The External Secrets Enterprise product suite is a premium product.
It requires a specific subscription. Contact us for more information.
To use the SendGrid API Key Generator, you must have the Enterprise Distribution of ESO available via ESI Agent or via our Helm chart bundle.

Introduction

The SendGrid Generator automatically provisions scoped API keys for your applications using the SendGrid Admin API.
It eliminates the need for manually creating and managing API tokens in the SendGrid dashboard, enabling fine-grained access and secure rotation via ESO.
This generator is especially useful when isolating credentials across services or tenants and when ensuring secure deletion of unused API tokens during cleanup.

Output Keys and Values

| Key | Description |
| --- | --- |
| apiKey | The generated SendGrid API key (SG.x...) |

Parameters

| Key | Default | Description |
| --- | --- | --- |
| dataResidency | global | Optional value to control SendGrid’s data residency location ("global", "eu"). |
| scopes | [] | List of scopes to apply to the API key. See SendGrid docs for options. |
| auth.secretRef.apiKeySecretRef | Required | Secret containing the Admin API Key with permission to manage API keys. |

Set up

Requirements

  • You must have an existing SendGrid Admin API Key with permission to create and delete API keys.
  • The generator uses the /v3/api_keys endpoint to create and rotate keys.

Admin API Key Secret

Example of a Kubernetes secret holding your Admin API Key:
apiVersion: v1
kind: Secret
metadata:
  name: sendgrid-admin-secret
  namespace: default
type: Opaque
data:
  api-key: <base64-encoded-admin-key>

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: SendgridAuthorizationToken
metadata:
  name: sendgrid-generator
  namespace: default
spec:
  dataResidency: global
  scopes:
    - mail.send
    - alerts.create
  auth:
    secretRef:
      apiKeySecretRef:
        name: sendgrid-admin-secret
        key: api-key

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: sendgrid-credentials
  namespace: default
spec:
  refreshInterval: 12h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: SendgridAuthorizationToken
          name: sendgrid-generator

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: email-service
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: email-service
  template:
    metadata:
      labels:
        app: email-service
    spec:
      containers:
        - name: app
          image: my-email-service:latest
          env:
            - name: SENDGRID_API_KEY
              valueFrom:
                secretKeyRef:
                  name: sendgrid-credentials
                  key: apiKey

Notes and Considerations

  • Only one API key is created per rotation cycle. Old keys are deleted during cleanup.
  • The dataResidency value is used to control which SendGrid API region is used (e.g., "eu" for EU data residency).
  • API keys are uniquely named using a generated label (e.g., Managed By ESO Generator: <name> <UID>).
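
A check for the cleanup behaviour described in the notes above, as an added example that is not part of the External Secrets documentation or product code: it groups a /v3/api_keys listing by generator name and reports generators with more live keys than expected, plus keys that do not carry the generator label. The label pattern follows the example on this page with the UID assumed to be the last token; the function name, the sample response and the default of one live key per generator are assumptions.

```python
import json
import re
from collections import defaultdict

# Assumed name format, taken from the example label on this page:
# "Managed By ESO Generator: <name> <UID>"; the UID is treated as the last token.
LABEL = re.compile(r"^Managed By ESO Generator: (?P<name>.+) (?P<uid>\S+)$")

# Constructed sample shaped like a GET /v3/api_keys response body.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"name": "Managed By ESO Generator: sendgrid-generator 1f0c", "api_key_id": "key-aaa"},
    {"name": "Managed By ESO Generator: sendgrid-generator 9b7e", "api_key_id": "key-bbb"},
    {"name": "Managed By ESO Generator: billing-generator 42ad", "api_key_id": "key-ccc"},
    {"name": "ci-manual-key", "api_key_id": "key-ddd"},
]})


def audit_api_keys(response_body: str, expected_per_generator: int = 1) -> dict:
    """Group keys by generator; report leftover and unlabelled keys."""
    managed = defaultdict(list)
    unmanaged = []
    for entry in json.loads(response_body).get("result", []):
        match = LABEL.match(entry.get("name", ""))
        if match:
            managed[match["name"]].append(entry["api_key_id"])
        else:
            unmanaged.append(entry["api_key_id"])
    # More live keys than expected means an old key survived cleanup or a
    # rotation is in flight. Raise expected_per_generator if several
    # ExternalSecrets share one generator (assumption about your setup).
    leftovers = {name: sorted(ids) for name, ids in managed.items()
                 if len(ids) > expected_per_generator}
    return {
        "managed": {name: sorted(ids) for name, ids in managed.items()},
        "leftovers": leftovers,
        "unmanaged": sorted(unmanaged),
    }


if __name__ == "__main__":
    report = audit_api_keys(SAMPLE_RESPONSE)
    for name, ids in report["leftovers"].items():
        print(f"generator {name}: {len(ids)} live keys {ids}")
    for key_id in report["unmanaged"]:
        print(f"no generator label: {key_id}")
```

Feed it the body returned by listing keys with the Admin API Key; keys reported without a generator label were created outside ESO and are not covered by its rotation or cleanup.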