
Configure secret store

The Tenzir Platform provides a secret store for each workspace. All Tenzir Nodes connected to the workspace can access its secrets. You can manage secrets using the CLI or the web interface. Alternatively, you can use an external secret store.

Read more about how secrets work in our explanations page.

To add a new secret to the Platform’s secret store:

Add value to the Platform's secret store
tenzir-platform secret add geheim --value=1528F9F3-FAFA-45B4-BC3C-B755D0E0D9C2

Refer to the CLI reference for more details on updating or deleting secrets.

To manage secrets from the web interface, go to the Workspace Settings screen by clicking the gear icon in the workspace selector.


You can configure the Tenzir Platform to provide access to secrets stored in an external secret store instead of using its own store. This access is read-only.

To add AWS Secrets Manager as an external secret store, use the CLI:

Add AWS Secrets Manager as external secret store
tenzir-platform secret store add aws \
  --region='eu-west-1' \
  --assumed-role-arn='arn:aws:iam::1234567890:role/tenzir-platform-secrets-access' \
  --prefix=tenzir/

  • The Tenzir Platform must have permissions to read secrets under the specified prefix from the external store.
  • The platform must be able to assume the specified role in AWS.
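
On the AWS side, the two requirements above correspond to a permissions policy and a trust policy on the assumed role. The script below is an added example, not part of the Tenzir documentation: it renders both documents scoped to the configured prefix. The function names, the `secretsmanager:GetSecretValue` action, the assumption that the secrets live in the role's account, and the placeholder principal ARN are assumptions.

```shell
#!/bin/sh
# Added example (not from the Tenzir docs). Function names, the IAM action and
# the principal placeholder are assumptions.

# Read-only access to secrets whose name starts with the prefix. Secret ARNs
# end in "secret:<name>-<random suffix>", so "<prefix>*" covers every secret
# under the prefix and nothing outside it.
permissions_policy() {
  region=$1 account=$2 prefix=$3
  case $prefix in
    ''|*'*'*|*'?'*) echo "refusing empty or wildcard prefix" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadPrefixedSecretsOnly",
    "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:${region}:${account}:secret:${prefix}*"
  }]
}
EOF
}

# Trust policy: only one named IAM principal may assume the role.
trust_policy() {
  principal=$1
  case $principal in
    arn:aws:iam::*) ;;
    *) echo "principal must be a specific IAM ARN" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${principal}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Region, account and prefix are taken from the command above; the principal
# is a placeholder for the identity the Tenzir Platform runs as.
permissions_policy eu-west-1 1234567890 tenzir/
trust_policy 'arn:aws:iam::PLATFORM_ACCOUNT_ID:role/PLATFORM_ROLE'
```

If the secrets are encrypted with a customer managed KMS key, the role also needs `kms:Decrypt` on that key.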

See the CLI reference for more details.
