATH_WITH_VERSION_2
      RESOURCE_NAME_3: RESOURCE_PATH_WITH_VERSION_3

  vault:
    endpoint: VAULT_ENDPOINT # mandatory
    ca-file: PATH_TO_CA_FILE # optional
    ca-path: PATH_TO_CA_DIRECTORY # optional
    namespace: VAULT_NAMESPACE # optional
    # one auth method is required: token-file; or username and password-file;
    # or tls-auth-mount, client-cert-file and client-key-file
    token-file: PATH_TO_TOKEN_FILE
    username: USERNAME
    password-file: PATH_TO_PASSWORD_FILE
    tls-auth-mount: MOUNT
    client-cert-file: PATH_TO_CLIENT_CERT_FILE
    client-key-file: PATH_TO_CLIENT_KEY_FILE
    convert-to-base64: TRUE_OR_FALSE # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1:
        mount: MOUNT_1 # mandatory
        secret: SECRET_1 # mandatory
        version: VERSION_1 # optional (default is 0)
      RESOURCE_NAME_2:
        mount: MOUNT_2 # mandatory
        secret: SECRET_2 # mandatory
        version: VERSION_2 # optional (default is 0)
      RESOURCE_NAME_3:
        mount: MOUNT_3 # mandatory
        secret: SECRET_3 # mandatory
        version: VERSION_3 # optional (default is 0)

  file:
    convert-to-base64: TRUE_OR_FALSE # optional (default is false)
    resources: # mandatory
      RESOURCE_NAME_1: PATH_TO_JSON_FILE_1
      RESOURCE_NAME_2: PATH_TO_JSON_FILE_2
      RESOURCE_NAME_3: PATH_TO_JSON_FILE_3

log: # optional
  file: PATH_TO_LOG_FILE # optional (default is stdout)
  level: LEVEL # optional; "error", "warn", "info", "debug", "trace" (default "info"). At trace level, HTTP/HTTPS listeners log Prometheus and Secrets base URLs at startup.
```
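The rules stated in the template's comments can be checked before a configuration is deployed. The following pre-deployment lint is an added example, not code from the Secret Agent project; it assumes the YAML has already been parsed into a Python dict, and the names `lint`, `bad_base_path`, `MANDATORY`, `VAULT_AUTH` and the `SAMPLE` values are hypothetical.

```python
# Added example: lint a parsed Secret Agent config (a dict) against the rules in the template comments.
VAULT_AUTH = [("token-file",), ("username", "password-file"),
              ("tls-auth-mount", "client-cert-file", "client-key-file")]
MANDATORY = {  # keys the template marks "mandatory", per section
    ("service", "tcp"): ["endpoint"], ("service", "uds"): ["socket-path"],
    ("service", "http"): ["endpoint"], ("service", "https"): ["endpoint"],
    ("secret-manager", "aws"): ["region", "resources"],
    ("secret-manager", "gcp"): ["resources"], ("secret-manager", "file"): ["resources"],
    ("secret-manager", "vault"): ["endpoint", "resources"],
}

def bad_base_path(p):
    # Template rule: length >= 2, starts with "/", no trailing "/".
    return not (isinstance(p, str) and len(p) >= 2
                and p.startswith("/") and not p.endswith("/"))

def lint(cfg):
    errs = []
    services = cfg.get("service") or {}
    managers = cfg.get("secret-manager") or {}
    if not services:
        errs.append("service: at least one listener is required")
    if len(managers) != 1:
        errs.append("secret-manager: exactly one is required, found %d" % len(managers))
    for top, section in (("service", services), ("secret-manager", managers)):
        for name, body in section.items():
            for key in MANDATORY.get((top, name), []):
                if not (body or {}).get(key):
                    errs.append("%s.%s.%s is mandatory" % (top, name, key))
    for name in ("http", "https"):
        body = services.get(name) or {}
        prom = (body.get("metrics") or {}).get("prometheus") or {}
        for p in ((body.get("secrets") or {}).get("url-base-path"), prom.get("url-base-path")):
            if p is not None and bad_base_path(p):
                errs.append("service.%s: invalid url-base-path %r" % (name, p))
    if "https" in services:  # tls with cert-file and key-file is mandatory for https
        tls = (services["https"] or {}).get("tls") or {}
        errs += ["service.https.tls.%s is mandatory" % k
                 for k in ("cert-file", "key-file") if not tls.get(k)]
    if "vault" in managers:  # one complete auth method is required
        vault = managers["vault"] or {}
        if not any(all(vault.get(k) for k in group) for group in VAULT_AUTH):
            errs.append("secret-manager.vault: no complete auth method configured")
    return errs

# Constructed sample: trailing slash in url-base-path, vault username without password-file.
SAMPLE = {"service": {"http": {"endpoint": "127.0.0.1:8080", "secrets": {"url-base-path": "/manage/rest/"}}},
          "secret-manager": {"vault": {"endpoint": "https://vault.example:8200",
                                       "username": "agent", "resources": {"r": {}}}}}
```

Calling `lint(SAMPLE)` returns one message per violated rule; an empty list means the parsed configuration satisfies every rule the template states.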