Calendar Favorite 1 Streamline Icon:  Mark Your Calendars: The next VSecM Contributor Sync will be on... Thursday, 2024-07-25 at 8:00am Pacific time.
Rating Star 1 Streamline Icon:  Star VMware Secrets Manager to show your support. Help us reach out to even more people with this amazing tech.

Retrieving Secrets Via VSecM SDK

Link Situation Analysis

If you are the creator of an app, and you have access to its source code, it would be beneficial to retrieve the secrets the app needs whenever it needs them through the VSecM SDK.

Fetching secrets using VSecM SDK will also enable you to…

  • Rotate the app’s secrets without needing to restart or evict the app.
  • Get meta-information about the secrets that are otherwise inaccessible.

Link High-Level Diagram

Open the images in a new tab to see the full-size versions:

High-Level Diagram

High-Level Diagram

Link Implementation

We’ll define the ClusterSPIFFEID and “SPIRE Agent Socket” for our workload, similar to the Mounting Secrets as Volumes use case.

Link Prepare Kubernetes Manifests

Here’s the ClusterSPIFFEID:

kind: ClusterSPIFFEID
  name: example
  spiffeIDTemplate: "spiffe://\
    /ns/{{ .PodMeta.Namespace }}\
    /sa/{{ .PodSpec.ServiceAccountName }}\
    /n/{{ .PodMeta.Name }}"
      app: example-app
    - "k8s:ns:example-apps"
    - "k8s:sa:example-sa"

Here’s our deployment manifest:

apiVersion: apps/v1
kind: Deployment
  name: example
  namespace: example-apps
    app: example
  replicas: 1
      app: example-app
        app: example-app
      serviceAccountName: example-sa
      - name: example-container
        image: example-app:0.1.0
        - name: spire-agent-socket
          mountPath: /spire-agent-socket
          readOnly: true
          value: "/opt/app/credentials/secrets.json"
          value: "unix:///spire-agent-socket/spire-agent.sock"
      - name: spire-agent-socket
          driver: ""
          readOnly: true
      - name: credentials-volume
          medium: Memory

Link Application Code

Since we have access to source code, our application can directly fetch its secrets as follows:

package main

import (
	"" // <- SDK

func main() {
	d, err := sentry.Fetch()

	if err != nil {
		fmt.Println("Failed to read the secrets file. Try again.")

	if d.Data == "" {
		fmt.Println("no secret yet... Check again later.")

		"secret: updated: %s, created: %s, value: %s\n",
		d.Updated, d.Created, d.Data,

Want an SDK in Your Favorite Language?

VMware Secrets Manager only has an official Go SDK at this time. If you have application code in another language, you can contribute to the following SDK initiatives:

Link The Benefit of Using VSecM SDK

VSecM SDK gives direct control of VSecM Safe to your workload.

The advantage of this approach is: you are in charge. The downside of it is: Well, you are in charge 🙂.

But, jokes aside, your application will have to be more tightly bound to VMware Secrets Manager without a sidecar.

However, when you use a sidecar, your application does not have any idea of VMware Secrets Manager’s existence. From its perspective, it is merely reading from a file that something magically updates every once in a while. This “separation of concerns” can make your application architecture more adaptable to changes.

As in anything, there is no one true way to do it. Your approach will depend on your project’s requirements.

Link Conclusion

Integrating VSecM Go SDK into application development workflows offers a robust and dynamic approach to handling secrets management. By leveraging the capabilities of VSecM SDK, developers can ensure that their applications have secure and efficient access to necessary secrets, facilitating smoother operations and bolstering security.

The ability to rotate secrets without impacting the application’s availability and access meta-information about the secrets are critical benefits that can significantly enhance the security posture of any application.

The VSecM SDK, while currently officially supporting only Go, highlights a significant moment of growth and opportunity within the developer community. This moment isn’t a limitation but a clarion call to action.

Such collaboration not only diversifies the toolkit available to developers but also strengthens the bonds within the community, fostering an environment where innovation thrives on the principles of security and efficiency.

By contributing to the development of the VSecM SDK in various programming languages, you are not merely coding; you are pioneering a movement towards a more secure, efficient, and community-driven approach in application development.

Link List of Use Cases in This Section

edit this page ✏️