Secret Usage with Backup and Restore

`asbackup` and `asrestore` support retrieving values from the Aerospike Secret Agent. This makes it possible to use sensitive information like TLS certificates and passwords as arguments without storing them on the same machine as `asbackup` and `asrestore`.

In order to use secrets as arguments, the Secret Agent must be running and accessible by `asbackup` and `asrestore`. Use the following options to connect to the Secret Agent.
Secret Agent options

`asbackup` and `asrestore` both support the same Secret Agent-related options.

Option | Default | Description |
---|---|---|
`--sa-address=HOST[:PORT]` | 127.0.0.1 | The Secret Agent's hostname or IP address to connect to. |
`--sa-port=PORT` | 3005 | The port to use to connect to the Secret Agent. |
`--sa-timeout=MS` | 1000 | The timeout used when connecting to and requesting secrets from the Secret Agent. |
`--sa-cafile=TLS_CAPATH` | | The path to a trusted CA certificate file in PEM format. Used when authenticating with the Secret Agent. Using this option enables TLS for all connections with the Secret Agent. |
Secret arguments

`asbackup` and `asrestore` support using secrets for most of their options. Exceptions include the options for the Secret Agent itself, and options that specify configuration files such as `--only-config-file`.

The format for using a secret as an argument is `secrets[:<resource_name>]:<secret_key>`. See the Aerospike Secret Agent documentation for information about resource names, secret names, and how to set up the Secret Agent service.

Values stored in the Secret Agent must be base64 encoded. `asbackup` and `asrestore` decode them upon receipt.

Some options, like `--tls-cafile`, normally expect a file path as an argument. When used as secrets, the data returned by the Secret Agent is used literally and not resolved as a file path.
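The resolution rules above (the `secrets[:<resource_name>]:<secret_key>` syntax, base64 decoding on receipt, no secrets for Secret Agent or config-file options, and file-path options taking the returned data literally) as an added Python illustration, not code from the Aerospike tools. The in-memory `FAKE_AGENT` table stands in for a real Secret Agent, and the fallback resource used when `<resource_name>` is omitted is an assumption of this example.

```python
import base64
import re

# Constructed stand-in for a Secret Agent: resource -> secret key -> base64 value.
# Values are base64 encoded, as the Secret Agent requires.
FAKE_AGENT = {
    "resource1": {
        "pass": base64.b64encode(b"s3cr3t").decode(),
        "aerospike_cafile": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
        ).decode(),
    },
    "default": {"pass": base64.b64encode(b"fallback").decode()},
}

# Options that must never be supplied as secrets: the Secret Agent options themselves
# and the options that name configuration files.
NON_SECRET_OPTIONS = {"sa-address", "sa-port", "sa-timeout", "sa-cafile", "only-config-file"}

SECRET_RE = re.compile(r"^secrets(?::(?P<resource>[^:]+))?:(?P<key>[^:]+)$")


def parse_secret_ref(value):
    """Return (resource, key) for a secrets[:<resource>]:<key> argument, None for a literal."""
    if not value.startswith("secrets:"):
        return None
    m = SECRET_RE.match(value)
    if not m:
        # A value that claims to be a secret but is malformed must not be silently
        # passed through as if it were a literal password or path.
        raise ValueError(f"malformed secret reference: {value!r}")
    return m.group("resource"), m.group("key")


def resolve_option(name, value, agent=FAKE_AGENT, default_resource="default"):
    """Resolve one option value, fetching and base64-decoding it if it is a secret reference."""
    ref = parse_secret_ref(value)
    if ref is None:
        return value  # ordinary literal argument, used as-is
    if name in NON_SECRET_OPTIONS:
        raise ValueError(f"option --{name} does not accept secrets")
    resource, key = ref
    resource = resource or default_resource  # assumed fallback when the resource is omitted
    try:
        encoded = agent[resource][key]
    except KeyError:
        raise LookupError(f"secret {resource}:{key} not found in Secret Agent") from None
    # Strict decoding so a corrupt or non-base64 entry fails loudly instead of
    # being handed to the tool as garbage. For a file-path option such as
    # tls-cafile the decoded bytes ARE the file contents; no path lookup happens.
    return base64.b64decode(encoded, validate=True).decode()
```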
Examples

This example uses the secret `pass` from Secret Agent resource `resource1` as the `asbackup` password option.

```
asbackup --sa-address 127.0.0.1:3005 --password secrets:resource1:pass -n test --output-file -
```
Secrets can also be used from an Aerospike tools configuration file. The following example configuration file causes `asbackup` and `asrestore` to connect to the Secret Agent at `secretagent:3006` using TLS and the certificate at `path/to/cacert.pem`. `asbackup` and `asrestore` then connect to the Aerospike database using TLS and the certificate from the Secret Agent at resource "resource1" and secret "aerospike_cafile".

```
[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
sa-cafile = "path/to/cacert.pem"
[asbackup]
tls-enable = true
tls-cafile = "secrets:resource1:aerospike_cafile"
[asrestore]
tls-enable = true
tls-cafile = "secrets:resource1:aerospike_cafile"
```
The following configuration file causes `asbackup` and `asrestore` to get the Aerospike host from the Secret Agent.

```
[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
[cluster]
host = "secrets:resource1:aerospike_host"
```
The following example configures `asbackup` to encrypt backup data using an encryption key from the Secret Agent. As with `--tls-cafile`, the decoded secret is used directly as the key material rather than as a path to a key file.

```
[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
[asbackup]
encrypt = "aes256"
encryption-key-file = "secrets:resource1:encrypt_key"
```