Secret management can be used in the following contexts in RPI:
- To manage application setting secrets.
- To persist passwords that are stored in the RPI System Configuration interface.

To turn on secret management:

- Ensure that applicable Cloud Identity (Azure, Google, or AWS) application settings are configured.
- Within Secret Management application settings:
  - Select a secret management Provider (Azure KeyVault, Google Secret Manager, or AWS Secrets Manager).
  - Specify whether the secret manager will be used to manage application setting secrets and/or system configuration passwords.
- If using Azure secret management, ensure that the Azure Key Vault Configuration settings are configured.
- If using AWS Secrets Manager, by default, only secrets with the "rpi-app" tag will be used. This can be changed using the KeyVault__AmazonSettings__AppSettingsTag application setting.
When using an Azure KeyVault secret to override an application setting, the secret’s name must match the environment variable name, with any underscores replaced by hyphens (-) e.g., ConnectionStrings-OperationalDatabase. If using Google Secret Manager or AWS Secrets Manager, the character replacement is not required.
In addition, when using a secret manager and specifying passwords during tenant deployment, you can reference a secret using the format {{key-vault-key}}. If you specify a password as plain text, a secret is automatically created to persist it.
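The three rules above (the AWS tag filter, the Azure underscore-to-hyphen name mapping, and the `{{key-vault-key}}` password reference) are easy to get wrong when wiring up a deployment, so here is an added worked example, written for this page and not RPI's own code, that models each rule as a plain function over an in-memory secret store. The provider names, the dictionary shape of the store, the tag-matching behaviour (a tag is matched as a plain string, since the page does not say whether a tag key or value is compared), the way an auto-created secret is named, and every sample value are assumptions of the example; the underscore rule is applied literally, so each underscore in the variable name becomes one hyphen.

```python
import re

# Added example (not RPI's own code). Models the page's secret management
# rules over an in-memory store so they can be checked offline. Provider
# names, store shape and all sample values are constructed for the example.

# Providers named on the page; only Azure needs the underscore -> hyphen mapping.
PROVIDERS = {"azure", "google", "aws"}


def secret_name_for(env_var: str, provider: str) -> str:
    """Return the secret name that overrides application setting `env_var`.

    Azure Key Vault secret names allow only letters, digits and hyphens, so the
    page's rule is: same name as the environment variable with every '_'
    replaced by '-'. Google Secret Manager and AWS Secrets Manager keep the
    environment variable name unchanged.
    """
    provider = provider.lower()
    if provider not in PROVIDERS:
        raise ValueError(f"unknown secret management provider: {provider!r}")
    if provider == "azure":
        return env_var.replace("_", "-")
    return env_var


def apply_secret_overrides(settings: dict, store: dict, provider: str) -> dict:
    """Overlay application settings with matching secrets; a secret wins."""
    merged = dict(settings)
    for env_var in settings:
        name = secret_name_for(env_var, provider)
        if name in store:
            merged[env_var] = store[name]
    return merged


def aws_app_setting_secrets(secrets: list, app_tag: str = "rpi-app") -> dict:
    """Keep only AWS secrets carrying the application tag (default 'rpi-app').

    In RPI the default tag is changed with the
    KeyVault__AmazonSettings__AppSettingsTag setting; here it is a parameter.
    Tags are modelled as a set of strings (assumption: the page does not say
    whether a tag key or a tag value is compared).
    """
    return {s["name"]: s["value"] for s in secrets if app_tag in s["tags"]}


# A whole-value reference of the form {{key-vault-key}}.
_REF = re.compile(r"^\{\{(?P<key>[^{}]+)\}\}$")


def resolve_password(setting_name: str, value: str, store: dict, provider: str) -> str:
    """Resolve a password supplied during tenant deployment.

    '{{key-vault-key}}' references an existing secret; a missing secret is an
    error rather than a silently empty password. Plain text is persisted as a
    new secret and returned unchanged. Naming that auto-created secret with
    secret_name_for() is an assumption of this example, not a rule on the page.
    """
    m = _REF.match(value.strip())
    if m:
        key = m.group("key").strip()
        if key not in store:
            raise KeyError(f"referenced secret {key!r} does not exist")
        return store[key]
    store[secret_name_for(setting_name, provider)] = value
    return value


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    store = {"ConnectionStrings-OperationalDatabase": "Server=db;User=rpi;Password=from-vault"}
    env = {"ConnectionStrings_OperationalDatabase": "Server=db;User=rpi;Password=from-env"}
    print(apply_secret_overrides(env, store, "azure"))
    print(resolve_password("SmtpPassword", "{{ConnectionStrings-OperationalDatabase}}", store, "azure"))
    print(resolve_password("Smtp_Password", "plain-text-value", store, "azure"), sorted(store))
```

Two points worth checking in a real deployment follow from the functions: `apply_secret_overrides` only overrides a setting when a secret with the mapped name exists, so a typo in the secret name silently leaves the environment value in place, and `resolve_password` refuses a `{{…}}` reference to a secret that is not in the store rather than treating it as a literal password.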