Replace Hashicorp Vault with AKeyless for secrets management

[Copilot]

Migrates secrets management from Hashicorp Vault to AKeyless. Maintains backward compatibility through existing IVaultManager interface.

Core Implementation Changes

API Endpoints:

• Auth: POST /v1/auth/{method}/login → POST /auth (unified endpoint with access-type parameter)
• Secrets: GET /v1/secret/data/{path} → POST /get-secret-value
• Headers: X-Vault-Token → Authorization: Bearer

Authentication Method Mapping:

Vault	AKeyless	Config
AppRole (role_id + secret_id)	API Key	@accessId + @accessKeySecret
Kubernetes JWT	Kubernetes	@accessId + k8s token
Client Certificate	Certificate	@accessId + cert files
Token	Token	@client-secret (unchanged)

Class Refactoring:

• CVault → CAKeyless
• CVaultSet → CAKeylessSet
• CVaultManager → CAKeylessManager
• VaultAuthType → AuthType

Configuration Schema

Removed:

• @kind (kv_v1/kv_v2 distinction)
• @appRoleId, @appRoleSecret

Added:

• @accessId - AKeyless access identifier
• @accessKeySecret - k8s secret name containing access key

Response Parsing

// Vault: nested data structure
{ "data": { "data": { "key": "value" } } }

// AKeyless: flat structure with full path as key
{ "/category/name": { "key": "value" } }

Parser now matches secrets by path suffix to handle namespace variations.

Documentation

• Migration guide with API mapping and troubleshooting
• Setup guides for Kubernetes and API Key authentication
• ECL code examples and key rotation procedures

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• docs.akeyless.io
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

We need to replace our Hashicorp Vault security code and replace it with AKeyless. Can you identify all places that use Hashicorp code and how the calls correspond to the AKeyless. Can create a branch in my repo call MyAKeyless and make code changes to all files replacing Hashicorp vault calls with AKeyless calls so I get the same functionality

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.