
CredentialSource

CredentialSource defines where and how credentials are obtained for workloads. It supports a wide range of credential types including Kubernetes secrets, cloud IAM federation (AWS, GCP, Azure), HashiCorp Vault, JWT minting, OAuth2 flows, and OCI.

  • API Group: core.riptides.io
  • Version: v1alpha1
  • Kind: CredentialSource
  • Plural: credentialsources

Exactly one credential type must be specified in the spec. The following sections describe each supported type.


Kubernetes Secret (spec.kubernetes)

Retrieves a credential from a Kubernetes Secret.

Field | Type | Required | Description
type | string | Yes | Credential type. Valid options: BearerToken.
secretRef.name | string | Yes | Name of the Kubernetes Secret.
secretRef.key | string | Yes | Key within the Secret that contains the credential value.

AWS (spec.aws)

Obtains temporary AWS credentials via OIDC federation (STS AssumeRoleWithWebIdentity): Riptides mints an OIDC ID token for the workload and exchanges it with STS for short-lived credentials for the role.

Field | Type | Required | Description
roleArn | string | Yes | The ARN of the IAM role to assume (e.g., arn:aws:iam::123456789012:role/my-role). The role's trust policy must allow sts:AssumeRoleWithWebIdentity from the OIDC provider.
audience | array of string | No | Audiences for the OIDC token presented to AWS STS. If the trust policy conditions on the provider's aud claim, the value here must match it.
lifetime | string | No | Requested session duration (e.g., 3600s).
idTokenLifetime | string | No | Lifetime of the intermediate OIDC ID token (e.g., 300s).
idTokenClaims | object | No | Additional claims to include in the OIDC ID token.

GCP (spec.gcp)

Obtains GCP credentials via Workload Identity Federation.

Field | Type | Required | Description
oidcProviderId | string | Yes | Full resource name of the GCP Workload Identity Pool provider.
serviceAccount | string | No | GCP service account email to impersonate. If omitted, the federated identity is used directly.
scopes | array of string | No | OAuth2 scopes to request (e.g., https://www.googleapis.com/auth/cloud-platform).
lifetime | string | No | Requested token lifetime (e.g., 3600s).
audience | array of string | No | Audiences for the OIDC token. Must be among the audiences the Workload Identity Pool provider accepts.
idTokenLifetime | string | No | Lifetime of the intermediate OIDC ID token.
idTokenClaims | object | No | Additional claims to include in the OIDC ID token.

Azure

Obtains Azure AD credentials via federated identity.

Field | Type | Required | Description
clientId | string | Yes | Azure AD application (client) ID.
tenantId | string | Yes | Azure AD tenant ID.
scope | string | Yes | The scope to request (e.g., https://management.azure.com/.default).
audience | array of string | No | Audiences for the OIDC token. Must match the audience of the federated identity credential configured on the application registration.
idTokenLifetime | string | No | Lifetime of the intermediate OIDC ID token.
idTokenClaims | object | No | Additional claims to include in the OIDC ID token.

HashiCorp Vault (spec.vault)

Retrieves credentials from HashiCorp Vault. Riptides authenticates to Vault with a JWT via the JWT auth method and then reads from the specified secrets engine path.

Field | Type | Required | Description
address | string | Yes | Vault server URL (e.g., https://vault.example.com).
role | string | Yes | Vault auth role name.
path | string | Yes | Vault secrets engine path to read from (e.g., secret/data/myapp).
jwtAuthMethodPath | string | No | Path at which the JWT auth method is mounted in Vault (e.g., jwt_prod). If omitted, the default JWT auth path is used.
audience | array of string | No | Audiences for the JWT presented to Vault. Must be among the bound_audiences of the Vault JWT auth role.
pollInterval | string | No | How often to refresh the credential from Vault (e.g., 60s).
idTokenLifetime | string | No | Lifetime of the JWT used for Vault authentication.
idTokenClaims | object | No | Additional claims in the JWT used for Vault authentication.
type | object | No | Specifies how to interpret the secret returned by Vault. See below.

Vault credential type (spec.vault.type)

Defines the format of the credential returned by Vault and how Riptides should process it. Exactly one sub-field may be set:

  • token — The Vault response contains a token or API key.
    • source (string, required) — The key in the Vault response JSON that contains the token value (e.g., api_key).
  • aws — The Vault response contains AWS credentials (from the AWS secrets engine). No additional configuration needed.
  • gcp — The Vault response contains GCP credentials. One of:
    • accessToken — Treat the response as a GCP access token. No additional fields.
    • serviceAccountKey — Treat the response as a GCP service account key.
      • scopes (array of string) — OAuth2 scopes to request when minting an access token from the key.
  • azure — The Vault response contains Azure credentials.
    • tenantId (string, required) — Azure AD tenant ID.
    • scopes (array of string) — Scopes for minting the access token.

JWT (spec.jwt)

Mints a JWT credential using the workload's SPIFFE identity. Useful for service-to-service authentication where the consumer expects a JWT.

Field | Type | Required | Description
audience | array of string | Yes | Audiences to include in the JWT aud claim.
lifetime | string | No | Token lifetime (e.g., 60s).
claims | object | No | Additional custom claims to include in the JWT payload.
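The following is an added illustration, not Riptides code, of what the three spec.jwt fields become in the minted token and what the receiving service has to check before trusting it. It builds a JWT from a spec shaped like the my-jwt-svid example below and then verifies it. Everything about the issuer is a stand-in: the signing key is an HS256 secret constructed here (the page does not describe Riptides' keys or algorithm), and the workload's SPIFFE ID is assumed to become the sub claim as in a JWT-SVID.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _seconds(duration: str) -> int:
    # Assumption: only the "<seconds>s" form used in this page's examples.
    if not duration.endswith("s"):
        raise ValueError(f"unsupported duration {duration!r}")
    return int(duration[:-1])


def mint(spec_jwt: dict[str, Any], spiffe_id: str, key: bytes, now: Optional[int] = None) -> str:
    """Mint a JWT as spec.jwt describes: aud from `audience`, exp from `lifetime`,
    extra payload claims from `claims`. HS256 with a shared key stands in for the
    issuer's real signing key; the SPIFFE ID is assumed to become `sub`."""
    now = int(time.time()) if now is None else now
    payload = dict(spec_jwt.get("claims") or {})   # custom claims first ...
    payload.update({                                # ... so reserved claims win (assumption)
        "sub": spiffe_id,
        "aud": list(spec_jwt["audience"]),
        "iat": now,
        "exp": now + _seconds(spec_jwt.get("lifetime", "60s")),
    })
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, key: bytes, expected_aud: str, now: Optional[int] = None) -> dict[str, Any]:
    """What the consumer must do: pin the algorithm, check the signature, reject
    expired tokens, and reject tokens that were not minted for this audience."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        raise ValueError(f"token not intended for {expected_aud}")
    return claims


# Constructed inputs for this example: the fields of the page's my-jwt-svid spec,
# a sample SPIFFE ID, a throwaway key and a fixed clock.
SPEC_JWT = {"audience": ["https://api.example.com"], "lifetime": "60s", "claims": {"custom": "value"}}
WORKLOAD = "spiffe://example.org/ns/default/sa/my-workload"
KEY = b"example-only-shared-key-not-for-production"
T0 = 1_700_000_000


def demo() -> dict[str, Any]:
    """Mint once, accept the good case, and show the three rejections a consumer must make."""
    token = mint(SPEC_JWT, WORKLOAD, KEY, now=T0)
    accepted = verify(token, KEY, "https://api.example.com", now=T0 + 30)
    rejected: dict[str, str] = {}
    for label, args in {
        "wrong audience": (token, KEY, "https://other.example.com", T0 + 30),
        "expired": (token, KEY, "https://api.example.com", T0 + 60),
        "wrong key": (token, b"another-key", "https://api.example.com", T0 + 30),
    }.items():
        try:
            verify(*args)
        except ValueError as exc:
            rejected[label] = str(exc)
    return {"claims": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one most often skipped: a token minted for https://api.example.com is still validly signed when replayed at another service, and only the aud comparison stops that, which is why `audience` is the single required field of this type.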

OAuth2 Client Credentials

Obtains an access token using the OAuth2 Client Credentials grant.

Field | Type | Required | Description
tokenEndpointUrl | string | Yes | Token endpoint URL of the authorization server.
secretRef.name | string | Yes | Kubernetes Secret containing the client credentials.
secretRef.key | string | Yes | Key within the Secret.
scopes | array of string | No | OAuth2 scopes to request.
authStyle | string | No | How to send the client credentials. Valid options: HEADER (HTTP Basic authentication in the Authorization header), BODY (form parameters in the token request body).
additionalParams | map of string | No | Additional parameters to include in the token request.

OAuth2 Authorization Code

Obtains an access token using the OAuth2 Authorization Code grant.

Field | Type | Required | Description
authorizationEndpointUrl | string | Yes | Authorization endpoint URL.
tokenEndpointUrl | string | Yes | Token endpoint URL.
secretRef.name | string | Yes | Kubernetes Secret containing the client credentials.
secretRef.key | string | Yes | Key within the Secret.
scopes | array of string | No | OAuth2 scopes to request.
usePkce | boolean | No | Enable PKCE (Proof Key for Code Exchange), which binds the code exchange to the client that started the flow.
authStyle | string | No | How to send the client credentials. Valid options: HEADER (HTTP Basic authentication in the Authorization header), BODY (form parameters in the token request body).
additionalParams | map of string | No | Additional parameters for the token request.

OCI

Obtains credentials from Oracle Cloud Infrastructure (OCI) Identity Domains.

Field | Type | Required | Description
region | string | Yes | OCI region (e.g., us-ashburn-1).
clientId | string | Yes | OIDC client ID.
clientSecret | string | Yes | OIDC client secret. Unlike the OAuth2 types, this value is set directly in the spec rather than referenced from a Kubernetes Secret, so access to CredentialSource objects should be restricted accordingly.
identityDomainUrl | string | Yes | OCI Identity Domain URL.
tenancyOcid | string | Yes | OCI tenancy OCID.
idTokenLifetime | string | No | Lifetime of the intermediate OIDC ID token.
idTokenClaims | object | No | Additional claims in the OIDC ID token.
Status

Field | Type | Description
state | string | Current state of the credential source. Valid values: AVAILABLE, UNAVAILABLE.
message | string | Human-readable message providing additional detail about the current state.
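The rules above (one credential type per spec, the required fields of each type, the enumerated values, and the exactly-one rule for spec.vault.type) are easy to get wrong in a manifest and only surface as an UNAVAILABLE status after apply. The validator below is an added example, not part of the Riptides project, that checks them offline against a manifest loaded as a Python dict (for example from yaml.safe_load). It covers only the spec keys the page's own examples confirm (kubernetes, aws, gcp, jwt, vault); the Azure, OAuth2 and OCI types are documented above but their spec key names are not shown, so the validator reports them as unknown rather than guessing. The duration pattern and the ARN pattern are assumptions based on the forms used in the page's examples.

```python
import re
from typing import Any

# Required and optional fields per credential type, as listed on this page.
SPEC_FIELDS: dict[str, tuple[set[str], set[str]]] = {
    "kubernetes": ({"type", "secretRef"}, set()),
    "aws": ({"roleArn"}, {"audience", "lifetime", "idTokenLifetime", "idTokenClaims"}),
    "gcp": ({"oidcProviderId"}, {"serviceAccount", "scopes", "lifetime", "audience",
                                 "idTokenLifetime", "idTokenClaims"}),
    "jwt": ({"audience"}, {"lifetime", "claims"}),
    "vault": ({"address", "role", "path"}, {"jwtAuthMethodPath", "audience", "pollInterval",
                                            "idTokenLifetime", "idTokenClaims", "type"}),
}
DURATION_FIELDS = {"lifetime", "idTokenLifetime", "pollInterval"}
DURATION_RE = re.compile(r"^[1-9][0-9]*s$")     # assumption: the "3600s" form from the examples
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::[0-9]{12}:role/.+$")  # assumption: commercial partition
VAULT_TYPES = {"token", "aws", "gcp", "azure"}


def validate(manifest: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the manifest passes these checks."""
    problems: list[str] = []
    if manifest.get("apiVersion") != "core.riptides.io/v1alpha1":
        problems.append("apiVersion must be core.riptides.io/v1alpha1")
    if manifest.get("kind") != "CredentialSource":
        problems.append("kind must be CredentialSource")
    spec = manifest.get("spec") or {}
    chosen = sorted(k for k in spec if k in SPEC_FIELDS)
    unknown = sorted(k for k in spec if k not in SPEC_FIELDS)
    if unknown:
        problems.append(f"spec keys not covered by this validator: {unknown}")
    if len(chosen) != 1:                       # the page's "exactly one credential type" rule
        problems.append(f"exactly one credential type is required, found {chosen}")
        return problems
    kind = chosen[0]
    body = spec[kind] or {}
    required, optional = SPEC_FIELDS[kind]
    present = set(body)
    for f in sorted(required - present):
        problems.append(f"spec.{kind}.{f} is required")
    for f in sorted(present - required - optional):
        problems.append(f"spec.{kind}.{f} is not a documented field")
    for f in sorted(DURATION_FIELDS & present):
        if not isinstance(body[f], str) or not DURATION_RE.match(body[f]):
            problems.append(f"spec.{kind}.{f} must be a duration such as 3600s, got {body[f]!r}")
    if kind == "kubernetes":
        if body.get("type") != "BearerToken":
            problems.append("spec.kubernetes.type must be BearerToken")
        ref = body.get("secretRef") or {}
        for f in ("name", "key"):
            if not ref.get(f):
                problems.append(f"spec.kubernetes.secretRef.{f} is required")
    elif kind == "aws":
        if not ROLE_ARN_RE.match(str(body.get("roleArn", ""))):
            problems.append("spec.aws.roleArn must be an IAM role ARN")
    elif kind == "jwt":
        aud = body.get("audience")
        if not isinstance(aud, list) or not aud:
            problems.append("spec.jwt.audience must be a non-empty list of audiences")
    elif kind == "vault" and "type" in body:   # spec.vault.type: exactly one sub-field
        vtype = body["type"] or {}
        set_types = sorted(k for k in vtype if k in VAULT_TYPES)
        if len(set_types) != 1:
            problems.append(f"spec.vault.type must set exactly one of {sorted(VAULT_TYPES)}, found {set_types}")
        if "token" in vtype and not (vtype["token"] or {}).get("source"):
            problems.append("spec.vault.type.token.source is required")
        if "azure" in vtype and not (vtype["azure"] or {}).get("tenantId"):
            problems.append("spec.vault.type.azure.tenantId is required")
    return problems


# Constructed sample manifests: the page's Vault example, then two broken ones.
_META = {"apiVersion": "core.riptides.io/v1alpha1", "kind": "CredentialSource",
         "metadata": {"name": "sample", "namespace": "riptides-system"}}
VAULT_OK = {**_META, "spec": {"vault": {
    "address": "https://vault.example.com", "role": "my-api-keys", "path": "secret/creds/my-role",
    "jwtAuthMethodPath": "jwt_prod", "audience": ["vault.example.com"],
    "type": {"token": {"source": "api_key"}}}}}
TWO_TYPES = {**_META, "spec": {"aws": {"roleArn": "arn:aws:iam::123456789012:role/r"},
                               "jwt": {"audience": ["https://api.example.com"]}}}
BAD_AWS = {**_META, "spec": {"aws": {"roleArn": "my-role", "lifetime": "1h"}}}

if __name__ == "__main__":
    for name, manifest in (("vault", VAULT_OK), ("two types", TWO_TYPES), ("bad aws", BAD_AWS)):
        print(name, "->", validate(manifest) or "ok")
```

Running it flags TWO_TYPES for violating the one-type rule and BAD_AWS for both the malformed roleArn and the duration format, while the page's Vault example passes.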
Examples

Bearer token from a Kubernetes Secret:

apiVersion: core.riptides.io/v1alpha1
kind: CredentialSource
metadata:
  name: my-api-bearer
  namespace: riptides-system
spec:
  kubernetes:
    type: BearerToken
    secretRef:
      name: my-api-key
      key: token

AWS role via OIDC federation:

apiVersion: core.riptides.io/v1alpha1
kind: CredentialSource
metadata:
  name: aws-cred-source
  namespace: riptides-system
spec:
  aws:
    roleArn: arn:aws:iam::123456789012:role/my-workload-role

GCP Workload Identity Federation with service account impersonation:

apiVersion: core.riptides.io/v1alpha1
kind: CredentialSource
metadata:
  name: gcp-cred-source
  namespace: riptides-system
spec:
  gcp:
    oidcProviderId: //iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/my-pool/providers/my-provider
    serviceAccount: my-service@my-project.iam.gserviceaccount.com
    scopes:
      - https://www.googleapis.com/auth/cloud-platform
    lifetime: 3600s

JWT minted from the workload's SPIFFE identity:

apiVersion: core.riptides.io/v1alpha1
kind: CredentialSource
metadata:
  name: my-jwt-svid
  namespace: riptides-system
spec:
  jwt:
    audience:
      - https://api.example.com
    claims:
      custom: value
    lifetime: 60s

API key read from HashiCorp Vault via the JWT auth method:

apiVersion: core.riptides.io/v1alpha1
kind: CredentialSource
metadata:
  name: vault-api-keys
  namespace: riptides-system
spec:
  vault:
    address: https://vault.example.com
    role: my-api-keys
    path: secret/creds/my-role
    jwtAuthMethodPath: jwt_prod
    audience:
      - vault.example.com
    type:
      token:
        source: api_key