feat: switch to tabs instead of seperate pages for aws secret manager…

… assume and access key
Infisical · Jun 27, 2024 · 3537a5e · 3537a5e
1 parent d5b17a8
commit 3537a5e
Show file tree

Hide file tree

Showing 3 changed files with 152 additions and 145 deletions.
diff --git a/docs/integrations/cloud/aws-secret-manager-assume-role.mdx b/docs/integrations/cloud/aws-secret-manager-assume-role.mdx
diff --git a/docs/integrations/cloud/aws-secret-manager.mdx b/docs/integrations/cloud/aws-secret-manager.mdx
@@ -3,6 +3,156 @@ title: "AWS Secrets Manager"
 description: "Learn how to sync secrets from Infisical to AWS Secrets Manager."
 ---
 
+<Tabs>
+  <Tab title="Assume Role (Recommended)">
+Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+<Accordion title="Self-Hosted Users">
+  To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration.
+
+If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
+
+The following steps are for instances not deployed on AWS
+<Steps>
+    <Step title="Create an IAM User">
+      Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
+    </Step>
+    <Step title="Create an Inline Policy">
+      Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowAssumeAnyRole",
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Resource": "arn:aws:iam::*:role/*"
+    }
+  ]
+}
+```
+</Step>
+<Step title="Obtain the IAM User Credentials">
+  Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
+
+  ![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
+  ![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
+  ![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
+</Step>
+<Step title="Set Up Integration Keys">
+  1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**.
+  2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**.
+</Step>
+</Steps>
+</Accordion>
+
+<Steps>
+    <Step title="Create the Managing User IAM Role for AWS Secrets Manager">
+    1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
+       ![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png)
+
+    2. Select **AWS Account** as the **Trusted Entity Type**.
+    3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
+    4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security.
+  </Step>
+
+  <Step title="Add Required Permissions for the IAM Role">
+    ![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png)
+    Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
+
+    ```json
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AllowSecretsManagerAccess",
+          "Effect": "Allow",
+          "Action": [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:CreateSecret",
+            "secretsmanager:UpdateSecret",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:TagResource",
+            "secretsmanager:UntagResource",
+            "kms:ListKeys",
+            "kms:ListAliases",
+            "kms:Encrypt",
+            "kms:Decrypt"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+    ```
+  </Step>
+
+  <Step title="Copy the AWS IAM Role ARN">
+    ![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png)
+  </Step>
+
+  <Step title="Authorize Infisical for AWS Secrets Manager">
+    1. Navigate to your project's integrations tab in Infisical.
+    2. Click on the **AWS Secrets Manager** tile.
+       ![Select AWS Secrets Manager](../../images/integrations.png)
+
+    3. Select the **AWS Assume Role** option.
+       ![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png)
+
+    4. Provide the **AWS IAM Role ARN** obtained from the previous step.
+  </Step>  <Step title="Start integration">
+    Select how you want to integration to work by specifying a number of parameters:
+
+    <ParamField path="Project Environment" type="string" required>
+      The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.
+    </ParamField>
+    <ParamField path="Secrets Path" type="string" required>
+      The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager.
+    </ParamField>
+    <ParamField path="AWS Region" type="string" required>
+      The region that you want to integrate with in AWS Secrets Manager.
+    </ParamField>
+    <ParamField path="Mapping Behavior" type="string" required>
+      How you want the integration to map the secrets. The selected value could be either one to one or one to many.
+    </ParamField>
+    <ParamField path="AWS SM Secret Name" type="string" required>
+      The secret name/path in AWS into which you want to sync the secrets from Infisical.
+    </ParamField>
+
+    ![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png)
+
+    Optionally, you can add tags or specify the encryption key of all the secrets created via this integration:
+
+    <ParamField path="Secret Tag" type="string" optional>
+      The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API.
+    </ParamField>
+    <ParamField path="Encryption Key" type="string" optional>
+      The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it.
+    </ParamField>
+    ![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png)
+
+    Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager.
+
+    <Info>
+      Infisical currently syncs environment variables to AWS Secrets Manager as
+      key-value pairs under one secret. We're actively exploring ways to help users
+      group environment variable key-pairs under multiple secrets for greater
+      control.
+    </Info>
+    <Info>
+      Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.
+    </Info>
+
+  </Step>
+</Steps>
+  </Tab>
+  <Tab title="Access Key">
+Infisical will access your account using the provided AWS access key and secret key.
+
 Prerequisites:
 
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
@@ -105,3 +255,5 @@ Prerequisites:
 
   </Step>
 </Steps>
+  </Tab>
+</Tabs>
diff --git a/docs/mint.json b/docs/mint.json
@@ -299,7 +299,6 @@
           "pages": [
             "integrations/cloud/aws-parameter-store",
             "integrations/cloud/aws-secret-manager",
-            "integrations/cloud/aws-secret-manager-assume-role",
             "integrations/cloud/aws-amplify"
           ]
         },