Secrets Manager Integration

The Agent CLI supports integration with the major secrets management systems (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and HashiCorp Vault), allowing you to store sensitive credentials outside of the bigeye_agent.yml configuration file instead of writing passwords into it directly.

How It Works

  1. Set up a secrets manager integration during the initial ./bigeye-agent install command or afterwards by running ./bigeye-agent configure secrets_manager.
  2. After configuring, the next time you add a connection via ./bigeye-agent add-connector, the Agent CLI will prompt you for the secret reference rather than the password.
  3. For each secret reference, the CLI:
    • Connects to your configured secrets manager
    • Fetches the secret value
    • Encrypts the value using the Bigeye agent's encryption
    • Writes the encrypted value to the appropriate configuration file
  4. The secret reference metadata is saved in bigeye_agent.yml for future updates.
  5. The actual secret value is never stored in plain text in bigeye_agent.yml.
  6. If you rotate passwords in the secrets manager, run ./bigeye-agent sync --refresh-credentials to re-fetch and re-encrypt all secrets.

Configuring a Secrets Manager

# During initial setup
./bigeye-agent install

# Or configure/reconfigure at any time
./bigeye-agent configure secrets_manager

Supported Secrets Managers

AWS Secrets Manager

secrets_manager:
  type: aws_secrets_manager
  region: us-east-1  # Optional, defaults to us-east-1

Authentication uses AWS credentials from:

  • Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  • IAM role
  • AWS CLI configuration (~/.aws/credentials)

Azure Key Vault

secrets_manager:
  type: azure_key_vault
  vault_url: https://my-keyvault.vault.azure.net/

Authentication uses Azure credentials from:

  • Environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
  • Managed Identity (for Azure VMs, App Services, etc.)
  • Azure CLI authentication

GCP Secret Manager

secrets_manager:
  type: gcp_secret_manager
  project_id: my-gcp-project  # Required

Authentication uses GCP credentials from:

  • Environment variable: GOOGLE_APPLICATION_CREDENTIALS (path to service account JSON)
  • Application Default Credentials (for GCE, Cloud Run, Cloud Functions, etc.)

HashiCorp Vault

secrets_manager:
  type: hashicorp_vault
  vault_addr: https://vault.example.com:8200  # Required (or use VAULT_ADDR env var)
  namespace: my-namespace  # Optional, for Vault Enterprise
  mount_point: secret  # Optional, defaults to 'secret' for KV v2

Authentication uses Vault credentials from:

  • Environment variable: VAULT_TOKEN
  • AppRole: VAULT_ROLE_ID and VAULT_SECRET_ID environment variables
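The following pre-flight check is an added example, not part of the Bigeye Agent CLI: it validates a secrets_manager block against the keys and authentication sources listed above, without contacting any secrets manager. It assumes the block has already been loaded from bigeye_agent.yml into a dict (for example with yaml.safe_load); the https-only rule is this example's own policy, not a requirement stated on this page.

```python
import os

# Per-backend schema as listed on this page: required and optional keys, the
# environment-variable sets that count as an explicit credential source, and
# the implicit mechanism the CLI otherwise falls back on (None = no fallback).
BACKENDS = {
    "aws_secrets_manager": dict(required=(), optional=("region",),
        env_sets=(("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),),
        implicit="IAM role or ~/.aws/credentials"),
    "azure_key_vault": dict(required=("vault_url",), optional=(),
        env_sets=(("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"),),
        implicit="Managed Identity or Azure CLI login"),
    "gcp_secret_manager": dict(required=("project_id",), optional=(),
        env_sets=(("GOOGLE_APPLICATION_CREDENTIALS",),),
        implicit="Application Default Credentials"),
    "hashicorp_vault": dict(required=(), optional=("vault_addr", "namespace", "mount_point"),
        env_sets=(("VAULT_TOKEN",), ("VAULT_ROLE_ID", "VAULT_SECRET_ID")),
        implicit=None),
}

def check_secrets_manager(block, env=None):
    """Return (level, message) findings for one secrets_manager block.
    ERROR means the CLI cannot use the block as configured; WARN and INFO are advisory."""
    env = os.environ if env is None else env
    findings = []
    spec = BACKENDS.get(block.get("type"))
    if spec is None:
        return [("ERROR", f"unsupported type: {block.get('type')!r}")]
    for key in spec["required"]:
        if not block.get(key):
            findings.append(("ERROR", f"missing required key: {key}"))
    for key in block:
        if key != "type" and key not in spec["required"] + spec["optional"]:
            findings.append(("WARN", f"unknown key ignored: {key}"))
    # Vault's address may come from the config file or from the VAULT_ADDR variable.
    if block["type"] == "hashicorp_vault" and not (block.get("vault_addr") or env.get("VAULT_ADDR")):
        findings.append(("ERROR", "vault_addr not set and VAULT_ADDR not in environment"))
    # Assumed policy (not from the page): the secrets endpoint must be reached over TLS.
    for key in ("vault_url", "vault_addr"):
        if key in block and not str(block[key]).startswith("https://"):
            findings.append(("WARN", f"{key} is not an https:// URL"))
    # A complete env-var set is an explicit credential; otherwise report the fallback.
    if not any(all(v in env for v in s) for s in spec["env_sets"]):
        if spec["implicit"] is None:
            findings.append(("ERROR", "no VAULT_TOKEN and no VAULT_ROLE_ID/VAULT_SECRET_ID in environment"))
        else:
            findings.append(("INFO", f"no explicit credentials in environment; relying on {spec['implicit']}"))
    return findings

def is_usable(findings):
    """True when no finding is an ERROR."""
    return not any(level == "ERROR" for level, _ in findings)
```

Run it against the loaded block before ./bigeye-agent add-connector so a missing project_id or an absent Vault token is caught before the CLI tries to fetch secrets.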

Refreshing Credentials

After rotating passwords in your secrets manager:

./bigeye-agent sync --refresh-credentials

This re-fetches all secret references from the secrets manager, re-encrypts them, and updates the agent configuration files.