The kubiya_secret resource allows you to create and manage secrets in the Kubiya platform. Secrets store sensitive information such as API keys, passwords and tokens that Kubiya agents can access securely during execution.
Secrets provide a secure way to handle sensitive data in your automation workflows. They are encrypted at rest and only accessible to authorized agents during execution.
Prerequisites
Before using this resource, ensure you have:
- A Kubiya account with API access
- An API key (generated from the Kubiya dashboard under Admin → Kubiya API Keys)
- Familiarity with handling sensitive data securely in Terraform (sensitive variables, encrypted remote state)
Quick Start
Configuration Examples
Configure an agent with multiple secrets for various services:
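A minimal end-to-end configuration covering the Quick Start and the multi-secret agent above, added here as an illustration rather than taken from the provider's own documentation. Two secrets are fed from sensitive variables and one agent lists both by name. The provider source address, the secret names, and every kubiya_agent argument other than secrets are assumptions; check the kubiya_agent documentation for its required arguments.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    kubiya = {
      source  = "kubiya-ai/kubiya" # assumed registry address; verify against the provider docs
      version = ">= 1.0.0"
    }
  }
}

# Secret material enters only through variables. Set them with
# TF_VAR_github_token / TF_VAR_datadog_api_key from your secret store or a
# git-ignored *.tfvars file. sensitive = true redacts them from plan output.
variable "github_token" {
  type        = string
  sensitive   = true
  description = "GitHub token used by the release agent"
}

variable "datadog_api_key" {
  type        = string
  sensitive   = true
  description = "Datadog API key used by the release agent"
}

resource "kubiya_secret" "github_token" {
  name        = "prod-github-token" # constructed name
  description = "GitHub PAT for the release agent (prod)"
  value       = var.github_token
}

resource "kubiya_secret" "datadog_api_key" {
  name        = "prod-datadog-api-key" # constructed name
  description = "Datadog API key for the release agent (prod)"
  value       = var.datadog_api_key
}

# The agent references the secrets by name. Using the resource attributes
# instead of repeating the strings makes Terraform create the secrets first,
# so the agent never points at a secret that does not exist yet.
# (name, description and secrets are the only kubiya_agent arguments assumed here.)
resource "kubiya_agent" "release" {
  name        = "release-agent"
  description = "Cuts releases and reports deploy metrics"
  secrets = [
    kubiya_secret.github_token.name,
    kubiya_secret.datadog_api_key.name,
  ]
}
```

Run terraform plan and confirm that both value arguments are shown as (sensitive value). Had the token been written as a string literal, it would appear in the plan, in CI logs and in git history.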
Advanced Configurations
SSH Private Key Storage
Store SSH private keys base64-encoded so the multi-line PEM block travels as a single string; the agent must decode it before use:
JWT Signing Secret
Store JWT signing secrets for authentication:
Certificate Storage
Store certificates and other binary data base64-encoded:
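The three cases above (SSH private key, JWT signing secret, certificate bundle) as one added example; this is not the provider's own documentation. The variable names, secret names and the PEM check are assumptions; base64encode and filebase64 are Terraform built-ins.

```hcl
variable "deploy_ssh_private_key" {
  type        = string
  sensitive   = true
  description = "PEM-encoded private key (multi-line); pass via TF_VAR_deploy_ssh_private_key"
  validation {
    # Reject paths, public keys and other non-PEM input before it reaches the platform.
    condition     = can(regex("^-----BEGIN .*PRIVATE KEY-----", var.deploy_ssh_private_key))
    error_message = "deploy_ssh_private_key must be a PEM private key, not a path or a public key."
  }
}

variable "jwt_signing_secret" {
  type        = string
  sensitive   = true
  description = "HMAC key for signing internal JWTs"
  validation {
    condition     = length(var.jwt_signing_secret) >= 32
    error_message = "jwt_signing_secret must be at least 32 characters; HS256 needs 256 bits of key material."
  }
}

variable "client_cert_p12_path" {
  type        = string
  description = "Path (on the machine running terraform) to a PKCS#12 bundle holding the client cert and key"
}

# A multi-line PEM block is safest transported as one base64 string.
# The agent must decode it (base64 -d) before writing it to disk.
resource "kubiya_secret" "deploy_ssh_key" {
  name        = "prod-deploy-ssh-key-b64" # constructed name; the -b64 suffix tells consumers to decode
  description = "base64(PEM) ed25519 deploy key for the release agent; decode before use"
  value       = base64encode(var.deploy_ssh_private_key)
}

# A symmetric signing key is already a plain string; store it as-is.
resource "kubiya_secret" "jwt_signing" {
  name        = "prod-jwt-signing-secret" # constructed name
  description = "HS256 signing key for internal service JWTs (prod)"
  value       = var.jwt_signing_secret
}

# filebase64 reads the binary file at plan time, so the bytes never sit in
# a .tf file; only the path does. The file itself still needs protecting.
resource "kubiya_secret" "mtls_client_cert" {
  name        = "prod-mtls-client-cert-p12-b64" # constructed name
  description = "base64(PKCS#12) client cert + key for mTLS to the billing API"
  value       = filebase64(var.client_cert_p12_path)
}
```

Put the encoding in the secret name or description, as above: an agent that receives a base64 string where it expects PEM fails with an unhelpful parse error, and the value itself cannot be inspected afterwards.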
Arguments Reference
Required Arguments
- name (Required) The name of the secret. Must be unique within your organization and follow the platform's naming conventions. Agents reference the secret by this name.
- value (Required) The secret value. This is write-only: the provider never reads it back after creation. Always supply it from a Terraform variable marked sensitive = true, never as a literal.
Optional Arguments
- description (Optional) A description of the secret's purpose, consumer and environment. Helps with documentation and management.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- The timestamp when the secret was created.
- The email of the user who created the secret.
The value attribute is write-only: the provider never reads it back from the platform and it is not surfaced in outputs. Terraform can still only detect a change to value by comparing against what it last applied, so protect the state file as described under State File Security below.
Import
Secrets can be imported using their name:
The actual secret value cannot be read back after import, so the imported state carries no value. Set value in your configuration to the secret's current value before the next apply. Because value changes force replacement, expect the first apply after import to recreate the secret; run it when no agent depends on it.
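The import flow as an added example (not from the provider's documentation). The secret name, resource label and variable are constructed.

```hcl
# Resource declared for a secret that already exists in Kubiya under the
# name "legacy-billing-api-key" (constructed name).
variable "billing_api_key" {
  type        = string
  sensitive   = true
  description = "Current value of the legacy billing API key, supplied out of band"
}

resource "kubiya_secret" "legacy_billing" {
  name        = "legacy-billing-api-key"
  description = "Billing API key created by hand before Terraform adoption"
  value       = var.billing_api_key
}

# Import uses the secret's name as the ID:
#   terraform import kubiya_secret.legacy_billing legacy-billing-api-key
```

After the import, terraform plan shows name and description as known and value as being set, because the platform never returns it. Since a value change replaces the secret, that first apply recreates it; feed the real current value through TF_VAR_billing_api_key beforehand so the recreated secret is identical to what agents expect.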
Best Practices
Security
- Never hardcode sensitive values directly in Terraform files
- Always pass secret values through Terraform variables marked sensitive = true
- Ensure Terraform state is encrypted and stored securely
- Implement regular secret rotation policies
Access Control
- Only grant secret access to agents that require it
- Use descriptive names that indicate the secret’s purpose and environment
- Monitor secret access through Kubiya audit logs
- Keep production and non-production secrets separate
Data Handling
- Use base64 encoding for binary or multi-line data such as certificates or keys, and indicate the encoding in the secret name or description
- Maintain secure backups of critical secrets outside of Terraform
- Consider secret versioning for rotation strategies
- Document secret dependencies clearly
Maintenance
- Implement automated secret rotation where possible
- Audit secret usage and access patterns regularly
- Clean up unused secrets to reduce the attack surface
- Version control secret configurations (but not values)
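Scheduled rotation, as an added example that goes beyond the list above (it is not the provider's code): the hashicorp/time and hashicorp/random providers generate the value and replace it on a fixed cadence, so no human ever handles it. The secret name is constructed.

```hcl
terraform {
  required_providers {
    time   = { source = "hashicorp/time" }
    random = { source = "hashicorp/random" }
  }
}

# Replaced (new id) on the first apply after 30 days have passed.
resource "time_rotating" "webhook" {
  rotation_days = 30
}

# A changed keeper replaces random_password, producing a fresh 64-character value.
resource "random_password" "webhook" {
  length  = 64
  special = false
  keepers = {
    rotation = time_rotating.webhook.id
  }
}

# A new value forces replacement of the secret.
resource "kubiya_secret" "webhook_shared_secret" {
  name        = "prod-webhook-shared-secret" # constructed name
  description = "HMAC secret for verifying inbound webhooks; rotated every 30 days by Terraform"
  value       = random_password.webhook.result
}
```

Three caveats. Rotation only happens when terraform apply runs after the rotation time, so schedule an apply pipeline. The generated value lives in state (marked sensitive), so this pattern is only as safe as the state backend. Replacement is destroy-then-create because names are unique, so consumers must tolerate a short gap; for signing keys, keep a separate "previous" secret so verifiers accept both during cutover.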
Security Considerations
Important Security Notes:
- Secret values are encrypted at rest in the Kubiya platform
- Secrets are only accessible to authorized agents during execution
- Always use Terraform’s sensitive variable feature
- Never commit actual secret values to version control
State File Security:
- Terraform state files may contain sensitive information
- Use encrypted remote state backends (S3 with KMS, Azure Storage with encryption)
- Restrict access to state files to authorized personnel only
- Consider using Terraform Cloud or similar services for enhanced security
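An encrypted remote backend for the State File Security points above, added as an example rather than taken from the page: S3 with server-side KMS encryption and a lock table. Bucket, table and key ARN are constructed placeholders.

```hcl
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"       # constructed
    key            = "kubiya/prod/secrets.tfstate"
    region         = "us-east-1"
    encrypt        = true                        # server-side encryption on every state write
    kms_key_id     = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" # constructed
    dynamodb_table = "example-org-tfstate-lock"  # constructed; prevents concurrent writes
  }
}
```

Restrict kms:Decrypt on that key and s3:GetObject on the bucket to the CI role and the on-call engineers who actually run Terraform; everyone else should be denied. To see exactly which kubiya_secret attributes your provider version persists, run terraform state pull and inspect the attributes of the kubiya_secret resources in the JSON it returns; anyone able to run that command can read whatever it contains.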
Common Patterns
Standard pattern for API integrations:
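The pattern as an added example (not the provider's documentation): one sensitive map of keys, one secret per integration, one agent that receives all of them. Variable and secret names are constructed; kubiya_agent arguments beyond name and secrets are assumptions.

```hcl
variable "environment" {
  type    = string
  default = "prod"
}

# Non-sensitive list of integration names. This list, not the sensitive map,
# drives for_each: Terraform refuses sensitive values as for_each keys.
variable "api_integrations" {
  type    = list(string)
  default = ["github", "pagerduty", "datadog"]
}

# Sensitive map integration -> API key, e.g.
#   export TF_VAR_api_keys='{"github":"<token>","pagerduty":"<token>","datadog":"<token>"}'
variable "api_keys" {
  type      = map(string)
  sensitive = true
}

resource "kubiya_secret" "api" {
  for_each = toset(var.api_integrations)

  name        = "${var.environment}-${each.key}-api-key"
  description = "${each.key} API key used by the ${var.environment} integrations agent"
  value       = var.api_keys[each.key] # plan fails with an invalid-index error if a key is missing
}

# name and secrets are the only kubiya_agent arguments assumed here.
resource "kubiya_agent" "integrations" {
  name    = "${var.environment}-integrations-agent"
  secrets = [for s in kubiya_secret.api : s.name]
}
```

Keeping the environment in the name gives separate prod and staging secrets from the same code, and the agent's secrets list is derived from the resources, so adding an integration is one entry in api_integrations plus its key.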
Compatibility
Requirements:
- Kubiya Terraform Provider version >= 1.0.0
- Terraform >= 1.0
- Secret values are write-only and cannot be read back after creation
- Secrets must exist before agents can reference them
Troubleshooting
Secret Access Issues
- Verify the secret name exactly matches what’s configured in the agent
- Check that the agent has the secret listed in its secrets array
- Ensure the secret exists before the agent tries to use it
- Review agent logs for secret-related error messages
Import and Update Issues
- Remember that secret values cannot be read back after creation
- When importing, set the correct value in your configuration yourself; Terraform cannot fill it in
- Changes to secret values replace the secret. Because names must be unique, create_before_destroy is not an option, so the secret is briefly absent during replacement; apply value changes when no agent run depends on it
- Test secret updates in non-production environments first
State File Security
- Ensure your Terraform state backend is properly encrypted
- Use remote state with access controls
- Regularly audit who has access to Terraform state
- Consider using Terraform Cloud for enhanced state security