Pull Request Overview
This PR introduces the initial implementation of an Akeyless PAM (Privileged Access Management) Provider for Keyfactor, enabling retrieval of stored account credentials from Akeyless secrets.
Key Changes:
- Implements the `IPAMProvider` interface with support for access key authentication
- Adds support for three static secret types: `static_text`, `static_json`, and `static_kv`
- Includes comprehensive documentation, configuration examples, and test console application
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| docsource/overview.md | Provides high-level overview of the Akeyless PAM Provider functionality |
| docsource/akeyless.md | Contains detailed documentation including authentication methods, secret types, configuration examples, and architecture diagrams |
| akeyless-pam/manifest.json | Defines the extension configuration for integrating the PAM provider with Keyfactor Platform |
| akeyless-pam/Models/AkeylessConfiguration.cs | Implements configuration model with validation for connection parameters and secret retrieval settings |
| akeyless-pam/Constants.cs | Defines constants for default authentication methods and API URLs |
| akeyless-pam/AkeylessPam.cs | Core implementation of the PAM provider including authentication, secret retrieval, and parsing logic |
| TestConsole/Program.cs | Test application demonstrating usage of all supported secret types |
| TestConsole/Dockerfile | Docker container configuration for running the test console |
Pull Request Overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 10 comments.
Pull Request Overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
# Conflicts:
#	akeyless-pam/akeyless-pam.csproj
…ent abstraction
- Introduce IAkeylessApiClient interface and AkeylessApiClient adapter to decouple V2Api SDK from AkeylessPam, enabling unit testing via Moq
- Add internal constructor on AkeylessPam accepting a client factory
- Call Validator.TryValidateObject after building AkeylessConfiguration, making IValidatableObject.Validate() active in production code
- Fix AkeylessConfiguration.Validate() bug: StaticSecretFieldName was incorrectly required for static_json (optional per docs); now only required for static_kv
- Add InternalsVisibleTo for both test assemblies and DynamicProxyGenAssembly2
- Add AkeylessPam.Unit.Tests (27 tests, xUnit + Moq, 86% line coverage)
- Add AkeylessPam.Integration.Tests (15 tests, skip when credentials absent, DotEnvLoader reads .env for local dev)
- Fix docs/docsource: wrong TypeFullName (Pam → AkeylessPam), inaccurate secret type descriptions, broken sequence diagram text, grammar fixes
- Add CLAUDE.md and docsource/testing.md
…alise log levels
- Remove Value from ParseKvSecret debug log (was logging actual secret values)
- Replace malformed KV line content log with line index only
- Fix warning message that incorrectly said 'defaulting to implicit' when code actually defaults to access_key
- Fix GetAkeylessSecretAsync debug message that said 'fetch access token' instead of 'connecting to Akeyless'
- Add AccessId (not key) to auth success/failure log entries for audit trail
- Add structured success log after secret retrieval completes
- Remove emoji from all log messages
- Demote noisy Info logs to Debug: format detection, validation steps, config build steps, server config valid message
- Add URL and auth type to configuration debug log for traceability
- Add inline comments explaining intentional omissions of sensitive values
- Add net10.0 to TargetFrameworks alongside net8.0
- Add conditional Keyfactor.Logging reference for net10.0
- Update global.json SDK version to 10.0 (latestFeature rollforward)
- Update CI workflows to use .NET 10 SDK
- Fix integration-manifest.json schema URL and Url field description
- Add README.md to unit and integration test projects documenting all test cases with descriptions
- Remove TestConsole project and solution reference (replaced by the integration test suite)
- Add class-level XML doc comments to InvalidClientConfigurationException and InvalidSecretConfigurationException
- Replace ContainsKey+indexer with TryGetValue in ValidateRequiredParameter
- Fix 'a Akeyless' -> 'an Akeyless' in overview.md and README.md
- Fix 'Priviledged' -> 'Privileged' in README.md (x2)
- Fix 'Creates a' -> 'Creates an' in BuildAkeylessConfiguration XML doc
- Remove unused DefaultAuthMethodReadOnly from AkeylessConstants; update unit test to use DefaultAuthMethod
The Keyfactor Command UI can send a space character instead of an empty string for optional fields. Trim StaticSecretFieldName on assignment so whitespace-only values behave identically to empty (no field extraction).
- Replace temporary debug/print tests with proper assertions for the k8s-orchestrator secret (no secret values printed in output)
- Add note to docsource/docs that the Command portal may show StaticSecretFieldName as required; enter a space to return the full JSON blob
- akeyless-pam/manifest.json: fix TypeFullName to AkeylessPam (was Pam)
- integration-manifest.json: remove trailing comma from StaticSecretFieldName entry
- docsource/akeyless.md: add 'Granting an Auth Method Access to a Secret (CLI)' subsection with full akeyless CLI setup (create auth method, role, association, and access rule)
- Makefile: copy manifest.json into each net*/ build output dir after build and build-release targets
- .gitignore: ignore manifest.json copies produced in bin/ directories
- Log only instanceParameters key names (not values) at Trace level to prevent future credential-bearing keys from being auto-logged
- Remove ex.Message from ApiException re-throw — SDK error bodies may echo back auth request content including access_key; use HTTP status code only
- Remove Console.WriteLine calls in Debug_K8sOrchestratorSecret test that printed raw live secret values to stdout (visible in CI logs)
- Remove raw secret value from assertion failure message in integration test to prevent exposure in test runner output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Summary
This PR delivers the initial implementation of the Akeyless PAM Provider for Keyfactor Command and Universal Orchestrator.
What's included
Core provider (`akeyless-pam/`)
- `AkeylessPam.cs` — `IPAMProvider` implementation; entry point is `GetPassword()`, which authenticates to Akeyless and returns the requested secret value
- `AkeylessApiClient.cs` / `IAkeylessApiClient.cs` — thin wrapper around the `akeyless` NuGet SDK (`V2Api`) for authentication and secret retrieval
- `AkeylessConfiguration.cs` — configuration model with parameter key constants, validation attributes, and supported secret types
- `Constants.cs` — default values for auth type (`access_key`) and API URL (`https://api.akeyless.io`)
- `manifest.json` — Universal Orchestrator provider descriptor

Supported secret types
- `static_text`
- `static_kv` — `key=value` lines; extracts field named by `StaticSecretFieldName`
- `static_json` — `StaticSecretFieldName` optional (blank returns the full JSON value, per the commits above)

Tests
- Unit tests (`tests/AkeylessPam.Unit.Tests/`) — no external dependencies, always runnable
- Integration tests (`tests/AkeylessPam.Integration.Tests/`) — skip automatically when Akeyless credentials are absent
- Tests workflow (`tests.yml`) — runs unit and integration tests on push and PRs

Tooling & docs
- `Makefile` — common targets: `build`, `test`, `test-unit`, `test-integration`, `console`
- `README.md` — full installation and configuration guide
- `CHANGELOG.md` — v1.0.0 feature list
- `keyfactor-starter-workflow.yml` — updated to use the `dotnet10-support` branch for .NET 10 build support

Test plan
- `dotnet test tests/AkeylessPam.Unit.Tests/`
- `dotnet test tests/AkeylessPam.Integration.Tests/`
- `Tests` workflow passes on this PR
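The three static secret types listed above, together with the two behaviours the commit messages spell out (a whitespace-only `StaticSecretFieldName` from the Command UI means "no field extraction", and a malformed `key=value` line is logged by index only, never by content), as an added example. This is not the akeyless-pam project's own code: the class `StaticSecretParser`, its method names, and the sample secrets are assumptions constructed for illustration.

```csharp
// Added example, not part of akeyless-pam. Names and sample secrets are assumptions.
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class StaticSecretParser
{
    // The Command UI may send " " instead of "" for an optional field, so a
    // whitespace-only field name is normalised to null (= return the whole value).
    public static string? NormalizeFieldName(string? fieldName)
    {
        var trimmed = fieldName?.Trim();
        return string.IsNullOrEmpty(trimmed) ? null : trimmed;
    }

    // Dispatches on the secret type the way the PR description lists them:
    // static_text is returned as-is, static_json extracts a field only when one is
    // named, static_kv always needs a field name.
    public static string Extract(string secretType, string rawValue, string? fieldName, Action<string> debugLog)
    {
        var field = NormalizeFieldName(fieldName);
        switch (secretType)
        {
            case "static_text":
                return rawValue;
            case "static_json":
                return field is null ? rawValue : ExtractJsonField(rawValue, field);
            case "static_kv":
                if (field is null)
                    throw new ArgumentException("StaticSecretFieldName is required for static_kv");
                return ExtractKvField(rawValue, field, debugLog);
            default:
                throw new ArgumentException($"Unsupported secret type '{secretType}'");
        }
    }

    private static string ExtractJsonField(string json, string field)
    {
        using var doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty(field, out var prop))
            throw new KeyNotFoundException($"Field '{field}' not present in JSON secret");
        // Nested objects/arrays are handed back as raw JSON text; strings are unquoted.
        return prop.ValueKind == JsonValueKind.String ? prop.GetString()! : prop.GetRawText();
    }

    private static string ExtractKvField(string kv, string field, Action<string> debugLog)
    {
        var lines = kv.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            var line = lines[i].TrimEnd('\r');
            if (line.Length == 0) continue;

            // Split on the first '=' only: values such as base64 may contain '='.
            int eq = line.IndexOf('=');
            if (eq <= 0)
            {
                // Log the index, not the line: a malformed line may still be secret material.
                debugLog($"Skipping malformed KV line at index {i}");
                continue;
            }
            if (line.Substring(0, eq).Trim() == field)
                return line.Substring(eq + 1).Trim();
        }
        throw new KeyNotFoundException($"Field '{field}' not present in KV secret");
    }

    public static void Main()
    {
        // Constructed sample secrets for the demo; not real credentials.
        const string kv = "username=svc-account\npassword=p@ss=with=equals\nthis line is malformed\n";
        const string json = "{\"username\":\"svc-account\",\"password\":\"hunter2\"}";
        var log = new List<string>();

        string kvPassword = Extract("static_kv", kv, "password", log.Add);
        string jsonPassword = Extract("static_json", json, "password", log.Add);
        string wholeJson = Extract("static_json", json, " ", log.Add); // whitespace -> full blob
        string text = Extract("static_text", "plain value", null, log.Add);

        // Only derived facts are written out here; the secret values themselves are not.
        Console.WriteLine($"kv password length: {kvPassword.Length}");
        Console.WriteLine($"json field extracted: {jsonPassword == "hunter2"}");
        Console.WriteLine($"whitespace field name returned whole JSON: {wholeJson == json}");
        Console.WriteLine($"static_text passthrough: {text == "plain value"}");
        Console.WriteLine($"debug log entries: {string.Join("; ", log)}");
    }
}
```

The `debugLog` callback stands in for the provider's logger so the example runs without the Keyfactor logging package; in the real provider the same rule applies at every log site, which is why `Main` reports lengths and equality results rather than echoing the parsed values.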