---
title: Secret Agent operator
description: The open source Secret Agent operator generates all the secrets needed for ForgeOps deployments except for the DS master key and TLS key. When directory instances are created, certificate manager is called to generate these two keys.
component: forgeops
version: 2026.1
page_id: forgeops:prepare:security/secret-agent
canonical_url: https://docs.pingidentity.com/forgeops/2026.1/prepare/security/secret-agent.html
keywords: ["Security", "Secret Agent Operator"]
section_ids:
  secret_generation: Secret generation
  cloud-secret-management: Cloud secret management
  password-changes: Administration password changes
---

# Secret Agent operator

The open source Secret Agent operator generates all the secrets needed for ForgeOps deployments except for the DS master key and TLS key. When directory instances are created, certificate manager is called to generate these two keys.

In addition to generating secrets, the operator also integrates with Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault to manage secrets, providing cloud backup and retrieval for secrets.

The Secret Agent operator runs as a Kubernetes deployment that must be available before you can install AM, IDM, and DS.

## Secret generation

By default, the operator examines your namespace to determine whether it contains all the secrets that it manages for Ping Identity Platform deployments. If any of the secrets it manages are not present, the operator generates them.

Refer to the Secret Agent project README for information about:

* [Importing your own secrets](https://github.com/ForgeRock/secret-agent#importing-your-own-secrets)

* [Secret Agent naming conventions](https://github.com/ForgeRock/secret-agent#naming-convention-for-cloud-backups)

* [Modifying the Secret Agent configuration](https://github.com/ForgeRock/secret-agent#secret-agent-configuration-schema)

## Cloud secret management

Configuring the Secret Agent operator to integrate with a cloud secret manager, such as Google Cloud Secret Manager, AWS Secrets Manager, or Azure Key Vault, changes the operator's behavior:

* First, the operator examines your namespace to determine whether it contains all the secrets it manages for Ping Identity Platform deployments.

* If any of the secrets it manages are not in your namespace, the operator checks whether the missing secrets are available in the cloud secret manager:

  * If any of the secrets missing from your namespace are available in the cloud secret manager, the operator gets them from the cloud secret manager and adds them to your namespace.

  * If missing secrets are not available in the cloud secret manager, the Secret Agent operator generates them.

Configure cloud secret management when you have multiple Ping Identity Platform deployments that need to use the same secrets.
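The lookup order above has a practical consequence for secret rotation: with cloud secret management enabled, removing a key from the namespace alone gets it restored from the cloud copy, and only removing both causes a fresh value to be generated. The following model is an added example, not code from the Secret Agent project; the dictionaries stand in for the Kubernetes namespace and the cloud secret manager, `generate_value()` stands in for the operator's own generator, and the key names are constructed.

```python
"""Model of the Secret Agent lookup order (namespace, then cloud, then generate).

Added example, not code from the Secret Agent project. The dictionaries stand in
for the Kubernetes namespace and the cloud secret manager; generate_value()
stands in for the operator's own generator. Key names are constructed.
"""
import secrets
from typing import Dict, List, Optional, Tuple

MANAGED_KEYS: List[str] = ["AM_PASSWORDS_AMADMIN_CLEAR", "AM_STORES_CTS_PASSWORD"]  # constructed


def generate_value() -> str:
    """Stand-in for the operator's generator: a fresh random value on each call."""
    return secrets.token_urlsafe(24)


def reconcile(managed_keys: List[str], namespace: Dict[str, str],
              cloud: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Apply the documented order to each managed key and report what happened.

    cloud=None models an operator without cloud secret management. When it is
    enabled, a freshly generated value is also written back as the cloud backup.
    Returns one of "present", "restored" or "generated" per key.
    """
    actions: Dict[str, str] = {}
    for key in managed_keys:
        if key in namespace:
            actions[key] = "present"
        elif cloud is not None and key in cloud:
            namespace[key] = cloud[key]          # retrieved from the cloud backup
            actions[key] = "restored"
        else:
            namespace[key] = generate_value()    # neither copy exists: generate
            if cloud is not None:
                cloud[key] = namespace[key]      # and back the new value up
            actions[key] = "generated"
    return actions


def rotate(key: str, namespace: Dict[str, str], cloud: Optional[Dict[str, str]],
           delete_cloud_copy: bool) -> Tuple[str, bool]:
    """Remove the key from the namespace (and optionally from the cloud backup),
    reconcile, and return (action taken, whether the value actually changed)."""
    old = namespace[key]
    del namespace[key]
    if delete_cloud_copy and cloud is not None:
        cloud.pop(key, None)
    action = reconcile([key], namespace, cloud)[key]
    return action, namespace[key] != old
```

Running `rotate` with `delete_cloud_copy=False` against a populated cloud backup reports `("restored", False)`: the old password is back and nothing was rotated. That is why the administration password procedure on this page deletes the cloud secret manager entry before removing the key from the Kubernetes secret.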

Refer to the Secret Agent project README for information about how to configure the Secret Agent operator for cloud secret management using these cloud secret managers:

* [Google Cloud Secret Manager](https://github.com/ForgeRock/secret-agent#set-up-cloud-backup-with-gcp-secret-manager)

* [AWS Secrets Manager](https://github.com/ForgeRock/secret-agent#set-up-cloud-backup-with-aws-secret-manager)

* [Azure Key Vault](https://github.com/ForgeRock/secret-agent#set-up-cloud-backup-with-azure-key-vault)

## Administration password changes

ForgeOps deployments use these administration passwords:

* The AM and IDM administration user, `amadmin`

* The AM application store service account, `uid=am-config,ou=admins,ou=am-config`

* The AM CTS service account, `uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens`

* The shared identity repository service account, `uid=am-identity-bind-account,ou=admins,ou=identities`

* The DS root user, `uid=admin`

Some organizations have a requirement to change administration passwords from time to time. Follow these steps if you need to change the administration passwords:

1. Set the value of the `secretsManagerPrefix` key to `prod` in your [Secret Agent configuration](https://github.com/ForgeRock/secret-agent#naming-convention-for-cloud-backups).

   You can set the value of the `secretsManagerPrefix` key to any prefix you like. These steps use `prod` as an example prefix.

2. Change the `amadmin` user's password:

   1. Change to the bin directory in your `forgeops` repository clone.

   2. Run the forgeops info command. Note the current password for the `amadmin` user.

   3. If you've enabled [cloud secret management](#cloud-secret-management), delete the entry that contains the `amadmin` user's password from the cloud secret manager:

      > **Google Cloud**
      >
      > List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the `AM-PASSWORDS-AMADMIN-CLEAR` password, and delete it. For example:
      >
      > ```
      > $ gcloud secrets list --uri
      > $ gcloud secrets delete \
      >  https://secretmanager.googleapis.com/.../prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
      > ```

      > **AWS**
      >
      > List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the `AM-PASSWORDS-AMADMIN-CLEAR` password, and delete it. For example:
      >
      > ```
      > $ aws secretsmanager list-secrets --region=my-region
      > $ aws secretsmanager delete-secret --region=my-region \
      >  --force-delete-without-recovery \
      >  --secret-id arn:aws:secretsmanager:...:prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR-c3KfsL
      > ```

      > **Azure**
      >
      > Soft delete the secret that contains the `AM-PASSWORDS-AMADMIN-CLEAR` password from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret delete --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
      > ```
      >
      > Purge the soft deleted secret from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret purge --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
      > ```

   4. Make the namespace where the platform is deployed the active namespace in your local Kubernetes context.

   5. Remove the key that holds the `amadmin` user's password from the Kubernetes secret in the namespace where the platform is deployed:

      ```
      $ kubectl patch secrets am-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_PASSWORDS_AMADMIN_CLEAR"}]'
      ```

   6. Restart AM by deleting all active AM pods: list all the pods in the namespace where you deployed the platform and then delete all the pods running AM.

   7. After AM comes up, run the forgeops info command again to get the current administration passwords.

      Verify that the `amadmin` user's password has changed by comparing its previous value to its current value.

   8. Verify that you can log in to the platform UI using the new password.

3. Change the AM application store service account's password:

   1. Change to the bin directory in your `forgeops` repository clone.

   2. Run the forgeops info command. Note the current password for the AM application store service account.

   3. If you've enabled [cloud secret management](#cloud-secret-management), delete the entry that contains this account's password from the cloud secret manager:

      > **Google Cloud**
      >
      > List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the `AM_STORES_APPLICATION_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ gcloud secrets list --uri
      > $ gcloud secrets delete \
      >  https://secretmanager.googleapis.com/.../prod-ds-env-secrets-AM_STORES_APPLICATION_PASSWORD
      > ```

      > **AWS**
      >
      > List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the `AM_STORES_APPLICATION_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ aws secretsmanager list-secrets --region=my-region
      > $ aws secretsmanager delete-secret --region=my-region \
      >  --force-delete-without-recovery \
      >  --secret-id arn:aws:secretsmanager:...:prod-ds-env-secrets-AM_STORES_APPLICATION_PASSWORD-1d4432
      > ```

      > **Azure**
      >
      > Soft delete the secret that contains the `AM_STORES_APPLICATION_PASSWORD` password from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_APPLICATION_PASSWORD
      > ```
      >
      > Purge the deleted secret from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_APPLICATION_PASSWORD
      > ```

   4. Make the namespace where the platform is deployed the active namespace in your local Kubernetes context.

   5. Remove the key that holds the service account's password from the Kubernetes secret in the namespace where the platform is deployed:

      ```
      $ kubectl patch secrets ds-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_STORES_APPLICATION_PASSWORD"}]'
      ```

   6. Remove your ForgeOps deployment. Be sure to reply `N` when you're prompted to delete PVCs, volume snapshots, and secrets:

      ```
      $ cd /path/to/forgeops/bin
      $ ./forgeops delete
      "small" platform detected in namespace: "my-namespace".
      Uninstalling component(s): ['all'] from namespace: "my-namespace".
      OK to delete components? [Y/N] Y
      OK to delete PVCs? [Y/N] N
      OK to delete volume snapshots? [Y/N] N
      OK to delete secrets? [Y/N] N
      service "admin-ui" deleted
      ...
      ```

   7. Redeploy the platform:

      ```
      $ forgeops apply --small --fqdn my-fqdn
      ```

   8. Review the administration passwords listed in the forgeops apply command's output.

      Verify that the AM application store service account's password has changed by comparing its previous value to its current value.

4. Change the CTS service account's password:

   1. Change to the bin directory in your `forgeops` repository clone.

   2. Run the forgeops info command. Note the current password for the CTS service account.

   3. If you've enabled [cloud secret management](#cloud-secret-management), delete the entry that contains this account's password from the cloud secret manager:

      > **Google Cloud**
      >
      > List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the `AM_STORES_CTS_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ gcloud secrets list --uri
      > $ gcloud secrets delete \
      >  https://secretmanager.googleapis.com/.../prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
      > ```

      > **AWS**
      >
      > List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the `AM_STORES_CTS_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ aws secretsmanager list-secrets --region=my-region
      > $ aws secretsmanager delete-secret --region=my-region \
      >  --force-delete-without-recovery \
      >  --secret-id arn:aws:secretsmanager:...:prod-ds-env-secrets-AM_STORES_CTS_PASSWORD-1d4432
      > ```

      > **Azure**
      >
      > Delete the secret that contains the `AM_STORES_CTS_PASSWORD` password from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
      > ```
      >
      > Purge the deleted secret from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
      > ```

   4. Make the namespace where the platform is deployed the active namespace in your local Kubernetes context.

   5. Remove the key that holds the service account's password from the Kubernetes secret in the namespace where the platform is deployed:

      ```
      $ kubectl patch secrets ds-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_STORES_CTS_PASSWORD"}]'
      ```

   6. Remove your ForgeOps deployment. Be sure to reply `N` when you're prompted to delete PVCs, volume snapshots, and secrets:

      ```
      $ cd /path/to/forgeops/bin
      $ ./forgeops delete
      "small" platform detected in namespace: "my-namespace".
      Uninstalling component(s): ['all'] from namespace: "my-namespace".
      OK to delete components? [Y/N] Y
      OK to delete PVCs? [Y/N] N
      OK to delete volume snapshots? [Y/N] N
      OK to delete secrets? [Y/N] N
      service "admin-ui" deleted
      ...
      ```

   7. Redeploy the platform:

      ```
      $ forgeops apply --small --fqdn my-fqdn
      ```

   8. Review the administration passwords listed in the forgeops apply command's output.

      Verify that the CTS service account's password has changed by comparing its previous value to its current value.

5. Change the identity repository service account's password:

   1. Change to the bin directory in your `forgeops` repository clone.

   2. Run the forgeops info command. Note the current password for the identity repository service account.

   3. If you've enabled [cloud secret management](#cloud-secret-management), delete the entry that contains this account's password from the cloud secret manager:

      > **Google Cloud**
      >
      > List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the `AM_STORES_USER_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ gcloud secrets list --uri
      > $ gcloud secrets delete \
      >  https://secretmanager.googleapis.com/.../prod-ds-env-secrets-AM_STORES_USER_PASSWORD
      > ```

      > **AWS**
      >
      > List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the `AM_STORES_USER_PASSWORD` password, and delete it. For example:
      >
      > ```
      > $ aws secretsmanager list-secrets --region=my-region
      > $ aws secretsmanager delete-secret --region=my-region \
      >  --force-delete-without-recovery \
      >  --secret-id arn:aws:secretsmanager:...:prod-ds-env-secrets-AM_STORES_USER_PASSWORD-1d4432
      > ```

      > **Azure**
      >
      > Soft delete the secret that contains the `AM_STORES_USER_PASSWORD` password from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD
      > ```
      >
      > Purge the deleted secret from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD
      > ```

   4. Make the namespace where the platform is deployed the active namespace in your local Kubernetes context.

   5. Remove the key that holds the service account's password from the Kubernetes secret in the namespace where the platform is deployed:

      ```
      $ kubectl patch secrets ds-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_STORES_USER_PASSWORD"}]'
      ```

   6. Remove your ForgeOps deployment. Be sure to reply `N` when you're prompted to delete PVCs, volume snapshots, and secrets:

      ```
      $ cd /path/to/forgeops/bin
      $ ./forgeops delete
      "small" platform detected in namespace: "my-namespace".
      Uninstalling component(s): ['all'] from namespace: "my-namespace".
      OK to delete components? [Y/N] Y
      OK to delete PVCs? [Y/N] N
      OK to delete volume snapshots? [Y/N] N
      OK to delete secrets? [Y/N] N
      service "admin-ui" deleted
      ...
      ```

   7. Redeploy the platform:

      ```
      $ forgeops apply --small --fqdn my-fqdn
      ```

   8. Review the administration passwords listed in the forgeops apply command's output.

      Verify that the identity repository service account's password has changed by comparing its previous value to its current value.

6. Change the DS root user's password:

   1. Change to the bin directory in your `forgeops` repository clone.

   2. Run the forgeops info command. Note the current password for the `uid=admin` account.

   3. If you've enabled [cloud secret management](#cloud-secret-management), delete the entry that contains this account's password from the cloud secret manager:

      > **Google Cloud**
      >
      > List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the `dirmanager-pw` password, and delete it. For example:
      >
      > ```
      > $ gcloud secrets list --uri
      > $ gcloud secrets delete \
      >  https://secretmanager.googleapis.com/.../prod-ds-passwords-dirmanager-pw
      > ```

      > **AWS**
      >
      > List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the `dirmanager-pw` password, and delete it. For example:
      >
      > ```
      > $ aws secretsmanager list-secrets --region=my-region
      > $ aws secretsmanager delete-secret --region=my-region \
      >  --force-delete-without-recovery \
      >  --secret-id arn:aws:secretsmanager:...:prod-ds-passwords-dirmanager-pw-2eeaa0
      > ```

      > **Azure**
      >
      > Soft delete the secret that contains the `dirmanager-pw` password from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw
      > ```
      >
      > Purge the deleted secret from Azure Key Vault. For example:
      >
      > ```
      > $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw
      > ```

   4. Make the namespace where the platform is deployed the active namespace in your local Kubernetes context.

   5. Remove the key that holds the `uid=admin` account's password from the Kubernetes secret in the namespace where the platform is deployed:

      ```
      $ kubectl patch secrets ds-passwords --type=json \
       --patch='[{"op":"remove", "path": "/data/dirmanager.pw"}]'
      ```

   6. Remove your ForgeOps deployment. Be sure to reply `N` when you're prompted to delete PVCs, volume snapshots, and secrets:

      ```
      $ cd /path/to/forgeops/bin
      $ ./forgeops delete
      "small" platform detected in namespace: "my-namespace".
      Uninstalling component(s): ['all'] from namespace: "my-namespace".
      OK to delete components? [Y/N] Y
      OK to delete PVCs? [Y/N] N
      OK to delete volume snapshots? [Y/N] N
      OK to delete secrets? [Y/N] N
      service "admin-ui" deleted
      ...
      ```

   7. Redeploy the platform:

      ```
      $ forgeops apply --small --fqdn my-fqdn
      ```

   8. Review the administration passwords listed in the forgeops apply command's output.

      Verify that the password for the `uid=admin` account has changed by comparing its previous value to its current value.
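Each of the per-account procedures above repeats one pattern: note the current value, remove the key from the Kubernetes secret with a JSON patch, let the operator regenerate it after a restart or redeploy, and confirm that the value changed. The helper below is an added example, not part of the forgeops repository or the Secret Agent project. It assumes `kubectl` is on the PATH and that the platform namespace is the active one, and it compares SHA-256 fingerprints of the old and new values rather than the cleartext passwords, so nothing sensitive lands in notes or shell history. The secret and key names are the ones used in the steps above; `rotate_key` and `verify_rotation` are names chosen for this example.

```python
"""Helpers for the per-key rotation steps on this page.

Added example, not part of the forgeops repository. Assumes kubectl is on the
PATH and the platform namespace is the active Kubernetes context namespace.
"""
import base64
import hashlib
import json
import subprocess
import sys
from typing import Dict, Optional


def json_pointer_token(key: str) -> str:
    """Escape one JSON Pointer reference token (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return key.replace("~", "~0").replace("/", "~1")


def remove_key_patch(key: str) -> str:
    """Build the JSON patch that removes /data/<key> from a Secret, in the form
    the `kubectl patch secrets ... --type=json` commands on this page use."""
    return json.dumps([{"op": "remove", "path": "/data/" + json_pointer_token(key)}])


def fingerprint(b64_value: str) -> str:
    """SHA-256 of the decoded value (Secret .data entries are base64 in the API)."""
    return hashlib.sha256(base64.b64decode(b64_value)).hexdigest()


def rotation_changed_value(before: str, after: Optional[str]) -> bool:
    """True only when the key exists again after regeneration and differs from before."""
    return after is not None and after != before


def get_secret_data(secret: str) -> Dict[str, str]:
    """Fetch the .data map of a Secret in the active namespace via kubectl."""
    proc = subprocess.run(["kubectl", "get", "secret", secret, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout).get("data") or {}


def rotate_key(secret: str, key: str) -> str:
    """Record the old fingerprint, then remove the key so Secret Agent regenerates it.

    Refuses to patch when the key is absent: a JSON-patch "remove" of a missing
    path fails, and there would be nothing to compare against afterwards.
    """
    data = get_secret_data(secret)
    if key not in data:
        raise KeyError(f"{key} is not present in secret {secret}")
    before = fingerprint(data[key])
    subprocess.run(["kubectl", "patch", "secrets", secret, "--type=json",
                    "--patch=" + remove_key_patch(key)], check=True)
    return before


def verify_rotation(secret: str, key: str, before: str) -> bool:
    """After AM restarted or the platform was redeployed: did the value change?"""
    data = get_secret_data(secret)
    after = fingerprint(data[key]) if key in data else None
    return rotation_changed_value(before, after)


if __name__ == "__main__":
    # Usage: rotate.py remove <secret> <key>             -> prints the old fingerprint
    #        rotate.py verify <secret> <key> <old-fp>    -> exit 0 if the value changed
    if len(sys.argv) >= 4 and sys.argv[1] == "remove":
        print(rotate_key(sys.argv[2], sys.argv[3]))
    elif len(sys.argv) >= 5 and sys.argv[1] == "verify":
        changed = verify_rotation(sys.argv[2], sys.argv[3], sys.argv[4])
        print("changed" if changed else "NOT changed")
        sys.exit(0 if changed else 1)
    else:
        sys.exit("usage: rotate.py remove|verify <secret> <key> [old-fingerprint]")
```

For the `amadmin` case the sequence is `rotate.py remove am-env-secrets AM_PASSWORDS_AMADMIN_CLEAR`, the AM pod restart from step 2, then `rotate.py verify am-env-secrets AM_PASSWORDS_AMADMIN_CLEAR <old-fingerprint>`; the DS keys use `ds-env-secrets` or `ds-passwords` and a redeploy in between. If cloud secret management is enabled, the cloud entry still has to be deleted first, exactly as the steps above describe, or the operator will restore the previous value and `verify` will report `NOT changed`.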
