1. Overview
This article describes all supported methods for application-to-application credential delivery, rotation, and lifecycle management. These capabilities are natively embedded into the Segura platform and require no additional licensing.
| Capability | Method | Supported |
|---|---|---|
| Config file injection | Agentless (SSH/WinRM) or agent-based | Yes |
| Kubernetes secrets | Native K8s API, CSI Driver, Sidecar, ESO | Yes |
| API credential fetch | REST API, OAuth2, mTLS, JWT-SVID, cloud WI | Yes |
| Agent-based AAPM | Lightweight cross-platform agent, local HTTP/CLI | Yes |
| SDK & CLI | 8 languages + CLI tool | Yes |
| CI/CD integration | 8 platforms, OIDC federation | Yes |
| GitOps | Argo CD, Flux, External Secrets Operator | Yes |
| Workload identity | SPIFFE/SPIRE, AWS IRSA, Azure MI, GCP WI | Yes |
| AI Agent / NHI | RPA bots, serverless, microservices + UEBA | Yes |
| SIEM/SOAR | Syslog, webhooks, REST, native connectors | Yes |
2. Injection into Configuration Files
Segura automatically injects and updates secrets into configuration files across diverse environments, eliminating hardcoded credentials.
Supported File Formats
| Format | Extension | Notes |
|---|---|---|
| YAML | .yaml / .yml | Full nested key support |
| JSON | .json | Nested paths supported |
| XML | .xml | XPath-based token replacement |
| ENV / dotenv | .env | KEY=VALUE format |
| INI | .ini | Section-aware |
| Properties | .properties | Java standard |
| Custom templates | Any | Token-based placeholders: {{SECRET_NAME}} |
Injection Triggers
- Credential rotation event
- Scheduled interval
- On-demand API call
- Deployment hook (pre/post deploy)
- Webhook from external system
Delivery Modes
- Agentless via SSH (Linux/Unix) or WinRM (Windows) — no endpoint agent required
- Agent-based — for air-gapped, OT, or restricted environments
Additional Features
- Automatic rollback on injection failure
- JIT injection — secrets are never stored in code repositories
- Version control and atomic updates for configuration integrity
- Flexible templates with variable mapping, transformation rules, and conditional logic
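The token-based template injection and atomic update described above, as an added example (not Segura's own injector): it renders `{{SECRET_NAME}}` placeholders, refuses to emit a partially rendered file when a placeholder has no value, and writes through a temp file plus rename so a failed injection leaves the previous configuration untouched. The placeholder regex, the 0600 file mode and the path-like secret names are this example's assumptions.

```python
import os
import re
import tempfile
from typing import Dict

# Placeholder syntax from the "Custom templates" row: {{SECRET_NAME}}; path-like names such as
# db/prod/password are accepted so one template can reference the vault's secret paths (assumption)
TOKEN_RE = re.compile(r"\{\{\s*([A-Za-z0-9_./-]+)\s*\}\}")

def render_template(template: str, secrets: Dict[str, str]) -> str:
    """Replace every placeholder; refuse to produce a half-rendered file if any is unresolved."""
    wanted = {m.group(1) for m in TOKEN_RE.finditer(template)}
    missing = sorted(wanted - set(secrets))
    if missing:
        raise KeyError(f"unresolved placeholders: {missing}")
    return TOKEN_RE.sub(lambda m: secrets[m.group(1)], template)

def inject_config(template_path: str, target_path: str, secrets: Dict[str, str]) -> str:
    """Atomic update: render into a temp file in the target's directory, fsync, then rename over
    the target. If anything fails the previous file is still in place, which is the rollback."""
    with open(template_path, "r", encoding="utf-8") as fh:
        rendered = render_template(fh.read(), secrets)   # validated before touching the target
    target_dir = os.path.dirname(os.path.abspath(target_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".inject-", dir=target_dir)   # created owner-only (0600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(rendered)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp_path, target_path)   # atomic rename on POSIX and Windows
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)   # never leave a rendered secret file behind
        raise
    return rendered
```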
API Reference
POST /api/v2/injection/config-file
3. Kubernetes Secrets Injection
Segura supports four delivery patterns for Kubernetes secret management, covering cloud-native, GitOps, and hybrid environments.
Delivery Pattern 1 — Native Kubernetes Secrets API
- Supports Opaque, TLS, Docker Config, ConfigMaps, and environment variables
- Multi-cluster and multi-namespace support
- Policy-driven pod restart on secret rotation
- RBAC and namespace policy enforcement
Delivery Pattern 2 — Secrets Store CSI Driver
- Memory-backed tmpfs volume mounting
- SecretProviderClass resource for declarative configuration
- JWT-based workload authentication
- Zero-downtime rotations where possible
Delivery Pattern 3 — Sidecar Injection
- Init container and sidecar patterns for secret delivery at pod startup
- Compatible with GKE, EKS, AKS, and OpenShift
Delivery Pattern 4 — External Secrets Operator (ESO)
- GitOps-compatible ExternalSecret and ClusterExternalSecret resources
- Synced from Segura vault to Kubernetes Secrets
- Argo CD and Flux integration
- ClusterSecretStore for multi-cluster secret federation
Authentication Methods
| Method | Use Case |
|---|---|
| Kubernetes Service Account (JWT) | In-cluster workload identity |
| mTLS client certificate | High-assurance environments |
| OAuth 2.0 client credentials | Standard service authentication |
| SPIFFE JWT-SVID | Zero-static-credentials workload identity |
| AWS IRSA | EKS workload identity |
| Azure Managed Identity | AKS workload identity |
| GCP Workload Identity | GKE workload identity |
API Reference
POST /api/v2/injection/k8s-secret
4. Vault API — Fetching Credentials On Demand
Applications retrieve secrets on demand via the Segura REST API. All requests are logged for real-time monitoring, risk analytics, and compliance.
Authentication Methods
| Method | Description |
|---|---|
| OAuth 1.0 | HMAC-signed token with IP allowlisting |
| OAuth 2.0 (client credentials) | Standard service-to-service flow |
| mTLS | Mutual TLS client certificate authentication |
| JWT-SVID (SPIFFE/SPIRE) | Zero-static-credentials workload identity |
| AWS IRSA | IAM Roles for Service Accounts — EKS native |
| Azure Managed Identity | AKS/Azure VM native identity |
| GCP Workload Identity | GKE native identity federation |
| API token + IP allowlist | Simple integration with network controls |
Dynamic Secrets
Dynamic secrets are ephemeral credentials generated on demand with an auto-revoke TTL, eliminating standing credentials.
- Database credentials (PostgreSQL, MySQL, MSSQL, Oracle)
- Cloud IAM roles (AWS, Azure, GCP)
- SSH certificates (signed, time-bound)
- API keys with scoped permissions
UEBA Integration
UEBA continuously monitors secret retrieval patterns. Anomalous access — such as unusual retrieval frequency, off-hours access, or access from unknown workloads — triggers SIEM alerts and optional automatic blocking.
API Reference
GET /api/v2/a2a/secrets/{id}
POST /api/v2/a2a/dynamic-secrets
5. Agent-Based AAPM
The Segura AAPM Agent is a lightweight agent for environments where direct vault connectivity is restricted — air-gapped networks, DMZs, OT environments, and isolated subnets.
Supported Platforms
| Platform | Notes |
|---|---|
| Windows (x64) | Service mode, WinRM compatible |
| Linux (x64, ARM) | Systemd service |
| macOS | LaunchDaemon |
| Containers (Docker, Kubernetes) | Sidecar or init container pattern |
| AIX | Legacy IBM environments |
| Solaris | Legacy Sun/Oracle environments |
Local Access Methods
- Local HTTP endpoint: http://localhost:8787/secret/{credential_id}
- CLI: segura-agent get-secret --id {credential_id}
- No network egress to vault required after agent registration
Key Features
- mTLS vault communication for secure agent-to-vault channel
- In-memory secret caching with configurable TTL
- Automatic rotation and renewal triggered by rotation events
- Offline/isolated mode with cryptographic integrity validation
- Event-driven rotation triggers: scheduled, on-demand, webhook
Example Usage
```bash
# Bash: --fail makes curl exit non-zero on an HTTP error instead of
# silently storing the error body as the "secret"
SECRET=$(curl -sf http://localhost:8787/secret/db_prod_password)
```

```powershell
# PowerShell: Invoke-RestMethod throws on a non-success status by default
$secret = Invoke-RestMethod -Uri "http://localhost:8787/secret/db_prod_password"
```
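A process-local client for the agent's local HTTP endpoint, as an added example (not the Segura SDK or agent code): it mirrors the agent's in-memory TTL caching, fails closed on HTTP errors, and exposes an invalidate hook for rotation events. It assumes the endpoint returns the secret as the plain response body, as the curl example implies; the TTL, the fetcher injection and the monotonic clock are this example's choices.

```python
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

AGENT_BASE = "http://localhost:8787/secret/"   # local endpoint from "Local Access Methods"

def fetch_from_agent(credential_id: str, timeout: float = 3.0) -> str:
    """Fetch one secret from the local AAPM agent. urlopen raises HTTPError on 4xx/5xx,
    so an error body can never be mistaken for a secret value."""
    with urllib.request.urlopen(AGENT_BASE + credential_id, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()

class SecretCache:
    """Process-local TTL cache; values live only in memory and are never written to disk."""

    def __init__(self, fetcher: Callable[[str], str] = fetch_from_agent,
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetcher, ttl_seconds, clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # credential_id -> (value, expiry)
        self.fetch_count = 0   # how often we actually went to the agent (useful in tests/metrics)

    def get(self, credential_id: str) -> str:
        entry = self._entries.get(credential_id)
        if entry and entry[1] > self._clock():
            return entry[0]                       # fresh cache hit
        value = self._fetch(credential_id)        # miss or expired: ask the agent
        self.fetch_count += 1
        self._entries[credential_id] = (value, self._clock() + self._ttl)
        return value

    def invalidate(self, credential_id: Optional[str] = None) -> None:
        """Drop one entry (e.g. when a rotation webhook fires) or the whole cache."""
        if credential_id is None:
            self._entries.clear()
        else:
            self._entries.pop(credential_id, None)
```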
6. SDK & CLI Support
Segura provides native SDKs for eight programming languages and a full-featured CLI tool, enabling integration with virtually any application or automation workflow.
Native SDKs
| Language | Package Manager | Package Name |
|---|---|---|
| Java | Maven / Gradle | io.segura:segura-sdk |
| .NET / C# | NuGet | Segura.SDK |
| Python | PyPI | segura-sdk |
| Go | go get | github.com/segura-security/segura-go |
| Node.js | npm | @segura/sdk |
| PHP | Composer | segura/sdk |
| Ruby | RubyGems | segura-sdk |
| Rust | crates.io | segura_sdk |
All SDKs support: vault client, dynamic secrets, rotation callbacks, and cloud workload identity (AWS IRSA, Azure Managed Identity, GCP Workload Identity).
CLI Tool (segura-cli)
| Command | Description |
|---|---|
| segura-cli exec | Inject secrets as environment variables before process execution |
| segura-cli inject | Inject secrets into a configuration file template |
| segura-cli rotate | Trigger on-demand rotation of a credential |
| segura-cli audit | Query audit log for secret access events |
7. CI/CD Pipeline Integration
Segura integrates natively with major CI/CD platforms, enabling secure secret injection throughout build and deployment cycles without exposing credentials in pipeline configuration.
| Platform | Integration Method | Authentication |
|---|---|---|
| GitHub Actions | Native action (segura-security/action) | OIDC federation (no static secrets) |
| GitLab CI | CI/CD variable injection | OIDC federation |
| Jenkins | Jenkins plugin | OAuth 2.0 / mTLS |
| Azure DevOps | Task extension | Azure Managed Identity / OAuth 2.0 |
| CircleCI | Orb (segura/secrets) | OAuth 2.0 |
| Bitbucket Pipelines | Pipe | OAuth 2.0 |
| Bamboo | Plugin | OAuth 2.0 / API token |
| Tekton | Task + ClusterTask | Kubernetes Service Account / SPIFFE |
GitHub Actions Example (OIDC Federation)
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest      # required by GitHub Actions; omitted in the original snippet
    permissions:
      id-token: write           # lets the job request an OIDC token; no static vault secret needed
    steps:
      - uses: segura-security/action@v2
        with:
          vault-url: https://segura.company.com
          secrets: |
            db/prod/password > DB_PASSWORD
            api/stripe/key > STRIPE_KEY
```
Policy Enforcement
- Block deployments with outdated or exposed secrets
- Dynamic provisioning and usage tracking of build-time secrets
- All pipeline secret access logged and auditable
8. GitOps Integration
Segura integrates with GitOps toolchains, enabling secret synchronization directly into Kubernetes clusters without storing secrets in Git repositories.
Argo CD
- Native Argo CD plugin for vault-backed secret injection
- Rotation-triggered sync — Argo CD re-syncs automatically when Segura rotates a secret
- Compatible with Application and ApplicationSet resources
Flux + External Secrets Operator
- Flux integration via External Secrets Operator (ESO)
- SecretStore and ClusterSecretStore resources for Segura vault backend
- ExternalSecret and ClusterExternalSecret for cross-namespace and multi-cluster federation
ExternalSecret Example
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  secretStoreRef:
    name: segura-vault
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: db/prod/password
```
9. Workload Identity & SPIFFE/SPIRE
Segura supports the SPIFFE (Secure Production Identity Framework for Everyone) standard, enabling zero-static-credentials workload identity for modern microservices architectures.
SPIFFE/SPIRE Support
- JWT-SVID — JSON Web Token SVID for API-based secret retrieval
- X.509-SVID — certificate-based identity for mTLS communication
- Zero-static-credentials pattern — workloads authenticate via identity, not stored secrets
- Compatible with Istio, Envoy, and Linkerd service meshes
Cloud Workload Identity Federation
| Provider | Mechanism | Environment |
|---|---|---|
| AWS | IAM Roles for Service Accounts (IRSA) | EKS, Lambda, EC2 |
| Azure | Managed Identity / Workload Identity | AKS, Azure Functions, VMs |
| GCP | Workload Identity Federation | GKE, Cloud Run, Cloud Functions |
10. AI Agent & NHI Support
Segura provides credential governance for non-human identities (NHI) — including AI agents, RPA bots, serverless functions, and microservices — with the same security controls applied to human privileged access.
Supported NHI Types
| NHI Type | Examples | Delivery Method |
|---|---|---|
| RPA bots | UiPath, Automation Anywhere, Blue Prism | API fetch or agent-based |
| AI agents | LLM-powered services, autonomous workflows | JIT API delivery |
| Serverless functions | AWS Lambda, Azure Functions, GCP Cloud Run | Cloud WI or API token |
| Microservices | Containerized services, Kubernetes workloads | SPIFFE/SPIRE or K8s SA |
| CI/CD runners | GitHub Actions, GitLab CI, Jenkins | OIDC federation |
Governance Features
- Scoped access — each NHI is granted only the secrets required for its task
- Ephemeral credentials — short-lived credentials auto-expire after use or TTL
- UEBA behavioral monitoring — baselines normal NHI access patterns and alerts on deviations
- Automated lifecycle management — provisioning, rotation, and revocation without manual intervention
- Full auditability — all NHI credential issuance, use, and revocation is logged with context
11. SIEM/SOAR Integration
All A2A secret access events are exported to SIEM and SOAR platforms for centralized monitoring, threat detection, and automated response.
Integration Methods
| Method | Details |
|---|---|
| Syslog (CEF/LEEF) | Splunk, QRadar, ArcSight, Elastic — standard format |
| Webhooks | HTTP POST to any endpoint on secret events |
| REST API | Pull-based event query via Segura API |
| Native connectors | Pre-built integrations for major SIEM platforms |
Automated SOAR Playbook Scenarios
- Anomaly detection — NHI or user retrieves secret outside normal pattern
- Access-outside-window — secret accessed outside approved time window
- NHI compromise — behavioral deviation triggers credential revocation and incident
- Excessive retrieval — secret queried above threshold, triggering investigation
- Unknown workload — unregistered identity attempts secret retrieval
Example Syslog Event
```
CEF:0|Segura|PAM|4.0|A2A_SECRET_ACCESS|Secret retrieved by NHI|5|src=10.0.1.45 suser=svc_rpa_bot dst=segura-vault cs1=db/prod/password cs1Label=SecretPath cs2=ANOMALY cs2Label=RiskLevel msg=Access outside baseline window
```
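Detection logic for the syslog event above and for three of the SOAR playbook scenarios (anomaly, unknown workload, excessive retrieval), as an added example that is not Segura's or any SIEM's own code: a small CEF parser that resolves the cs1Label/cs2Label pairs, then rules run over constructed sample lines. The sample events, the workload registry and the retrieval threshold are constructed for this example; escaped pipes in CEF headers are not handled.

```python
import re
from collections import Counter
from typing import Dict, List, Set

CEF_HEADER = re.compile(r"^CEF:(\d+)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(\d+)\|(.*)$")
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # values may contain spaces (see msg=)

def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict; csNLabel pairs become keys named by the label."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a CEF line")
    ev = dict(zip(["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"],
                  m.groups()[:7]))
    ext = dict(EXT_KV.findall(m.group(8)))
    for k, v in list(ext.items()):
        if k.endswith("Label") and k[:-5] in ext:   # cs1Label=SecretPath -> ev["SecretPath"]
            ext[v] = ext[k[:-5]]
    ev.update(ext)
    return ev

def detect(events: List[Dict[str, str]], known_workloads: Set[str], threshold: int = 3) -> List[str]:
    """SOAR-style triage over parsed events; returns one finding per triggered rule."""
    findings: List[str] = []
    per_pair: Counter = Counter()   # (identity, secret path) -> retrieval count
    for ev in events:
        if ev.get("sig_id") != "A2A_SECRET_ACCESS":
            continue
        who, what = ev.get("suser", "?"), ev.get("SecretPath", "?")
        if ev.get("RiskLevel") == "ANOMALY":         # vault's UEBA verdict, surfaced for SOAR
            findings.append(f"anomaly: {who} -> {what} ({ev.get('msg', '')})")
        if who not in known_workloads:                # unregistered identity touching a secret
            findings.append(f"unknown-workload: {who} -> {what}")
        per_pair[(who, what)] += 1
        if per_pair[(who, what)] == threshold + 1:   # fire once when the threshold is crossed
            findings.append(f"excessive-retrieval: {who} -> {what} exceeded {threshold}")
    return findings

# Constructed sample events in the page's CEF layout (one event per line, as syslog emits them)
_HDR = "CEF:0|Segura|PAM|4.0|A2A_SECRET_ACCESS|Secret retrieved by NHI|"
SAMPLE_LOG = [
    _HDR + "5|src=10.0.1.45 suser=svc_rpa_bot dst=segura-vault cs1=db/prod/password cs1Label=SecretPath cs2=ANOMALY cs2Label=RiskLevel msg=Access outside baseline window",
    _HDR + "3|src=10.0.2.9 suser=svc_ci_runner dst=segura-vault cs1=api/stripe/key cs1Label=SecretPath cs2=NORMAL cs2Label=RiskLevel msg=Access within baseline",
    _HDR + "3|src=10.0.3.7 suser=svc_unknown dst=segura-vault cs1=db/prod/password cs1Label=SecretPath cs2=NORMAL cs2Label=RiskLevel msg=Access within baseline",
]
```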
API Reference
GET /api/v2/a2a/events
POST /api/v2/a2a/webhooks