Secrets Manager Integration

Securely store credentials using external secrets managers

The Agent CLI supports integration with the major secrets management systems listed below, so sensitive credentials can be stored outside the bigeye_agent.yml configuration file.

How It Works

  1. Set up a secrets manager integration during the initial ./bigeye-agent install command or afterwards by running ./bigeye-agent configure secrets_manager.
  2. Once a secrets manager is configured, the next time you add a connection with ./bigeye-agent add-connector the Agent CLI prompts for a secret reference instead of a password.
  3. For each secret reference, the CLI:
    • Connects to your configured secrets manager
    • Fetches the secret value
    • Encrypts the value using the Bigeye agent's encryption
    • Writes the encrypted value to the appropriate configuration file
  4. The secret reference metadata is saved in bigeye_agent.yml for future updates.
  5. The actual secret value is never stored in plain text in bigeye_agent.yml.
  6. If you rotate passwords in the secrets manager, run ./bigeye-agent sync --refresh-credentials to re-fetch and re-encrypt all secrets.

Configuring a Secrets Manager

# During initial setup
./bigeye-agent install

# Or configure/reconfigure at any time
./bigeye-agent configure secrets_manager

Supported Secrets Managers

AWS Secrets Manager

secrets_manager:
  type: aws_secrets_manager
  region: us-east-1  # Optional, defaults to us-east-1

Authentication uses AWS credentials from:

  • Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  • IAM role
  • AWS CLI configuration (~/.aws/credentials)

Azure Key Vault

secrets_manager:
  type: azure_key_vault
  vault_url: https://my-keyvault.vault.azure.net/

Authentication uses Azure credentials from:

  • Environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
  • Managed Identity (for Azure VMs, App Services, etc.)
  • Azure CLI authentication

GCP Secret Manager

secrets_manager:
  type: gcp_secret_manager
  project_id: my-gcp-project  # Required

Authentication uses GCP credentials from:

  • Environment variable: GOOGLE_APPLICATION_CREDENTIALS (path to service account JSON)
  • Application Default Credentials (for GCE, Cloud Run, Cloud Functions, etc.)

HashiCorp Vault

secrets_manager:
  type: hashicorp_vault
  vault_addr: https://vault.example.com:8200  # Required (or use VAULT_ADDR env var)
  namespace: my-namespace  # Optional, for Vault Enterprise
  mount_point: secret  # Optional, defaults to 'secret' for KV v2

Authentication uses Vault credentials from:

  • Environment variable: VAULT_TOKEN
  • AppRole: VAULT_ROLE_ID and VAULT_SECRET_ID environment variables
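As an added pre-flight check (example code, not part of the Bigeye agent), the script below parses a secrets_manager block in the form shown above and reports, before you run ./bigeye-agent configure secrets_manager, whether the documented required fields and credential environment variables are present. The sample block is constructed; treating vault_url as required and warning on non-https endpoints are this example's own assumptions, not documented agent behaviour.

```python
# Constructed sample of the secrets_manager block shown in the docs (not a real deployment).
SAMPLE_VAULT_BLOCK = """secrets_manager:
  type: hashicorp_vault
  vault_addr: https://vault.example.com:8200  # Required (or use VAULT_ADDR env var)
  mount_point: secret  # Optional, defaults to 'secret' for KV v2
"""

# Env-var sets the docs list as credential sources, per secrets manager type.
AUTH_ENV = {
    "aws_secrets_manager": [{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}],
    "azure_key_vault": [{"AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"}],
    "gcp_secret_manager": [{"GOOGLE_APPLICATION_CREDENTIALS"}],
    "hashicorp_vault": [{"VAULT_TOKEN"}, {"VAULT_ROLE_ID", "VAULT_SECRET_ID"}],
}
# Types that can fall back to ambient identity (IAM role, Managed Identity, ADC).
AMBIENT_FALLBACK = {"aws_secrets_manager", "azure_key_vault", "gcp_secret_manager"}
# Fields treated as required per type (vault_url required is an assumption of this example).
REQUIRED = {"azure_key_vault": "vault_url", "gcp_secret_manager": "project_id"}

def parse_block(text: str) -> dict[str, str]:
    """Parse the flat 'secrets_manager:' block ('key: value  # comment') into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop inline comment and indentation
        if line and line != "secrets_manager:":
            key, _, value = line.partition(":")  # first ':' only, so URLs keep theirs
            cfg[key.strip()] = value.strip()
    return cfg

def check_config(cfg: dict[str, str], env: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a parsed block checked against an environment mapping."""
    errors, warnings = [], []
    kind = cfg.get("type")
    if kind not in AUTH_ENV:
        return [f"unknown or missing type: {kind!r}"], warnings
    if kind in REQUIRED and not cfg.get(REQUIRED[kind]):
        errors.append(f"{kind} requires {REQUIRED[kind]}")
    if kind == "hashicorp_vault" and not (cfg.get("vault_addr") or env.get("VAULT_ADDR")):
        errors.append("hashicorp_vault requires vault_addr or the VAULT_ADDR env var")
    # Added check: the endpoint should be https so fetched secrets never transit in clear text.
    for field in ("vault_url", "vault_addr"):
        if cfg.get(field) and not cfg[field].startswith("https://"):
            warnings.append(f"{field} is not https: {cfg[field]}")
    # Any one complete env-var set satisfies the documented credential sources.
    if not any(s.issubset(env) for s in AUTH_ENV[kind]):
        if kind in AMBIENT_FALLBACK:
            warnings.append(f"no credential env vars for {kind}; relying on ambient identity")
        else:
            errors.append("hashicorp_vault needs VAULT_TOKEN or VAULT_ROLE_ID/VAULT_SECRET_ID")
    return errors, warnings
```

Run check_config(parse_block(block_text), dict(os.environ)) on the secrets_manager block from your own bigeye_agent.yml: errors are conditions the docs list as required, warnings are fallbacks to ambient identity or the added TLS caution.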

Refreshing Credentials

After rotating passwords in your secrets manager:

./bigeye-agent sync --refresh-credentials

This re-fetches all secret references from the secrets manager, re-encrypts them, and updates the agent configuration files.