This feature is available on:
  • AWS Managed Cluster
  • GCP Managed Cluster
Supported Secrets Providers:
  • AWS Secrets Manager
  • AWS Parameter Store
  • GCP Secret Manager

How it works

Qovery integrates with external secrets by deploying ESO (External Secrets Operator) in your cluster. ESO reads secrets from the configured Secrets Provider with the credentials of your Secret Manager Access and syncs them into the cluster, where Qovery injects them into your services as environment variables.

Configure a Secret Manager Access

You can configure a Secret Manager Access in the “Add-ons” section of your cluster.
Creating or editing a Secret Manager Access requires the cluster to be redeployed.

Configure your AWS Managed Cluster

AWS Authentication

You can use the following authentication methods with either AWS Secrets Manager or AWS Parameter Store. AWS Automatic and AWS Role authentication are mutually exclusive: a Secret Manager Access uses one or the other.

AWS Automatic authentication

This is the simplest and quickest way to use your external secrets inside your services. It gives the cluster read access to all secrets located in the same AWS account as your cluster, so use it only when that scope is acceptable. The following information is required:
  • The target AWS Region where your secrets live
  • The secret manager access name
Qovery automatically creates an AWS IAM Role with the following permissions, first for AWS Secrets Manager and then for AWS Parameter Store:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "*"
    }
  ]
}
For AWS Parameter Store:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    }
  ]
}

Cross-Cloud Authentication (AWS Cluster → GCP)

From an AWS cluster you can target GCP Secret Manager using static credentials (a GCP service account key).
Qovery provides the following script to run in your GCP Console. It takes your project ID, a role name and a service account name as arguments and generates a key.json for that service account. Because it pipes a remote script straight into bash, download and review it before running it:
curl https://setup.qovery.com/create_secret_manager_credentials_gcp.sh | \
bash -s -- $GOOGLE_CLOUD_PROJECT qovery_secrets_manager_role qovery-secrets-manager-sa
The following information is required:
  • The key.json generated by the script
  • Your GCP Project ID
  • The target GCP Region where your secrets live
  • The secret manager access name
The key.json is a long-lived credential: give it only to Qovery and delete any local copy once the access is configured.

Configure your GCP Managed Cluster

This authentication gives you access to all secrets located in the same GCP project as your cluster.
You must add the Secret Manager Viewer role to the GCP service account associated with your Qovery cluster.
Qovery automatically creates the GCP IAM Service Account with the necessary permissions. The following information is required:
  • Your GCP Project ID
  • The target GCP Region where your secrets live
  • The secret manager access name

Cross-Cloud Authentication (GCP Cluster → AWS)

The following information is required:
  • Your AWS Access Key
  • Your AWS Secret Access Key
  • The target AWS Region where your secrets live
  • The secret manager access name
You need to attach the following permissions to the IAM identity that owns the access key. Use a dedicated identity that carries nothing beyond this policy, and rotate the key regularly, since it is a static credential. For AWS Secrets Manager:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}
You can restrict access to specific resources using wildcards in the Resource ARN. However, secretsmanager:ListSecrets must always target Resource: "*", because AWS does not support resource-level restrictions for this action; without it, Qovery cannot list available secrets when configuring an external secret. The following example restricts reads to secrets whose name starts with staging in eu-west-3 (XXXXXXXXXXXX stands for your account ID):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:eu-west-3:XXXXXXXXXXXX:secret:staging*"
   },
   {
     "Effect": "Allow",
     "Action": [
       "secretsmanager:ListSecrets"
     ],
     "Resource": "*"
   }
 ]
}
For AWS Parameter Store:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    }
  ]
}
You can restrict access to specific resources using wildcards in the Resource ARN. However, ssm:DescribeParameters must always target Resource: "*", because AWS does not support resource-level restrictions for this action; without it, Qovery cannot list available parameters when configuring an external secret. The following example restricts reads to parameters whose name starts with staging in eu-west-3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:eu-west-3:XXXXXXXXXXXX:parameter/staging*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    }
  ]
}
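The broad and prefix-scoped policies above for both providers follow one pattern: read actions scoped to a name-prefix ARN, plus the one list/describe action that AWS only allows on Resource "*". The Python helper below is an added example, not Qovery's code: it generates a prefix-scoped policy for either provider and lints an existing policy for the two mistakes the text warns about (read actions left on "*", and the list action missing or not on "*"). The account ID, region and prefix in the sample are constructed placeholders.

```python
"""Build and lint the IAM policies behind a cross-cloud Secret Manager Access.

Added example, not Qovery's code. It encodes the two rules stated on this page:
read actions should be scoped to a name-prefix ARN, while the list/describe
action (secretsmanager:ListSecrets, ssm:DescribeParameters) only works with
Resource "*". Account ID, region and prefix below are constructed placeholders.
"""
import json

# Read actions the page grants per provider, the list action that AWS only
# allows on Resource "*", and the ARN shape used for prefix scoping.
PROVIDERS = {
    "secretsmanager": {
        "read": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds",
        ],
        "list": "secretsmanager:ListSecrets",
        "arn": "arn:aws:secretsmanager:{region}:{account}:secret:{prefix}*",
    },
    "ssm": {
        "read": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
        "list": "ssm:DescribeParameters",
        "arn": "arn:aws:ssm:{region}:{account}:parameter/{prefix}*",
    },
}
LIST_ACTIONS = {p["list"] for p in PROVIDERS.values()}
READ_ACTIONS = {a for p in PROVIDERS.values() for a in p["read"]}


def build_read_policy(provider, region, account, prefix):
    """Return a policy that reads only entries whose name starts with prefix."""
    p = PROVIDERS[provider]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(p["read"]),
                "Resource": p["arn"].format(region=region, account=account, prefix=prefix),
            },
            # Listing has no resource-level support, so it must stay on "*".
            {"Effect": "Allow", "Action": [p["list"]], "Resource": "*"},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _unscoped(resource):
    """True for "*" and for ARNs whose name part is empty or a bare "*"."""
    if resource == "*":
        return True
    for sep in (":secret:", ":parameter/"):
        if sep in resource:
            return resource.rsplit(sep, 1)[1].strip("*") == ""
    return False


def lint_policy(policy):
    """Return findings as strings; an empty list means the policy passes."""
    findings = []
    providers_used = set()
    list_on_star = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append("NotAction/NotResource grant far more than read access; use explicit Action and Resource")
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            providers_used.add(action.split(":", 1)[0])
            if action in LIST_ACTIONS:
                if "*" in resources:
                    list_on_star.add(action)
            elif action in READ_ACTIONS:
                for r in resources:
                    if _unscoped(r):
                        findings.append(f'{action}: Resource "{r}" exposes every entry in the account; scope it to a name-prefix ARN')
            else:
                # Covers write actions and wildcards such as "secretsmanager:*".
                findings.append(f"{action}: not one of the read/list actions an external secret needs; drop it")
    for provider in providers_used:
        if provider in PROVIDERS and PROVIDERS[provider]["list"] not in list_on_star:
            findings.append(f'{PROVIDERS[provider]["list"]} must be allowed on Resource "*", or Qovery cannot list available entries')
    return findings


if __name__ == "__main__":
    scoped = build_read_policy("secretsmanager", "eu-west-3", "123456789012", "staging")
    print(json.dumps(scoped, indent=2))
    broad = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets"], "Resource": "*"}]}
    for finding in lint_policy(broad):
        print("finding:", finding)
```

Run it against the policy you intend to attach before creating the access: a clean result means every read action is prefix-scoped and the list action is present on "*", which is exactly the shape of the scoped examples above. A policy that uses "secretsmanager:*" or any write action is reported so it can be dropped, since nothing on this page needs more than read and list.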

Reference the external secrets in your service

Once your cluster is deployed, you can link external secrets to any service:
  • Open your service
  • Navigate to the Variables tab
  • Select the External secrets tab
  • Click Add external secret
Qovery automatically lists the secrets available in your Secrets Provider to simplify setup:
You can filter results by prefix to narrow the list:
To create an external secret, you need to:
  • Select the Secret Manager Access
  • Select the secret from your Secret Manager
  • Provide the environment variable key to inject

Particular case: Terraform Service

Documentation coming soon.