To connect identity systems, you will need to include service accounts, administrative credentials, API keys, and other secrets in your configurations. For example, an LDAP Connector requires an admin account and credential in order to look up users or query for attributes, an Azure AD Connector requires a client ID and secret, and your tls configuration may require certificates and keys that are not kept on the local filesystem.
Maverics integrates with various secret management solutions, which store the secrets that Orchestrator instances load at startup. The current integrations include:
- YAML file (e.g., secrets.yaml)
If no secret management solution is specified, Maverics defaults to using the value entered in the Maverics Console as the secret itself, in plain text. The resulting configuration embeds the credential directly, so the configuration file must be protected accordingly:
```yaml
connectors:
  - name: ldap
    type: ldap
    serviceAccountPassword: ldapServiceAccountPassword
    serviceAccountUsername: uid=mycorpadmin,ou=Admins,o=MyCorp,c=US
    # ...
```
If Connector configurations are split out into separate files and incorporated using include, the secrets each Connector needs should be defined in that Connector's file (e.g., myAzureADconnector.yaml).
Each Connector requires different credentials, secrets, and keys. Check the Connectors reference for specifics about what you will need to collect and store in your secret management solution.
To declare a value as a secret in a maverics.yaml config file, wrap the secret's name in angle brackets:
```yaml
connectors:
  - name: okta
    type: okta
    apiToken: <oktaAPIToken>
    oauthClientID: <oktaOAuthClientID>
    oauthClientSecret: <oktaOAuthClientSecret>
```
Secrets can be used instead of file paths for certificates and keys in the tls section:
```yaml
tls:
  maverics:
    certFile: <example.com.crt>
    keyFile: <example.com.key>
```
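As an added example (not part of the Maverics documentation and not Strata's code), the following Python script checks a maverics.yaml-style configuration against a flat secrets.yaml before an Orchestrator is started. It lists every `<secretName>` reference, flags credential fields whose value is a literal rather than a reference (the plaintext fallback described earlier, including the common slip of typing a secret's name without the angle brackets), reports references with no matching secret and secrets that nothing references, and finally resolves the references the way a loader would. The flat `name: value` layout of the secrets file, the list of field names treated as sensitive, and all sample values are assumptions made for the example.

```python
import re

# A secret reference is the secret's name in angle brackets, e.g. <oktaAPIToken>.
PLACEHOLDER = re.compile(r"^<([^<>\s]+)>$")
# 'key: value' lines, with or without a leading list dash; mapping headers
# such as 'connectors:' carry no value and are skipped.
KV_LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z][A-Za-z0-9_]*):\s*(\S.*?)\s*$")
# Field names whose literal value would be a plaintext credential
# (a heuristic assumed by this example, not a Maverics rule).
SENSITIVE = re.compile(r"(password|secret|token|apikey|keyfile|certfile)$", re.I)

# Constructed sample: the page's snippets merged into one file. The ldap
# password is the mistake this check exists for: the secret's name was typed
# without angle brackets, so the Orchestrator would use it as the literal password.
CONFIG = """\
connectors:
  - name: ldap
    type: ldap
    serviceAccountPassword: ldapServiceAccountPassword
    serviceAccountUsername: uid=mycorpadmin,ou=Admins,o=MyCorp,c=US
  - name: okta
    type: okta
    apiToken: <oktaAPIToken>
    oauthClientID: <oktaOAuthClientID>
    oauthClientSecret: <oktaOAuthClientSecret>
tls:
  maverics:
    certFile: <example.com.crt>
    keyFile: <example.com.key>
"""

# Constructed secrets.yaml with dummy values; example.com.key is deliberately
# missing. The flat 'name: value' layout is an assumption.
SECRETS = """\
ldapServiceAccountPassword: dummy-ldap-password
oktaAPIToken: 00Tdummy
oktaOAuthClientID: 0oadummy
oktaOAuthClientSecret: dummy-client-secret
example.com.crt: DUMMY-PEM-CERTIFICATE
"""


def parse_secrets(text):
    """Parse a flat 'name: value' file into a dict (no block scalars)."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            secrets[name.strip()] = value.strip()
    return secrets


def scan_config(text):
    """Return ([(field, secretName)], [(field, literalValue)]) for a config."""
    references, plaintext = [], []
    for raw in text.splitlines():
        m = KV_LINE.match(raw)
        if not m:
            continue
        field, value = m.group(1), m.group(2)
        ph = PLACEHOLDER.match(value)
        if ph:
            references.append((field, ph.group(1)))
        elif SENSITIVE.search(field):
            plaintext.append((field, value))  # credential stored in plain text
    return references, plaintext


def check(config_text, secrets_text):
    """Cross-check the config's secret references against the secrets file."""
    defined = set(parse_secrets(secrets_text))
    references, plaintext = scan_config(config_text)
    referenced = {name for _, name in references}
    return {
        "missing": sorted(referenced - defined),  # referenced but never defined
        "unused": sorted(defined - referenced),   # defined but never referenced
        "plaintext": plaintext,
    }


def resolve(config_text, secrets_text):
    """Substitute each <name> with its value, as a loader does at startup.
    Raises KeyError for an undefined secret instead of starting with a hole."""
    secrets = parse_secrets(secrets_text)
    return re.sub(r"<([^<>\s]+)>", lambda m: secrets[m.group(1)], config_text)


if __name__ == "__main__":
    for kind, items in check(CONFIG, SECRETS).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the constructed sample, the check reports `example.com.key` as missing, `ldapServiceAccountPassword` as defined but unused, and `serviceAccountPassword` as a plaintext credential; the last two findings together point at the forgotten angle brackets. The `unused` list is also a useful prompt to prune stale entries from the secrets file, since every value that stays there is a credential someone has to protect.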
If connecting to your secret provider involves traversing a network proxy, please see the network proxy documentation.