Credentials
The CredentialController and PlatformCredentialService manage cloud provider credentials and service account secrets used by the infrastructure service. Credentials are stored securely in the PlatformCredentialRepository and never exposed in API responses.
Credential Management
Register Credential
Endpoint: POST /api/v1/infrastructure/credentials
```bash
curl -X POST http://localhost:8089/api/v1/infrastructure/credentials \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "name": "azure-production",
    "provider": "AZURE",
    "credentialType": "SERVICE_PRINCIPAL",
    "description": "Azure production subscription credentials",
    "metadata": {
      "subscriptionId": "sub-12345",
      "tenantId": "aad-tenant-id"
    }
  }'
```
List Credentials
Endpoint: GET /api/v1/infrastructure/credentials
Returns credential metadata (name, provider, type, status) without exposing secret values.
Get Credential
Endpoint: GET /api/v1/infrastructure/credentials/:credentialId
Update Credential
Endpoint: PUT /api/v1/infrastructure/credentials/:credentialId
Delete Credential
Endpoint: DELETE /api/v1/infrastructure/credentials/:credentialId
Rotate Credential
Endpoint: POST /api/v1/infrastructure/credentials/:credentialId/rotate
Triggers credential rotation, generating new secrets and updating all dependent services.
Credential Types
| Type | Provider | Description |
|---|---|---|
| SERVICE_PRINCIPAL | Azure | Azure AD service principal with client ID/secret |
| MANAGED_IDENTITY | Azure | Azure managed identity (workload identity) |
| IAM_ROLE | AWS | AWS IAM role with assume role policy |
| ACCESS_KEY | AWS | AWS access key ID and secret |
| SERVICE_ACCOUNT | GCP | GCP service account key |
| WORKLOAD_IDENTITY | GCP | GCP workload identity federation |
| KUBECONFIG | Kubernetes | Kubernetes cluster credentials |
| DATABASE | Database | Database connection credentials |
PlatformCredential Entity
| Field | Type | Description |
|---|---|---|
| id | UUID | Credential identifier |
| name | String | Credential name |
| provider | String | Cloud provider |
| credentialType | String | Type of credential |
| description | String | Human-readable description |
| status | String | ACTIVE, ROTATING, EXPIRED, REVOKED |
| expiresAt | Instant | Credential expiration date |
| lastRotatedAt | Instant | Last rotation timestamp |
| metadata | JSON | Non-sensitive metadata |
Security
Credential secret values are:
- Stored encrypted in the database
- Never returned in API responses
- Accessed only by the infrastructure service internally
- Rotated on a configurable schedule
- Audited on every access
Credential secrets are stored as Kubernetes secrets and referenced via secretKeyRef in Helm values. They are never hardcoded in configuration files. The PlatformCredentialService retrieves credentials from Kubernetes secrets at runtime.
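The rules in this section and the rotation flow behind the Rotate Credential endpoint can be checked against a small model. The block below is an added example written for this page, not code from the PlatformCredentialService: it keeps the entity fields from the table above, adds an assumed `secret_value` attribute and an in-memory audit log standing in for the encrypted store and real audit sink, projects API responses through an allow-list so the secret can never leak, restricts secret reads to an assumed `infrastructure-service` principal, and walks a credential through ACTIVE, ROTATING and EXPIRED. The dependent-service callbacks and the 90-day default TTL are assumptions of the example.

```python
"""Model of the credential handling rules on this page (added example, not project code)."""
import json
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

# Fields the API may return (from the PlatformCredential entity table).
PUBLIC_FIELDS = ("id", "name", "provider", "credentialType", "description",
                 "status", "expiresAt", "lastRotatedAt", "metadata")
INTERNAL_CALLER = "infrastructure-service"  # assumed principal allowed to read secrets


@dataclass
class PlatformCredential:
    name: str
    provider: str
    credentialType: str
    description: str = ""
    metadata: Dict[str, Any] = field(default_factory=dict)
    status: str = "ACTIVE"
    id: str = field(default_factory=lambda: str(uuid.uuid4()))
    expiresAt: Optional[datetime] = None
    lastRotatedAt: Optional[datetime] = None
    # Assumed attribute: the secret itself. In the service it lives in an encrypted
    # column / Kubernetes secret; it is deliberately absent from PUBLIC_FIELDS.
    secret_value: str = field(default_factory=lambda: secrets.token_urlsafe(32), repr=False)


AUDIT_LOG: List[Dict[str, str]] = []  # stand-in for the real audit sink


def _audit(cred: PlatformCredential, caller: str, outcome: str) -> None:
    AUDIT_LOG.append({"credentialId": cred.id, "caller": caller, "outcome": outcome})


def to_api_response(cred: PlatformCredential) -> Dict[str, Any]:
    """Allow-list projection: only PUBLIC_FIELDS are copied, so new secret-bearing
    attributes can never slip into a response by default."""
    out: Dict[str, Any] = {}
    for name in PUBLIC_FIELDS:
        value = getattr(cred, name)
        out[name] = value.isoformat() if isinstance(value, datetime) else value
    return out


def response_leaks_secret(response: Dict[str, Any], cred: PlatformCredential) -> bool:
    """Regression check: the serialized response must not contain the secret anywhere."""
    return cred.secret_value in json.dumps(response)


def access_secret(cred: PlatformCredential, caller: str, now: Optional[datetime] = None) -> str:
    """Internal-only read: every attempt is audited, non-ACTIVE credentials are refused."""
    now = now or datetime.now(timezone.utc)
    if caller != INTERNAL_CALLER:
        _audit(cred, caller, "DENIED")
        raise PermissionError("secret values are readable only by the infrastructure service")
    if cred.expiresAt is not None and now >= cred.expiresAt:
        cred.status = "EXPIRED"
        _audit(cred, caller, "EXPIRED")
        raise RuntimeError("credential expired; rotate before use")
    if cred.status != "ACTIVE":
        _audit(cred, caller, "REJECTED_" + cred.status)
        raise RuntimeError("credential is not ACTIVE")
    _audit(cred, caller, "OK")
    return cred.secret_value


def rotate(cred: PlatformCredential, dependents: List[Callable[[str, str], None]],
           ttl_days: int = 90, now: Optional[datetime] = None) -> str:
    """ACTIVE -> ROTATING -> ACTIVE: mint a new secret, push it to every dependent
    service, then commit it. If any dependent update fails the old secret stays in
    place (design choice of this example), so nothing is left half-rotated."""
    now = now or datetime.now(timezone.utc)
    if cred.status == "REVOKED":
        raise RuntimeError("revoked credentials cannot be rotated")
    cred.status = "ROTATING"
    _audit(cred, INTERNAL_CALLER, "ROTATE_START")
    new_secret = secrets.token_urlsafe(32)
    try:
        for update in dependents:
            update(cred.id, new_secret)
    except Exception:
        cred.status = "ACTIVE"
        _audit(cred, INTERNAL_CALLER, "ROTATE_FAILED")
        raise
    cred.secret_value = new_secret
    cred.lastRotatedAt = now
    cred.expiresAt = now + timedelta(days=ttl_days)
    cred.status = "ACTIVE"
    _audit(cred, INTERNAL_CALLER, "ROTATE_DONE")
    return new_secret


def demo() -> Dict[str, Any]:
    """Run the lifecycle on the constructed 'azure-production' credential with a fixed clock."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cred = PlatformCredential(name="azure-production", provider="AZURE",
                              credentialType="SERVICE_PRINCIPAL",
                              metadata={"subscriptionId": "sub-12345", "tenantId": "aad-tenant-id"})
    resp = to_api_response(cred)
    old = access_secret(cred, INTERNAL_CALLER, now=t0)
    received: List[str] = []
    new = rotate(cred, [lambda _cid, s: received.append(s)], ttl_days=30, now=t0)
    try:
        access_secret(cred, INTERNAL_CALLER, now=t0 + timedelta(days=31))
        expired_read_refused = False
    except RuntimeError:
        expired_read_refused = True
    return {"response_keys": sorted(resp), "leaks": response_leaks_secret(resp, cred),
            "rotated": new != old and cred.secret_value == new, "pushed": received == [new],
            "ttl_ok": cred.expiresAt == cred.lastRotatedAt + timedelta(days=30),
            "expired_read_refused": expired_read_refused, "final_status": cred.status}


if __name__ == "__main__":
    print(demo())
```

The allow-list projection is the important design choice: a deny-list (`del response["secret_value"]`) silently starts leaking the day someone adds a second secret-bearing column, whereas an allow-list fails closed. The `response_leaks_secret` check is cheap enough to keep in the controller's test suite for every endpoint that serializes the entity.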