---
title: "Integrate Secret management services with Aerospike on Kubernetes"
description: "Integrate AWS Secrets Manager or other services with Aerospike on Kubernetes using the Secret Agent sidecar."
---

# Integrate Secret management services with Aerospike on Kubernetes

Aerospike Database can fetch sensitive configuration values from secret management services by using [Aerospike Secret Agent](https://aerospike.com/docs/database/tools/secret-agent). The agent runs as a sidecar and proxies requests between Aerospike Database and a secret management service such as AWS Secrets Manager.

### Add Aerospike Secret Agent sidecar

```yaml
spec:
  podSpec:
    sidecars:
      - name: secret-agent
        image: aerospike/aerospike-secret-agent:1.2.3
        args:
          - -config-file=/etc/aerospike/secret-agent/config.yaml  # This path can be changed to match the secret-agent secret mount path
```

### Create Aerospike Secret Agent configuration secret

Aerospike Secret Agent requires a configuration file, `config.yaml`, that sets the listening TCP endpoint or Unix socket, TLS settings, and the connection details for the secret management service it proxies.

The following is an example `config.yaml`:

```yaml
service:
  tcp:
    endpoint: 0.0.0.0:3005
secret-manager:
  aws:
    region: us-west-1
    resources:
      TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j  # Secret ARN
    # Static access keys are shown for a simple test setup only.
    # For production, use workload identity or an equivalent short-lived credential flow.
    access-key-id: ACCESS_KEY_ID
    secret-access-key: SECRET_ACCESS_KEY
log:
  level: info
```

For all configuration parameters, see [Aerospike Secret Agent](https://github.com/aerospike/aerospike-secret-agent/blob/main/config/template.yaml). Do not use static AWS access keys for production deployments. Prefer workload identity, IAM roles for service accounts, or another short-lived credential mechanism supported by your Kubernetes platform.

Create a Kubernetes secret from the `config.yaml` shown above, in the namespace where the Aerospike cluster will be created:

```shell
kubectl -n NAMESPACE create secret generic aerospike-agent-secret --from-file=config.yaml
```

### Add Aerospike Secret Agent mount configuration in AKO CR

Add the following volume configuration to the Aerospike Kubernetes Operator (AKO) custom resource (CR) so that the secret created in the previous step is mounted into the `secret-agent` sidecar at the path its `-config-file` argument expects.

```yaml
storage:
  filesystemVolumePolicy:
    cascadeDelete: true
    initMethod: deleteFiles
  blockVolumePolicy:
    cascadeDelete: true
  volumes:
    - name: aerospike-agent-secret
      source:
        secret:
          secretName: aerospike-agent-secret
      sidecars:
        - containerName: secret-agent
          path: /etc/aerospike/secret-agent
```

### Add Secret Agent configuration in Aerospike Database

The following example shows how to configure Secret Agent in Aerospike Database so the server can communicate with the agent.

```yaml
aerospikeConfig:
  service:
    feature-key-file: secrets:TestingSecret:FeatureKey
    secrets-address-port: 127.0.0.1 3005
  security: {}
  network:
    service:
      port: 3000
    heartbeat:
      port: 3002
    fabric:
      port: 3001
  namespaces:
    - name: test
      replication-factor: 2
      storage-engine:
        type: device
        devices:
          - /test/dev/xvdf
```

The `service.secrets-address-port` parameter tells the server how to reach the Secret Agent. Its value is space-separated, in the format `AGENT_IP AGENT_LISTEN_PORT TLS_NAME`. `TLS_NAME` is required only when TLS is configured for Secret Agent; omit it otherwise. With the sidecar configuration above, the agent listens on port `3005` in the same pod, so the server connects to `127.0.0.1 3005`.

To have a supported configuration parameter fetched from the external secret manager, write its value in the `secrets:[resource:]key` format.

| Parameter | Required | Description |
| --- | --- | --- |
| `secrets:` | Required | Mandatory prefix that tells the system to fetch the value from an external secret manager. |
| `resource` | Required (as of Secret Agent 1.3.0, the agent always validates the resource name). | Name of the resource in the Secret Agent configuration file. The secret is retrieved from the path associated with this resource. See the Secret Agent [configuration documentation](https://aerospike.com/docs/database/tools/secret-agent/) for details. |
| `key` | Required | Identifies the specific secret entry.<br>**AWS**: a single secret can contain multiple key-value pairs; `key` selects which pair to use.<br>**GCP**: a secret contains a single value; `key` is cross-checked to ensure it matches part of the resource path. |

In the previous example, `TestingSecret` is an alias for a resource in the Secret Agent configuration file. `FeatureKey` identifies the base64-encoded feature-key file stored in the external secret manager.
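The steps above wire four things together that must agree with each other: the resource names in the agent's `config.yaml`, the `secrets:[resource:]key` references in `aerospikeConfig`, the port in `secrets-address-port` versus the agent's `tcp.endpoint`, and the sidecar's `-config-file` path versus the secret's mount path. A mismatch in any of them shows up only at pod start, when the server fails to fetch the feature key. The following script is an added example, not code from the Aerospike documentation or the Secret Agent project: it parses the `secrets:[resource:]key` format as defined in the table above and runs those consistency checks before the CR is applied. The configuration dicts are constructed to mirror the page's YAML (the ARN and account id are the page's own placeholders); in practice you would load them with `yaml.safe_load()` from the CR and `config.yaml`. The function and variable names are this example's own.

```python
# Added example: static consistency checks for Secret Agent wiring.
# Not part of the Aerospike docs or the Secret Agent project; all names are
# this example's own. Configs are constructed dicts mirroring the page's YAML.
from typing import Any, Dict, List, Optional, Tuple

SECRET_PREFIX = "secrets:"


def parse_secret_ref(value: Any) -> Optional[Tuple[Optional[str], str]]:
    """Parse a `secrets:[resource:]key` reference into (resource, key).

    Returns None for values that are not secret references. The resource is
    None for the shorthand `secrets:key` form. Raises ValueError when the
    reference is malformed (empty resource or key, too many ':' separators).
    """
    if not isinstance(value, str) or not value.startswith(SECRET_PREFIX):
        return None
    parts = value[len(SECRET_PREFIX):].split(":")
    if len(parts) > 2:
        raise ValueError(f"too many ':' separators in {value!r}")
    if not parts[-1]:
        raise ValueError(f"empty key in {value!r}")
    if len(parts) == 1:
        return None, parts[0]
    if not parts[0]:
        raise ValueError(f"empty resource name in {value!r}")
    return parts[0], parts[1]


def walk_secret_refs(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Return (config_path, raw_value) for every `secrets:` string in a nested config."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, child in node.items():
            found.extend(walk_secret_refs(child, f"{path}.{key}" if path else str(key)))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            found.extend(walk_secret_refs(child, f"{path}[{index}]"))
    elif isinstance(node, str) and node.startswith(SECRET_PREFIX):
        found.append((path, node))
    return found


def check_wiring(aerospike_config: Dict[str, Any], agent_config: Dict[str, Any],
                 sidecar_args: List[str], mount_path: str) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    findings: List[str] = []

    # Resources declared under any backend (aws, gcp, ...) of the agent config.
    declared = set()
    for backend in agent_config.get("secret-manager", {}).values():
        declared.update(backend.get("resources", {}).keys())

    # Every secrets: reference in aerospikeConfig must name a declared resource.
    for path, raw in walk_secret_refs(aerospike_config):
        try:
            resource, _key = parse_secret_ref(raw)
        except ValueError as exc:
            findings.append(f"{path}: {exc}")
            continue
        if resource is None:
            findings.append(f"{path}: {raw!r} omits the resource; Secret Agent 1.3.0+ requires secrets:resource:key")
        elif resource not in declared:
            findings.append(f"{path}: resource {resource!r} is not declared in the agent config")

    # The port in secrets-address-port ("AGENT_IP AGENT_LISTEN_PORT [TLS_NAME]")
    # must match the port of the agent's tcp endpoint.
    fields = aerospike_config.get("service", {}).get("secrets-address-port", "").split()
    endpoint = agent_config.get("service", {}).get("tcp", {}).get("endpoint", "")
    agent_port = endpoint.rsplit(":", 1)[-1]
    if len(fields) < 2:
        findings.append("service.secrets-address-port: expected 'AGENT_IP AGENT_LISTEN_PORT [TLS_NAME]'")
    elif fields[1] != agent_port:
        findings.append(f"service.secrets-address-port: port {fields[1]} but agent listens on {endpoint!r}")

    # The sidecar's -config-file argument must point inside the mounted secret volume.
    for arg in sidecar_args:
        if arg.startswith("-config-file="):
            config_file = arg.split("=", 1)[1]
            if not config_file.startswith(mount_path.rstrip("/") + "/"):
                findings.append(f"sidecar: {config_file} is outside the mount path {mount_path}")

    # Static AWS keys in config.yaml are a test-only shortcut (see the note on the page).
    aws = agent_config.get("secret-manager", {}).get("aws", {})
    if "access-key-id" in aws or "secret-access-key" in aws:
        findings.append("secret-manager.aws: static access keys configured; prefer workload identity/IRSA")
    return findings


# Constructed sample input mirroring the page's YAML.
AGENT_CONFIG = {
    "service": {"tcp": {"endpoint": "0.0.0.0:3005"}},
    "secret-manager": {"aws": {
        "region": "us-west-1",
        "resources": {"TestingSecret": "arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j"},
        "access-key-id": "ACCESS_KEY_ID",
        "secret-access-key": "SECRET_ACCESS_KEY",
    }},
    "log": {"level": "info"},
}
AEROSPIKE_CONFIG = {
    "service": {"feature-key-file": "secrets:TestingSecret:FeatureKey",
                "secrets-address-port": "127.0.0.1 3005"},
    "security": {},
}
SIDECAR_ARGS = ["-config-file=/etc/aerospike/secret-agent/config.yaml"]
MOUNT_PATH = "/etc/aerospike/secret-agent"

if __name__ == "__main__":
    for finding in check_wiring(AEROSPIKE_CONFIG, AGENT_CONFIG, SIDECAR_ARGS, MOUNT_PATH):
        print("WARN", finding)
```

Run against the page's own example, the only finding is the static-credential warning, which is exactly what the note in `config.yaml` calls out. The check is deliberately strict about the resource segment: the shorthand `secrets:key` is reported because Secret Agent 1.3.0 and later always validate the resource name, so a reference that omits it fails at runtime rather than at review time.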

For more information, see [Aerospike Secret Management Services](https://aerospike.com/docs/database/manage/security/secrets).