Cycloid Credentials manager uses the open-source Vault engine to store the secrets that you need.

It centrally stores, accesses, and distributes secrets such as API keys, AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

WARNING

By default, a Vault credential exists so that your credentials can be accessed. It is used by our API, and potentially by your pipelines, to securely fetch your secrets without exposing them. Please do not remove it.

Why?

The two reasons to use it are:

  • You want to use a Cycloid feature which requires external access. Example: the Pricing feature on AWS requires an AWS IAM access key.
  • You want to securely provide sensitive information to a stack. Example: a database password, or an SSH key to access a private git repository.

What?

A credential path is composed of a type and a name. The path can be seen as the credential's full name to use. Each path contains one or several fields, and each field is composed of a key and a value.

Path and field name are closely linked together. For example, suppose I want to provide a database password to my application. To do that, I could define a Cycloid credential of type raw, named db_password, containing a field named password with secret as its value.

The generated path would be raw_db_password.

TIP

The path is automatically generated based on your secret name and type, but if you desire to set a different one, please click on the grey lock next to it.

To use it in a Cycloid pipeline, you refer to it using the format <cred path>.<cred field name>. So, you would write ((raw_db_password.password)) in your pipeline.

As another example, for an application which requires a login and a password, you could create raw_app_creds containing the fields login and password, giving:

raw_app_creds.login = foo
raw_app_creds.password = bar

Read the Vault in the pipeline section for more details about how to use Cycloid credentials in a pipeline.

We also recommend reading the Organize data in vault section to see the different ways to store credentials before you start creating your own.
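The <cred path>.<cred field name> format described above lends itself to a pre-flight check that every ((path.field)) reference in a pipeline file points at a credential and field that actually exist. The script below is an added example, not Cycloid's own code: the inventory is built by hand from the two examples on this page, and the pipeline fragment and its YAML keys are constructed for illustration.

```python
import re

# Matches ((path.field)) and also a bare ((path)) so the latter can be reported.
REF_RE = re.compile(r"\(\(\s*([A-Za-z0-9_\-]+)(?:\.([A-Za-z0-9_\-]+))?\s*\)\)")

# Constructed inventory mirroring the page's two examples: path -> field names.
INVENTORY = {
    "raw_db_password": {"password"},
    "raw_app_creds": {"login", "password"},
}

# Constructed pipeline fragment; the YAML keys are hypothetical.
SAMPLE_PIPELINE = """\
params:
  DB_PASSWORD: ((raw_db_password.password))
  APP_LOGIN: ((raw_app_creds.login))
  APP_PASSWORD: ((raw_app_creds.passwd))
  API_TOKEN: ((raw_api_token.token))
  DB_HOST: ((raw_db_password))
"""


def check_references(text, inventory):
    """Return (line_no, reference, problem) for each reference that does not resolve."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in REF_RE.finditer(line):
            path, field = match.group(1), match.group(2)
            ref = match.group(0)
            if path not in inventory:
                findings.append((line_no, ref, "unknown credential path"))
            elif field is None:
                # This page documents only the <path>.<field> form.
                findings.append((line_no, ref, "missing field name"))
            elif field not in inventory[path]:
                findings.append((line_no, ref, "unknown field for this path"))
    return findings


if __name__ == "__main__":
    for line_no, ref, problem in check_references(SAMPLE_PIPELINE, INVENTORY):
        print(f"line {line_no}: {ref}: {problem}")
```

Only paths and field names are compared, so the check never needs access to the secret values themselves.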

Types of credentials

You can create credentials of 3 different types:

  1. AWS
  2. Git (SSH keys)
  3. Raw

AWS

These are used in various situations: fetching logs for the application from CloudWatch, reading the billing status of your application, managing resources via Terraform, etc.

The format is pretty simple, as it is composed of the access key and the secret key.

Git

The Git credentials are in fact SSH private keys, as they are mostly used to access git repositories storing either pipeline/Ansible/Terraform configuration or your own application code.

The key has to be a valid SSH private key, otherwise you will receive an error.

Raw

The Raw credential type holds any number of key/value pairs that you want. This allows you to store most types of credentials in the way that you would like: HTTP authentication, a database password, an ansible-vault password, etc.