
Secret management

Configure secret management for your self-hosted platform

Overview

Platform Options

  • HashiCorp Vault
  • GCP Secret Manager
  • AWS Secrets Manager

Key Features

  • Secrets management
  • Encryption key storage
  • Secure credentials handling
  • Private key management

Deployment options

GCP Secret Manager Setup

Enable the Secret Manager API

  • Go to Google Cloud Console
  • Navigate to Secret Manager
  • Enable the Secret Manager API for your project

Create Service Account

  • Navigate to IAM & Admin > Service Accounts
  • Create a new service account
  • Grant the following roles:
    • Secret Manager Admin (this role can create, read and delete every secret in the project, so bind it on a project dedicated to the platform rather than on a shared one)

Download Credentials

  • Create and download a JSON key for the service account
  • Keep this file secure - you'll need it during platform installation. It is a long-lived credential that carries the Secret Manager Admin role: store it outside the repository, restrict its file permissions, and treat any values.yaml that embeds it as a secret too

GCP Secret Manager provides:

  • Fully managed service
  • Automatic replication
  • Fine-grained IAM controls
  • Audit logging

Helm Chart Values:

# values.yaml for Helm installation
gcpSecretManager:
  # -- Enable Google Secret Manager integration
  enabled: true
  # -- The Google Cloud project ID
  projectId: "your-project-id"
  # -- The Google Cloud service account credentials JSON
  credentials: |
    {
      // Your service account JSON key
    }

Make sure to:

  1. Enable Google Secret Manager in your Helm values
  2. Use the same project ID and credentials as in your platform configuration
  3. Paste the entire downloaded key file into credentials as a YAML literal block (the | scalar), indented under the key. The { // ... } shown above is only a placeholder and is not valid JSON; the real key is a JSON object with type, project_id, private_key and client_email fields

Information collection

Required values for platform installation

Choose one of the following configurations for your Helm values:

For GCP Secret Manager:

  • GCP Project ID
  • Service Account JSON key
# values.yaml
vault:
  enabled: false
awsSecretManager:
  enabled: false
gcpSecretManager:
  enabled: true
  projectId: "your-project-id"
  credentials: |
    {
      // Your service account JSON key
    }

For HashiCorp Vault:

  • Vault address/endpoint
  • Role ID
  • Secret ID
  • Namespace (if using HCP Vault: admin)
# values.yaml
gcpSecretManager:
  enabled: false
awsSecretManager:
  enabled: false
vault:
  enabled: true
  address: "https://vault-cluster.hashicorp.cloud:8200"
  namespace: "admin" # Required for HCP Vault
  roleId: "your-role-id"
  secretId: "your-secret-id"

For AWS Secrets Manager:

  • AWS Region
  • AWS Access Key ID
  • AWS Secret Access Key
# values.yaml
vault:
  enabled: false
gcpSecretManager:
  enabled: false
awsSecretManager:
  enabled: true
  region: "your-aws-region"
  accessKeyId: "your-access-key-id"
  secretAccessKey: "your-secret-access-key"

Make sure to:

  1. Enable only one secret management solution
  2. Explicitly disable all other secret management options by setting enabled: false, using the exact keys vault, awsSecretManager and gcpSecretManager (Helm ignores a misspelled key, so nothing gets disabled)
  3. Provide all required values for your chosen solution and replace every placeholder value
  4. Keep this values.yaml out of version control: it now embeds the AWS secret access key, the Vault secret ID or the GCP service account key
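
The checks in that list can be run before handing the file to Helm. The following script is an added example, not part of the platform's chart: it assumes the values file has already been loaded into a dict (for instance with yaml.safe_load) and that the keys are exactly the three shown on this page. The sample inputs at the bottom are constructed, with fake key material.

```python
"""Preflight check for the secret-management keys of values.yaml.

Added example, not part of the platform's Helm chart. It assumes the values
file has already been loaded into a dict (for instance with yaml.safe_load)
and that the keys are exactly the ones shown on this page: vault,
awsSecretManager and gcpSecretManager, each carrying an `enabled` flag.
"""
import json

# Required keys per backend, as listed under "Information collection".
BACKENDS = {
    "vault": ("address", "roleId", "secretId"),
    "awsSecretManager": ("region", "accessKeyId", "secretAccessKey"),
    "gcpSecretManager": ("projectId", "credentials"),
}
# Values copied verbatim from the docs ("your-project-id", ...) are not real config.
PLACEHOLDER_PREFIX = "your-"


def check_gcp_credentials(section):
    """Parse the inline service-account key and cross-check it with projectId."""
    try:
        key = json.loads(section.get("credentials") or "")
    except json.JSONDecodeError as exc:
        return [f"gcpSecretManager.credentials: not valid JSON ({exc.msg}); "
                "paste the downloaded key file verbatim"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("gcpSecretManager.credentials: type must be service_account")
    for field in ("project_id", "private_key", "client_email"):
        if not key.get(field):
            problems.append(f"gcpSecretManager.credentials: missing {field}")
    if key.get("project_id") and key["project_id"] != section.get("projectId"):
        problems.append("gcpSecretManager.projectId differs from project_id inside the key")
    if key.get("private_key") and not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("gcpSecretManager.credentials: private_key is not a PEM private key")
    return problems


def validate_secret_backends(values):
    """Return a list of problems; an empty list means Helm gets a usable config."""
    problems, enabled = [], []
    for name, required in BACKENDS.items():
        section = values.get(name)
        if not isinstance(section, dict) or "enabled" not in section:
            problems.append(f"{name}: missing; set enabled: false explicitly")
            continue
        flag = section["enabled"]
        if not isinstance(flag, bool):
            problems.append(f"{name}.enabled: must be true or false, not {flag!r}")
            continue
        if not flag:
            continue
        enabled.append(name)
        for key in required:
            value = section.get(key)
            if not value or str(value).startswith(PLACEHOLDER_PREFIX):
                problems.append(f"{name}.{key}: missing or still a placeholder")
    if len(enabled) != 1:
        problems.append(f"exactly one backend must be enabled, got {enabled or 'none'}")
    # Helm silently ignores unknown keys, so a misspelled backend name never disables anything.
    for key in values:
        if key not in BACKENDS and key.lower().endswith("secretmanager"):
            problems.append(f"{key}: unknown key, did you mean gcpSecretManager or awsSecretManager?")
    if "gcpSecretManager" in enabled:
        problems += check_gcp_credentials(values["gcpSecretManager"])
    if "vault" in enabled and not str(values["vault"].get("address", "")).startswith("https://"):
        problems.append("vault.address: use https, the AppRole secret_id travels in the request body")
    return problems


# Constructed sample inputs (fake key material, shaped like the real files).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...fake...\n-----END PRIVATE KEY-----\n",
    "client_email": "platform@example-project.iam.gserviceaccount.com",
})
GOOD_GCP_VALUES = {
    "vault": {"enabled": False},
    "awsSecretManager": {"enabled": False},
    "gcpSecretManager": {"enabled": True, "projectId": "example-project", "credentials": SAMPLE_KEY},
}
# The values file as someone might copy it from the docs: placeholders left in
# and a `// comment` inside the credentials block, which is not JSON.
DOC_PLACEHOLDER_VALUES = {
    "vault": {"enabled": False},
    "awsSecretManager": {"enabled": False},
    "gcpSecretManager": {"enabled": True, "projectId": "your-project-id",
                         "credentials": "{\n  // Your service account JSON key\n}\n"},
}
# A Vault config that disables `googleSecretManager` instead of gcpSecretManager.
TYPO_VAULT_VALUES = {
    "googleSecretManager": {"enabled": False},
    "awsSecretManager": {"enabled": False},
    "vault": {"enabled": True, "address": "https://vault-cluster.hashicorp.cloud:8200",
              "namespace": "admin", "roleId": "4f8a1c2e-0000-4000-8000-000000000001",
              "secretId": "c1d2e3f4-0000-4000-8000-000000000002"},
}

if __name__ == "__main__":
    for label, values in [("good", GOOD_GCP_VALUES), ("doc-copy", DOC_PLACEHOLDER_VALUES),
                          ("typo", TYPO_VAULT_VALUES)]:
        print(label, validate_secret_backends(values) or "ok")
```

Run it against your own file with `validate_secret_backends(yaml.safe_load(open("values.yaml")))`; an empty result means every backend key is present and explicit, exactly one is enabled, no placeholder survived, and (for GCP) the embedded key parses and belongs to the configured project.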

Validation

# Set environment variables
export GOOGLE_APPLICATION_CREDENTIALS="path/to/service-account.json"
export PROJECT_ID="your-project-id"

# gcloud does not read GOOGLE_APPLICATION_CREDENTIALS (that variable is for the
# client libraries); activate the key explicitly, otherwise the check below runs
# as whatever account gcloud is already logged in as
gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"

# Verify access with the service account the platform will use
gcloud secrets list --project="$PROJECT_ID"
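
For the HashiCorp Vault option there is no equivalent one-liner, so the following added example (not part of the platform or of Vault's own tooling) performs the same kind of check with only the Python standard library: it logs in with the role ID and secret ID from values.yaml through Vault's AppRole API, sends the X-Vault-Namespace header when a namespace is configured, and then reads one secret with the returned token to confirm the AppRole's policy covers what the platform needs. The secret path probed (VAULT_CHECK_PATH, default secret/data/platform) is an assumption; set it to a path the platform's policy actually grants.

```python
"""Validate Vault AppRole credentials before installing the platform.

Added example, not part of the platform or of Vault's tooling. It uses Vault's
documented HTTP API: POST /v1/auth/approle/login with role_id and secret_id,
then a GET with the returned client token. VAULT_CHECK_PATH is an assumed
KV v2 path; adjust it to one the platform's policy grants.
"""
import json
import os
import urllib.error
import urllib.request


def login_request(address, role_id, secret_id, namespace=None):
    """Build the AppRole login call: role_id/secret_id as a JSON body posted to
    /v1/auth/approle/login, plus X-Vault-Namespace when one is configured (HCP: admin)."""
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(address.rstrip("/") + "/v1/auth/approle/login",
                                  data=body, headers=headers, method="POST")


def token_from_login(payload):
    """Pull the client token and policies out of Vault's login response. A body
    without `auth` is an error response; Vault puts its messages under `errors`."""
    auth = payload.get("auth")
    if not auth:
        raise RuntimeError(f"AppRole login failed: {payload.get('errors', payload)}")
    return auth["client_token"], auth.get("policies", [])


def approle_login(address, role_id, secret_id, namespace=None):
    """Perform the login over the network; Vault answers 400/403 with a JSON body too."""
    req = login_request(address, role_id, secret_id, namespace)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as exc:
        body = exc.read()
        try:
            payload = json.loads(body)
        except ValueError:
            raise RuntimeError(f"HTTP {exc.code} from Vault with non-JSON body: {body[:200]!r}") from exc
    return token_from_login(payload)


def probe_secret(address, token, path, namespace=None):
    """GET one secret with the token and return the HTTP status: 200 means the
    policy allows it, 403 means the AppRole's policy lacks this path, 404 means
    the path holds nothing (a wrong mount or a KV v1 path used against KV v2)."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    req = urllib.request.Request(address.rstrip("/") + "/v1/" + path.lstrip("/"), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    # The same four values the Helm chart needs, taken from the environment.
    addr = os.environ["VAULT_ADDR"]
    ns = os.environ.get("VAULT_NAMESPACE")
    token, policies = approle_login(addr, os.environ["VAULT_ROLE_ID"],
                                    os.environ["VAULT_SECRET_ID"], ns)
    print("AppRole login ok, policies:", policies)
    status = probe_secret(addr, token, os.environ.get("VAULT_CHECK_PATH", "secret/data/platform"), ns)
    print("read probe returned HTTP", status)
```

A login that succeeds but returns only the default policy, or a probe that returns 403, means the AppRole exists but its policy does not cover the platform's secrets; fix the policy in Vault before installing rather than widening it after the first failed start.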

Troubleshooting

GCP Secret Manager Issues

  • Verify service account permissions
  • Check credentials file format
  • Confirm API is enabled
  • Validate project ID

AWS Secrets Manager Issues

  • Verify IAM permissions
  • Check access key validity
  • Confirm region setting
  • Validate network access

Need help? Contact [email protected] if you encounter any issues.