Kubernetes Targets

You can define a K8s target to be used with dynamic secrets for the following supported K8s types:

EKS

To create an EKS target, define the following parameters:

- Name: A unique name for the target. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the target.

- Access Key ID: The access key ID of the IAM user to be used to connect to the EKS cluster.

- Secret Access Key: The secret access key of the IAM user.

- Region: The region in which the cluster resides.

- EKS Cluster Name: The cluster name.

- EKS Cluster URL Endpoint: The URL of the cluster.

- EKS Cluster CA Certificate: A base64-encoded representation of the cluster CA certificate.

  -n, --name                      *Target name
      --comment                    Comment about the target
      --eks-cluster-name          *EKS cluster name
      --eks-cluster-endpoint      *EKS cluster endpoint (i.e., https://<IP> of the cluster)
      --eks-cluster-ca-cert       *EKS cluster base-64 encoded certificate
      --eks-access-key-id          EKS access key ID
      --eks-secret-access-key      EKS secret access key
      --eks-region[=us-east-2]     EKS region
  -k, --key                        Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.
      --profile                    Use a specific profile from your akeyless/profiles/ folder
      --username                   Optional username for various authentication flows
      --password                   Optional password for various authentication flows
      --uid-token                  The universal identity token, Required only for universal_identity authentication
  -h, --help                       display help information
      --json[=false]               Set output format to JSON
      --no-creds-cleanup[=false]   Do not clean local temporary expired creds

GKE

To create a GKE target, define the following parameters:

- Name: A unique name for the target. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the target.

- GKE Cluster Name (optional): The GKE cluster name. If no value is configured, this will default to gks-cluster-< service account name >.

- GKE Cluster CA Certificate: A base64-encoded representation of the cluster CA certificate.

- GKE Cluster URL Endpoint: The URL of the cluster.

- GKE Service Account Email: The email of the service account.

- GKE Service Account Key: The RSA private key generated for this service account. This must be a proper PEM-encoded PKCS1 or PKCS8 private key. The input string must contain actual newlines instead of literal \n characters.

  -n, --name                       *Target name
      --comment                     Comment about the target
      --gke-account-email          *GKE service account email
      --gke-account-key-file-path   File path to GKE service account key
      --gke-account-key             GKE service account key
      --gke-cluster-endpoint       *GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>.
      --gke-cluster-ca-cert        *GKE Base-64 encoded cluster certificate
      --gke-cluster-name            GKE cluster name
  -k, --key                         Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used
      --profile                     Use a specific profile from your akeyless/profiles/ folder
      --username                    Optional username for various authentication flows
      --password                    Optional password for various authentication flows
      --uid-token                   The universal identity token, Required only for universal_identity authentication
  -h, --help                        display help information
      --json[=false]                Set output format to JSON
      --no-creds-cleanup[=false]    Do not clean local temporary expired creds
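
A pre-flight check for the two encoded inputs above, as an added example that is not part of the Akeyless documentation or CLI: it turns a key pasted with literal \n sequences into one with real newlines, confirms it is a single PKCS1 or PKCS8 PEM block, and checks the CA certificate value. It assumes the CA value is the base64 of a PEM certificate (as in a kubeconfig's certificate-authority-data field); the function names and sample bytes are constructed, and the check is structural only (it does not parse the key itself).

```python
import base64
import binascii
import re

# PEM labels matching the two key formats the page accepts.
KEY_FORMATS = {"RSA PRIVATE KEY": "PKCS1", "PRIVATE KEY": "PKCS8"}
PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+)\n-----END \1-----\n\Z")

def pem_label(text):
    """Return the label of a single well-formed PEM block, else raise ValueError."""
    m = PEM_RE.match(text.strip() + "\n")
    if not m:
        raise ValueError("not a single well-formed PEM block")
    try:
        base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except binascii.Error:
        raise ValueError("PEM body is not valid base64") from None
    return m.group(1)

def check_sa_key(raw):
    """Return (format, key text with real newlines) for a service account key."""
    # Keys pasted from a JSON file carry literal backslash-n; make them real newlines.
    key = raw.replace("\\r\\n", "\n").replace("\\n", "\n").replace("\r\n", "\n")
    label = pem_label(key)
    if label not in KEY_FORMATS:
        raise ValueError(f"unsupported PEM type: {label}")
    return KEY_FORMATS[label], key

def check_ca_cert(b64_value):
    """Decode the CA certificate value and confirm it wraps a PEM CERTIFICATE."""
    # Assumption: the value is base64 of PEM text, as in a kubeconfig file.
    try:
        pem = base64.b64decode(b64_value.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("value is not base64 of PEM text") from None
    if pem_label(pem) != "CERTIFICATE":
        raise ValueError("decoded value is not a CERTIFICATE block")
    return pem

# Constructed sample: placeholder bytes, not key material, with the literal
# "\n" sequences a key has when copied out of a JSON document.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a key").decode()
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\\n" + SAMPLE_BODY +
              "\\n-----END PRIVATE KEY-----\\n")

if __name__ == "__main__":
    fmt, key = check_sa_key(SAMPLE_KEY)
    print(fmt, "key normalized to", key.count("\n"), "lines")
```

Write the normalized key to a file readable only by its owner and pass that path with --gke-account-key-file-path, which keeps the key out of shell history and process listings.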

K8S Generic

To create a Generic K8s target, define the following parameters:

- Name: A unique name for the target. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the target.

- k8s-cluster-endpoint: The DNS name or IP address of the cluster, in https:// format.

- k8s-cluster-ca-cert: The Base64-encoded cluster certificate.

- k8s-cluster-token: A JWT authentication token authorized to create service account tokens.

  -n, --name                      *Target name
  -e, --k8s-cluster-endpoint      *K8S Cluster endpoint. https:// , <DNS / IP> of the cluster.
  -c, --k8s-cluster-ca-cert       *K8S Cluster certificate. Base 64 encoded certificate.
  -t, --k8s-cluster-token         *K8S Cluster authentication token.
  -k, --key                        Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.
      --comment                    Comment about the target
      --profile                    Use a specific profile from your akeyless/profiles/ folder
      --username                   Optional username for various authentication flows
      --password                   Optional password for various authentication flows
      --uid-token                  The universal identity token, Required only for universal_identity authentication
  -h, --help                       display help information
      --json[=false]               Set output format to JSON
      --no-creds-cleanup[=false]   Do not clean local temporary expired creds
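
Before storing a cluster token in a generic target, it helps to confirm which service account it belongs to and whether it expires. The following added example (not Akeyless or Kubernetes project code) decodes the token's claims without verifying the signature; the function names, namespace and account name are constructed for illustration.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_k8s_token(token, now=None):
    """Summarize a service account JWT: identity and remaining lifetime.

    The signature is not checked here; only the cluster can do that. The aim
    is to confirm which identity is about to be stored in the target.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = _b64url_json(parts[1])
    sub = claims.get("sub", "")
    fields = sub.split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"subject is not a service account: {sub!r}")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "namespace": fields[2],
        "service_account": fields[3],
        # No "exp" claim means the token carries no expiry of its own.
        "seconds_left": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
    }

def make_sample_token(claims):
    """Build a constructed token for the demo; the signature part is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    # Constructed claims: namespace "demo-ns", account "token-creator".
    sample = make_sample_token(
        {"sub": "system:serviceaccount:demo-ns:token-creator",
         "exp": 2_000_000_000})
    print(inspect_k8s_token(sample, now=1_900_000_000))
```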
