
Secrets Management

Centralized secrets management with automatic rotation, fine-grained access control, and comprehensive auditing.

Estimated time: 25 minutes

What You Can Store

API keys and tokens
Database credentials
SSH private keys
TLS certificates
Cloud credentials
Service accounts
Encryption keys
OAuth secrets

Configuration Steps

1. Configure Secrets Backend

Set up the secrets storage backend.

tacctl create -f - <<EOF
kind: secrets_backend
metadata:
  name: production
spec:
  type: vault  # or aws-secrets-manager, gcp-secret-manager
  vault:
    addr: https://vault.company.com:8200
    token_path: /etc/tigeraccess/vault-token

  encryption:
    type: aes-256-gcm
    key_source: hsm
EOF

2. Store Secrets

Add secrets to the vault.

# Store a secret
tac secrets put prod/database/password --value=${DB_PASSWORD}

# Store from file
tac secrets put prod/api/key --file=./api-key.txt

# Store multiple values
tac secrets put prod/app/config \
  --data='{"db_host": "db.internal", "db_port": 5432}'

# List secrets
tac secrets ls prod/

3. Configure Access Control

Define who can access which secrets.

tacctl create -f - <<EOF
kind: role
metadata:
  name: app-developer
spec:
  allow:
    secrets:
      - path: "dev/*"
        operations: [read, list]
      - path: "staging/*"
        operations: [read]

  deny:
    secrets:
      - path: "prod/*"
EOF
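
The role above has two rule lists and no stated precedence. The evaluator below is an added example (not tacctl or tigeraccess code) that makes one reasonable reading of those rules executable so it can be checked against sample requests: an explicit deny wins over any allow, a deny rule with no operations list denies every operation, paths are matched as shell-style globs, and anything not explicitly allowed is denied. Those semantics, the role constants and the function names are assumptions for illustration; it also shows a broader role where a deny carves prod/* out of a blanket allow.

```python
import fnmatch

# Added example: a reference evaluator for the allow/deny role shape shown
# above. Deny-overrides-allow, default-deny and glob matching are assumed
# semantics, not documented tacctl behaviour. Note that fnmatch's "*" also
# matches "/", so "dev/*" covers "dev/app/key" as well as "dev/key".
APP_DEVELOPER_ROLE = {
    "allow": {
        "secrets": [
            {"path": "dev/*", "operations": ["read", "list"]},
            {"path": "staging/*", "operations": ["read"]},
        ]
    },
    "deny": {"secrets": [{"path": "prod/*"}]},
}

# A deliberately broad role: allow everything, then carve out prod/*.
BROAD_ROLE = {
    "allow": {"secrets": [{"path": "*", "operations": ["read", "list"]}]},
    "deny": {"secrets": [{"path": "prod/*"}]},
}


def _rule_matches(rule, path, operation):
    """True if a single allow/deny rule covers this path and operation.
    A rule without an "operations" list covers every operation."""
    if not fnmatch.fnmatchcase(path, rule["path"]):
        return False
    ops = rule.get("operations")
    return ops is None or operation in ops


def is_permitted(role, path, operation):
    """Evaluate one request: any matching deny rule refuses it, then any
    matching allow rule grants it, otherwise the default is deny."""
    for rule in role.get("deny", {}).get("secrets", []):
        if _rule_matches(rule, path, operation):
            return False
    for rule in role.get("allow", {}).get("secrets", []):
        if _rule_matches(rule, path, operation):
            return True
    return False


def audit_decisions(role, requests):
    """Evaluate a batch of (principal, path, operation) requests and return
    audit-style decision records for each one."""
    records = []
    for principal, path, operation in requests:
        decision = "allow" if is_permitted(role, path, operation) else "deny"
        records.append({"principal": principal, "path": path,
                        "operation": operation, "decision": decision})
    return records


if __name__ == "__main__":
    # Constructed sample requests against the app-developer role.
    sample = [
        ("alice", "dev/app/api-key", "read"),
        ("alice", "dev/app/api-key", "write"),
        ("alice", "staging/db/password", "list"),
        ("alice", "prod/database/password", "read"),
    ]
    for record in audit_decisions(APP_DEVELOPER_ROLE, sample):
        print(record)
```

Running the module prints one decision record per request; the prod/database/password read is denied even though nothing else in the role mentions that path, and the staging list is denied because the staging rule only grants read.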

4. Enable Dynamic Secrets

Generate secrets on-demand instead of storing static credentials.

tacctl create -f - <<EOF
kind: dynamic_secret
metadata:
  name: postgres-creds
spec:
  type: database
  database:
    connection_url: postgres://[email protected]:5432
    allowed_roles: [readonly, readwrite]

  lease:
    ttl: 1h
    max_ttl: 24h

  # Revoke on session end
  revoke_on_session_end: true
EOF

5. Use Secrets in Applications

Access secrets from your applications.

# CLI access
tac secrets get prod/database/password

# Application integration
import tigeraccess

client = tigeraccess.SecretsClient()
password = client.get("prod/database/password")

# Dynamic credential
creds = client.get_dynamic("postgres-creds", role="readonly")
# Returns: {"username": "v-app-abc123", "password": "..."}
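
Steps 4 and 5 together describe a credential lifecycle: a lease is issued with a ttl, can be kept alive up to max_ttl, and is revoked when the session ends. The example below is added here and is not tigeraccess code; it uses a constructed in-memory stand-in for the dynamic-secret engine (FakeDynamicSecretEngine, with an injectable clock so the timing can be exercised without sleeping) and an application-side session wrapper (DynamicCredentialSession) that renews shortly before expiry and revokes on exit. The renewal rule (a renewal extends the lease by ttl but never past max_ttl) and all class and method names are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    expires_at: float      # current expiry, extended by renew()
    max_expires_at: float  # hard ceiling fixed by max_ttl at issue time
    revoked: bool = False


class FakeClock:
    """Deterministic clock so lease timing can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeDynamicSecretEngine:
    """Constructed stand-in for the dynamic-secret backend (not tigeraccess):
    issues short-lived credentials bounded by ttl and max_ttl, as in the
    postgres-creds definition above."""

    def __init__(self, ttl, max_ttl, allowed_roles, clock=time.monotonic):
        self.ttl = ttl
        self.max_ttl = max_ttl
        self.allowed_roles = set(allowed_roles)
        self.clock = clock
        self.leases = {}

    def issue(self, role):
        if role not in self.allowed_roles:
            raise PermissionError(f"role {role!r} not in allowed_roles")
        now = self.clock()
        lease = Lease(
            lease_id=secrets.token_hex(8),
            username=f"v-app-{secrets.token_hex(3)}",  # constructed naming
            password=secrets.token_urlsafe(24),
            expires_at=now + self.ttl,
            max_expires_at=now + self.max_ttl,
        )
        self.leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return (lease is not None and not lease.revoked
                and self.clock() < lease.expires_at)

    def renew(self, lease_id):
        if not self.is_valid(lease_id):
            raise LookupError("lease expired or revoked; request new credentials")
        lease = self.leases[lease_id]
        # A renewal extends by ttl but can never pass max_ttl (assumed rule).
        lease.expires_at = min(self.clock() + self.ttl, lease.max_expires_at)
        return lease

    def revoke(self, lease_id):
        lease = self.leases.get(lease_id)
        if lease is not None:
            lease.revoked = True


class DynamicCredentialSession:
    """Application-side pattern: acquire dynamic credentials for a session,
    renew them before they lapse, and revoke them when the session ends
    (the client-side counterpart of revoke_on_session_end)."""

    def __init__(self, engine, role, renew_before=300):
        self.engine = engine
        self.role = role
        self.renew_before = renew_before  # seconds of slack before expiry
        self.lease = None

    def __enter__(self):
        self.lease = self.engine.issue(self.role)
        return self

    def credentials(self):
        remaining = self.lease.expires_at - self.engine.clock()
        if remaining <= 0:
            raise LookupError("lease expired; open a new session")
        if remaining <= self.renew_before:
            self.lease = self.engine.renew(self.lease.lease_id)
        return self.lease.username, self.lease.password

    def __exit__(self, exc_type, exc, tb):
        # Revoke even if the body raised, so no orphaned credential survives.
        self.engine.revoke(self.lease.lease_id)
        return False
```

The point to take from the wrapper is that the lease, not the session, is the unit of validity: a long-running job must call credentials() again rather than caching the username and password it got at start, and once max_ttl is reached renewal stops extending the lease and a fresh issue is the only option.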

Secrets Management Enabled

With secrets management configured, you have:

  • Centralized, encrypted secrets storage
  • Dynamic secrets with automatic revocation
  • Fine-grained access control
  • Complete audit trail of all access