Automatic Migration

Introduction

Automatic migration allows importing static secrets into Akeyless from other secrets management platforms. This feature is available as part of the Akeyless Gateway functionality.

Supported platforms

Currently, you can import static secrets from the following platforms:

  • Kubernetes
  • AWS Secrets Manager
  • Azure Key Vault
  • GCP Secrets Manager
  • Hashicorp Vault

General configuration

The following options are available when importing secrets from other secrets management platforms:

  • Name. This is an arbitrary name for the migration object.

  • Target location. This is where secrets are created in Akeyless.

For example, when importing secrets from Kubernetes, it may be a good idea to put them all under the
/kubernetes path. Or if there are multiple Kubernetes clusters, under /kubernetes/staging or similar.

After the migration, new secrets will be available under the specified path. If the location is not provided, the secrets will be created in the root / folder of your account.

  • Protect secrets with the following key. This required field allows selecting the encryption key for the protection of imported secrets. This property will enable you to use Zero-Knowledge Encryption.

Note

If there are existing secrets under the Target location, their values will be replaced in case of conflict. This can happen if you leave the "Target location" field blank and a new secret has the same name as the existing one.

Tip

Before getting started, ensure that the platform where the secrets are stored is accessible over the network from the Akeyless Gateway server. Depending on the deployment, it might require adding an Akeyless Gateway IP address to a security group or a firewall.

Kubernetes

Akeyless supports secrets migration from Kubernetes Secrets using the Kubernetes API.

Three types of authentication are available:

  • Bearer token
  • Certificate
  • Password

For any Kubernetes authentication method, the following options are available:

  • Cluster URL endpoint - This is the URL of the Kubernetes API server (including scheme and port, for example, https://k8s-api.mycompany.com:6443).

  • Cluster CA Certificate - Optional Certificate Authority data in case the server is accessed over HTTPS. This value can be found in your ~/.kube/config file, under the certificate-authority-data property of the cluster with the existing secrets. There is no need to base64-decode this value. It should be used as-is. If no value is provided, an insecure connection is used, which is discouraged.

  • Namespace - Use this field to import secrets from a particular namespace only. By default, the secrets are imported from all namespaces.

  • Skip Control Plane Secrets - This flag skips secrets from system namespaces (the ones whose names begin with kube-). If you need to import secrets from all namespaces, including the system ones, uncheck this flag.

Tip

When choosing an authentication method to access your Kubernetes cluster, ensure that the credentials you provide have sufficient privileges to list and get secrets in the namespace(s) you selected.

Bearer token authentication

For servers that support Bearer Token authentication, use the Token authentication method. Make sure that the token has not expired when it is used.

Certificate authentication

For servers that use client certificates for authentication, use the Certificate authentication method when creating a new migration.

Password authentication

For servers that allow username/password authentication, use the Password authentication method.
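The following preflight script is an added example (it is not Akeyless code) for the Kubernetes options and the privileges tip above. It takes the same inputs as the migration dialog (cluster URL, certificate-authority-data exactly as copied from kubeconfig, a bearer token, an optional namespace) and asks the API server, via a standard SelfSubjectAccessReview, whether that token may list and get secrets; the helper names and the sample CA value are constructed for illustration.

```python
"""Preflight for a Kubernetes -> Akeyless migration (added example, not Akeyless code).
Assumes the Bearer-token method; helper names and sample values are constructed."""
import base64
import json
import ssl
import tempfile
import urllib.request

# Constructed stand-in for a kubeconfig certificate-authority-data value:
# it is base64 of a PEM bundle and is passed to the dialog without decoding.
SAMPLE_CA_DATA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB(not a real cert)\n-----END CERTIFICATE-----\n"
).decode()

def ca_bundle_from_kubeconfig_value(ca_data):
    """Decode the as-is base64 value to PEM and return a file path a TLS client can use."""
    pem = base64.b64decode(ca_data).decode()
    if "BEGIN CERTIFICATE" not in pem:
        raise ValueError("certificate-authority-data does not decode to a PEM bundle")
    f = tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False)
    f.write(pem)
    f.close()
    return f.name

def is_control_plane_namespace(name):
    """What 'Skip Control Plane Secrets' excludes: namespaces beginning with kube-."""
    return name.startswith("kube-")

def access_review(verb, namespace=None):
    """Body of a SelfSubjectAccessReview asking 'can I <verb> secrets?'.
    namespace=None asks cluster-wide, matching an all-namespaces migration."""
    attrs = {"verb": verb, "resource": "secrets"}
    if namespace:
        attrs["namespace"] = namespace
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}

def check_token_can_read_secrets(api_url, token, ca_data, namespace=None):
    """POST one review per verb the migration needs; returns {verb: allowed}.
    Needs network reachability to the API server, like the Gateway itself."""
    ctx = ssl.create_default_context(cafile=ca_bundle_from_kubeconfig_value(ca_data))
    results = {}
    for verb in ("list", "get"):
        req = urllib.request.Request(
            api_url.rstrip("/") + "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
            data=json.dumps(access_review(verb, namespace)).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            results[verb] = json.load(resp)["status"].get("allowed", False)
    return results
```

If either verb comes back False for the namespace you selected, the migration will fail to read those secrets, so fix the RBAC binding before creating the migration object.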

AWS Secrets Manager

To import secrets from AWS Secrets Manager, you need to provide access credentials of a user with sufficient permissions to get all secrets. The required configuration includes AWS Access Key ID, AWS Secret Access Key, and an AWS region.

Azure Key Vault

To import secrets from Azure Key Vault, you need to create an Azure AD app with a service principal. Access credentials and the unique Key Vault name must be provided in the configuration dialog.

GCP Secrets Manager

To import secrets from GCP Secrets Manager, you need to provide a GCP Service Account Key in the JSON format with sufficient permissions to get all secrets.

Tip

A GCP Service Account is a type of Google account intended for non-human users. Authentication with this account is required to fetch information over Google APIs.

The minimum required permissions to access the secret payload can be acquired from the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).

Hashicorp Vault

To import secrets from Hashicorp Vault into Akeyless, you need to create a new access token or use the existing one with sufficient permissions. You also need to provide a full URL of the Hashicorp Vault API server.

For migration from Hashicorp Vault Enterprise, namespaces can be configured. Provide a comma-separated list of the namespaces to be imported into Akeyless Vault. For every namespace provided, all of its child namespaces are imported as well.

Example: nmsp/subnmsp1/subnmsp2,nmsp/anothernmsp

Akeyless supports migration from the kv secrets engine, versions 1 and 2. For v2 migrations, when multiple versions of a secret exist, only the current version is imported.
