Automatic migration allows importing static secrets into Akeyless from other secrets management platforms. This feature is available as part of the Akeyless Gateway functionality.
Currently, you can import static secrets from the following platforms:
The following options are available when importing secrets from other secrets management platforms:
- Name. An arbitrary name for the migration object.
- Target location. The path in Akeyless under which the imported secrets are created. For example, when importing secrets from Kubernetes, it may be a good idea to put them all under the /kubernetes path, or, if there are multiple Kubernetes clusters, under /kubernetes/staging or similar. After the migration, the new secrets are available under the specified path. If no location is provided, the secrets are created in the root / folder of your account.
- Protect secrets with the following key. This required field selects the encryption key that protects the imported secrets. This property lets you use Zero-Knowledge Encryption.
If secrets already exist under the Target location, their values are replaced on conflict. This can happen, for example, if you leave the "Target location" field blank and a newly imported secret has the same name as an existing one.
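Because conflicting names are overwritten rather than rejected, it is worth planning target paths before saving a migration. The script below is an added example, not part of Akeyless or its documentation: it takes a constructed inventory of secret names from two Kubernetes clusters, maps each one to the Akeyless path it would land at for a given Target location, and reports paths that more than one secret would be written to. The {cluster} and {namespace} placeholders are an assumption of the example that makes "one migration per cluster, each with its own Target location" easy to simulate; the real dialog takes one fixed path per migration.

```shell
# Constructed inventory (sample names only, no real secret material) of
# Kubernetes secrets discovered in two clusters, one per line:
#   <cluster> <namespace> <secret-name>
INVENTORY='staging default db-credentials
staging payments api-key
production default db-credentials
production payments api-key
production kube-system bootstrap-token'

# akeyless_paths TARGET_TEMPLATE
# Prints the Akeyless path each inventory entry would be written to. The
# template may use {cluster} and {namespace} placeholders (an assumption of
# this example; the migration dialog takes one fixed path). An empty template
# models leaving Target location blank, which puts every secret directly
# under the root folder "/".
akeyless_paths() {
  template=$1
  printf '%s\n' "$INVENTORY" | while read -r cluster ns name; do
    base=$(printf '%s' "$template" | sed "s|{cluster}|$cluster|g; s|{namespace}|$ns|g")
    printf '%s/%s\n' "${base%/}" "$name"
  done
}

# collisions TARGET_TEMPLATE
# Prints every path that two or more inventory entries map to. Under the
# replace-on-conflict behaviour of the migration, each such path is a secret
# whose value would be silently overwritten by a later import.
collisions() {
  akeyless_paths "$1" | sort | uniq -d
}

# preflight TARGET_TEMPLATE
# Fails (exit 1) when the plan has collisions, so it can gate the migration.
preflight() {
  found=$(collisions "$1")
  if [ -n "$found" ]; then
    printf 'refusing to migrate: conflicting target paths:\n%s\n' "$found" >&2
    return 1
  fi
  echo "no target-path conflicts for template '${1:-/}'"
}

# Stand-alone demonstration: blank Target location vs. one path per cluster.
preflight '' || true
preflight '/kubernetes/{cluster}'
```

With the Target location left blank, db-credentials and api-key from the two clusters collapse onto /db-credentials and /api-key, and whichever migration runs last wins; a per-cluster path such as /kubernetes/staging keeps them apart.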
Before getting started, ensure that the platform where the secrets are stored is accessible over the network from the Akeyless Gateway server. Depending on the deployment, it might require adding an Akeyless Gateway IP address to a security group or a firewall.
Akeyless supports secrets migration from Kubernetes Secrets using the Kubernetes API.
Three types of authentication are available:
- Bearer token
- Certificate
- Password
For any Kubernetes authentication method, the following options are available:
- Cluster URL endpoint - The URL of the Kubernetes API server, including scheme and port (for example, https://k8s-api.mycompany.com:6443).
- Cluster CA Certificate - Optional Certificate Authority data for when the server is accessed over HTTPS. This value can be found in your ~/.kube/config file, under the certificate-authority-data property of the cluster that holds the secrets. Do not base64-decode this value; use it as-is. If no value is provided, an insecure connection is used, which is discouraged.
- Namespace - Use this field to import secrets from a particular namespace only. By default, secrets are imported from all namespaces.
- Skip Control Plane Secrets - This flag avoids importing secrets from system namespaces (those whose names begin with kube-). If you need to import secrets from all namespaces, uncheck this flag.
When choosing an authentication method to access your Kubernetes cluster, ensure that the credentials you provide have sufficient privileges to list and get secrets in the namespace(s) you selected.
Bearer token authentication
For servers that support bearer token authentication, use the Token authentication method. Make sure the token has not expired when it is used.
For servers that use client certificates for authentication, use the Certificate authentication method when creating a new migration.
For servers that allow username/password authentication, use the Password authentication method.
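The Kubernetes prerequisites above (a credential that can list and get secrets in the chosen namespace, a CA value taken from ~/.kube/config without decoding it, and a token that is still valid when the migration runs) can be prepared and checked from a shell. The script below is an added example and not Akeyless code: it assumes the Gateway authenticates with a bearer token issued to a dedicated service account, and the service-account, role and namespace names are placeholders chosen for the example. The kubeconfig it parses is a constructed sample with no real certificate data.

```shell
# Placeholder names for this example, not Akeyless defaults.
NAMESPACE="${NAMESPACE:-payments}"   # namespace whose secrets will be migrated
SA_NAME="akeyless-migration"

# Least-privilege RBAC for the migration identity: it only needs to
# enumerate (list) and read (get) Secret objects in the chosen namespace,
# so a namespaced Role is used rather than a ClusterRole. Printed to stdout
# so it can be reviewed before piping into `kubectl apply -f -`.
rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA_NAME
  namespace: $NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: $NAMESPACE
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $SA_NAME-secret-reader
  namespace: $NAMESPACE
subjects:
  - kind: ServiceAccount
    name: $SA_NAME
    namespace: $NAMESPACE
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# ca_data_from_kubeconfig KUBECONFIG_FILE CLUSTER_NAME
# Prints the certificate-authority-data of the named cluster exactly as it
# appears in the file (still base64-encoded), which is the form the
# "Cluster CA Certificate" field expects. Prints nothing if the cluster
# has no CA data, so the caller can notice it would fall back to insecure.
ca_data_from_kubeconfig() {
  awk -v want="$2" '
    /^clusters:/                                  { in_clusters = 1 }
    in_clusters && /^[A-Za-z]/ && !/^clusters:/   { in_clusters = 0 }
    in_clusters && /^- cluster:/                  { ca = "" }
    in_clusters && /certificate-authority-data:/  { ca = $2 }
    in_clusters && /^  name:/ { if ($2 == want && ca != "") print ca }
  ' "$1"
}

# verify_access KUBECONFIG_FILE
# Pre-flight check: confirm the service account may get and list secrets in
# NAMESPACE before saving the migration. Skipped when kubectl is absent.
verify_access() {
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found; skipping live access check" >&2
    return 0
  fi
  for verb in get list; do
    kubectl --kubeconfig "$1" auth can-i "$verb" secrets -n "$NAMESPACE" \
      --as="system:serviceaccount:$NAMESPACE:$SA_NAME" >/dev/null \
      || { echo "service account cannot $verb secrets in $NAMESPACE" >&2; return 1; }
  done
}

# issue_token
# Mints a short-lived bearer token for the service account (kubectl >= 1.24).
# A short lifetime limits exposure, but the migration must run before expiry.
issue_token() {
  kubectl create token "$SA_NAME" -n "$NAMESPACE" --duration=1h
}

# Constructed kubeconfig (no real certificate or credentials) used to show
# ca_data_from_kubeconfig; a real migration reads ~/.kube/config instead.
write_sample_kubeconfig() {
  cat >"$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
    server: https://k8s-api.mycompany.com:6443
  name: staging
- cluster:
    server: https://dev.internal:6443
  name: dev
contexts: []
users: []
EOF
}

# Stand-alone demonstration (needs no cluster): print the manifest for review
# and extract the CA value for the "staging" cluster from the sample file.
sample=$(mktemp)
write_sample_kubeconfig "$sample"
rbac_manifest
echo "Cluster CA Certificate for staging: $(ca_data_from_kubeconfig "$sample" staging)"
rm -f "$sample"
```

Against a live cluster the order would be: apply the manifest, run verify_access with the cluster's kubeconfig, then paste the output of issue_token and ca_data_from_kubeconfig into the migration dialog. An empty result from ca_data_from_kubeconfig means the connection would be made without server verification, which is exactly the insecure case the option text warns about.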
To import secrets from AWS Secrets Manager, you need to provide access credentials of a user with sufficient permissions to get all secrets. The required configuration includes AWS Access Key ID, AWS Secret Access Key, and an AWS region.
To import secrets from Azure Key Vault, you need to create an Azure AD app with a service principal. Access credentials and the unique Key Vault name must be provided in the configuration dialog.
To import secrets from GCP Secrets Manager, you need to provide a GCP Service Account Key in the JSON format with sufficient permissions to get all secrets.
A GCP service account is a type of Google account intended for non-human users (workloads rather than people). Authentication with this account is required to fetch information over Google APIs.
The minimum required permissions to access the secret payload can be acquired from the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).
To import secrets from HashiCorp Vault into Akeyless, you need to create a new access token or use an existing one with sufficient permissions. You also need to provide the full URL of the HashiCorp Vault API server.
For migrations from HashiCorp Vault Enterprise, namespaces can be configured. Provide a comma-separated list of the namespaces to import into Akeyless. For every namespace provided, all of its child namespaces are imported as well.
Akeyless supports migration from the kv secrets engine, versions 1 and 2. For v2, when a secret has multiple versions, only the current version is imported.