Getting Started

Processes (v2)

Processes (v1) - DEPRECATED

Triggers

Console

API

Plugins (v2)

Plugins (v1) - DEPRECATED

Templates

CLI

Community

Edit this page on GitHub

Home > docs > plugins v1 > Akeyless Task

Akeyless Task

The akeyless task allows workflows to interact with various Akeyeless API endpoints.

Usage

To enable the task in a Concord flow, it must be added as a dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:akeyless-task:2.5.0

This adds the task to the classpath and allows you to invoke the task in a flow:

flows:
  default:
    # full task call
    - task: akeyless
      in:
        action: getSecret
        path: "/my-secret"
    # shorthand, public method
    - expr: "${akeyless.getSecret('/my-secret')}"
      out: singleValue

Common Parameters

  • action - Action to perform. One of:
    • auth - Retrieves an API access token
    • createSecret - Create a static secret
    • deleteItem - Delete an item
    • getSecret - Get value for one secret path
    • getSecrets - Get value for multiple secret paths
    • updateSecret - Update a secret’s value
  • apiBasePath - Akeyless API URL
  • debug - optional boolean, enabled extra debug log output for troubleshooting
  • accessToken - API access token. Supersedes auth parameter
  • ignoreCache - optional boolean, ignores cache when getting secret data
  • auth - API authentication info. Used to generate an authentication token when accessToken is not provided. Only one method may be specified. Supported authentication methods are:
    • apiKey - Details for API Key authentication method
      • accessId - Access ID for API key authentication
      • accessKey - The API key
    • ldap - Details for LDAP authentication method
      • accessId - Access ID for LDAP authentication
      • credentials - the LDAP credentials
        • username - LDAP username
        • password - LDAP password

Task Output

The output of the full task call is saved into the result variable as map of secret paths and values.

configuration:
  arguments:
    myPath: "/my-secret"
flows:
  default:
    - task: akeyless
      in:
        action: getSecret
        path: "${myPath}"
    - log: "Don't log secret values: ${result[myPath]}"
    - log: "Same value: ${akeyless.getSecret('/my-secret')}"

The output of public method calls may different depending on the method called. See the documentation for the specific method for output details.

Authentication

Multiple authentication methods are supported. Only one authentication method can be used per task call.

API Key

Simple API Key authentication uses a single-value secret for the key value:

flows:
  default:
    task: akeyless
    in:
      auth:
        apiKey:
          # single-value (string) secrets
          accessId: { org: "my-org", name: "dev-akeyless-id" }
          accessKey: { org: "my-org", name: "dev-akeyless-key" }
      # ...

LDAP

LDAP authentication uses a username/password secret for the credentials:

flows:
  default:
    task: akeyless
    in:
      auth:
        ldap:
          accessId: { org: "my-org", name: "dev-akeyless-id" }
          # username/password secret
          credentials: { org: "my-org", name: "dev-akeyless-creds" }
      # ...

Setting Default Task Parameters

Set a akeylessParams variable to provide a default set of parameters to the task. This is helpful when the task is called multiple time and allows the use of the task’s public methods.

configuration:
  arguments:
    akeylessParams:
      apiBasePath: "https://api.akeyless.io"
      auth:
        ldap:
          accessId: { org: "my-org", name: "dev-akeyless-id" }
          credentials: { org: "my-org", name: "dev-akeyless-creds" }

flows:
  default:
    # public methods are more succinct
    - expr: "${akeyless.getSecret('/my-secret')}"
      out: secretData

    # or use the full call to override a default parameter
    - task: akeyless
      in:
        apiBasePath: # override apiBasePath here
        action: getSecret
        # ...

Get Access Token

Use the auth action to generate an access token from a given authentication method.

- task: akeyless
  in:
    action: auth
  out: result
# 'result' variable now contains:
# {
#   "accessToken" : "<the-actual-value>"
# }

Get Secret Data

Use the getSecret action to get the value of a single secret.

- task: akeyless
  in:
    action: getSecret
    path: "/my-secret"
# 'result' variable now contains:
# {
#   "/my-secret" : "<the-actual-value>"
# }

The task’s public can be used to retrieve only the data when default parameters are set.

- set: # value is just the secret string
    mySecretData: "${akeyless.getSecret('/my-secret')}"

Get Multiple Secrets

Use the getSecrets action to get the values of multiple secrets in one call.

- task: akeyless
  in:
    action: getSecrets
    paths:
      - "/my-first-secret"
      - "/subpath/my-second-secret"
# 'result' variable now contains:
# {
#   "/my-first-secret" : "<the-actual-value1>",
#   "/subpath/my-second-secret" : "<the-actual-value2>"
# }

Create a Secret

Use the createSecret action to create a static secret.

Available parameters:

  • path: name, including full path, of the secret
  • value: secret value
  • description: optional String, description of the secret
  • multiline: optional boolean, The provided value is a multiline value (separated by '\n'). Default is false
  • protectionKey: optional String, The name of a key used to encrypt the secret value (if empty, the account default protection key is used)
  • tags: optional list of String values, List of tags to apply to the secret
- task: akeyless
  in:
    action: createSecret
    path: "/path/to/my-secret"
    value: "don't hardcode this"
    description: "This is my super secret secret"

Update a Secret

Use the upateSecret action to update a secret.

Available parameters:

  • path: name, including full path, of the secret
  • value: secret value
  • multiline: optional boolean, The provided value is a multiline value (separated by '\n'). Default is false
  • protectionKey: optional String, The name of a key used to encrypt the secret value (if empty, the account default protection key is used)
  • keepPreviousVersion: optional boolean, when true keeps the previous version in the secret’s history. Default is true
- task: akeyless
  in:
    action: updateSecret
    path: "/my-secret"
    value: "aNewValue"
    multiline: false
    keepPreviousVersion: false  # default is true

Delete a Secret

Use the deleteItem action to delete an item.

Available parameters:

  • path: name, including full path, of the secret
  • deleteImmediately: optional boolean, when true deletes the item immediately. Default is true
  • deleteInDays: optional number, sets secrets to be deleted after the given number of days
  • version: optional number, specific version to delete. Default is all versions. 0=last version, -1=entire item with all versions
# delete all version of a secret
- task: akeyless
  in:
    action: deleteItem
    path: "/my-secret"

# delete on older version of a secret
- task: akeyless
  in:
    action: deleteItem
    path: "/my-secret"
    version: 2
    deleteImmediately: true # same as default

# mark secret for deletion in 15 days
- task: akeyless
  in:
    action: deleteItem
    path: "/my-secret"
    deleteInDays: 15

2011 - 2024 © Walmart Inc. All Rights Reserved.

Contribute to the site.

site footer image