From 3537a5eb9b64f20fc322bc7df955ace5c7aa905a Mon Sep 17 00:00:00 2001 From: = Date: Thu, 27 Jun 2024 13:06:04 +0530 Subject: [PATCH] feat: switch to tabs instead of separate pages for aws secret manager assume and access key --- .../cloud/aws-secret-manager-assume-role.mdx | 144 ----------------- .../integrations/cloud/aws-secret-manager.mdx | 152 ++++++++++++++++++ docs/mint.json | 1 - 3 files changed, 152 insertions(+), 145 deletions(-) delete mode 100644 docs/integrations/cloud/aws-secret-manager-assume-role.mdx diff --git a/docs/integrations/cloud/aws-secret-manager-assume-role.mdx b/docs/integrations/cloud/aws-secret-manager-assume-role.mdx deleted file mode 100644 index d4cd8370c0..0000000000 --- a/docs/integrations/cloud/aws-secret-manager-assume-role.mdx +++ /dev/null
@@ -1,144 +0,0 @@ ---- -title: "AWS Secrets Manager Assume Role" -description: "Learn how to sync secrets from Infisical to AWS Secrets Manager without sharing any user credentials." ---- - -Prerequisites: - -- Set up and add envars to [Infisical Cloud](https://app.infisical.com) - - - To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration. - - - - Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console. - - - Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles: -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAssumeAnyRole", - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::*:role/*" - } - ] -} -``` - - - Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys. - - ![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png) - ![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png) - ![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png) - - - 1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**. - 2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**. - - - - - - - 1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console. - ![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png) - - 2. Select **AWS Account** as the **Trusted Entity Type**. - 3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead. - 4. 
Optionally, enable **Require external ID** and enter your **project ID** to further enhance security. - - - - ![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png) - Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager: - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowSecretsManagerAccess", - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue", - "secretsmanager:CreateSecret", - "secretsmanager:UpdateSecret", - "secretsmanager:DescribeSecret", - "secretsmanager:TagResource", - "secretsmanager:UntagResource", - "kms:ListKeys", - "kms:ListAliases", - "kms:Encrypt", - "kms:Decrypt" - ], - "Resource": "*" - } - ] - } - ``` - - - - ![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png) - - - - 1. Navigate to your project's integrations tab in Infisical. - 2. Click on the **AWS Secrets Manager** tile. - ![Select AWS Secrets Manager](../../images/integrations.png) - - 3. Select the **AWS Assume Role** option. - ![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png) - - 4. Provide the **AWS IAM Role ARN** obtained from the previous step. - - Select how you want to integration to work by specifying a number of parameters: - - - The environment in Infisical from which you want to sync secrets to AWS Secrets Manager. - - - The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager. - - - The region that you want to integrate with in AWS Secrets Manager. - - - How you want the integration to map the secrets. The selected value could be either one to one or one to many. - - - The secret name/path in AWS into which you want to sync the secrets from Infisical. 
- - - ![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png) - - Optionally, you can add tags or specify the encryption key of all the secrets created via this integration: - - - The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API. - - - The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it. - - ![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png) - - Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager. - - - Infisical currently syncs environment variables to AWS Secrets Manager as - key-value pairs under one secret. We're actively exploring ways to help users - group environment variable key-pairs under multiple secrets for greater - control. - - - Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days. - - - - diff --git a/docs/integrations/cloud/aws-secret-manager.mdx b/docs/integrations/cloud/aws-secret-manager.mdx index 4b46840b05..64df1df321 100644 --- a/docs/integrations/cloud/aws-secret-manager.mdx +++ b/docs/integrations/cloud/aws-secret-manager.mdx 
@@ -3,6 +3,156 @@ title: "AWS Secrets Manager" description: "Learn how to sync secrets from Infisical to AWS Secrets Manager." --- + + +Infisical will assume the provided role in your AWS account securely, without the need to share any credentials. + +Prerequisites: + +- Set up and add envars to [Infisical Cloud](https://app.infisical.com) + + + To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration. + +If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2. + +The following steps are for instances not deployed on AWS + + + Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console. + + + Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles: +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowAssumeAnyRole", + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::*:role/*" + } + ] +} +``` + + + Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys. + + ![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png) + ![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png) + ![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png) + + + 1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**. + 2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**. + + + + + + + 1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console. + ![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png) + + 2. 
Select **AWS Account** as the **Trusted Entity Type**. + 3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead. + 4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security. + + + + ![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png) + Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSecretsManagerAccess", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DescribeSecret", + "secretsmanager:TagResource", + "secretsmanager:UntagResource", + "kms:ListKeys", + "kms:ListAliases", + "kms:Encrypt", + "kms:Decrypt" + ], + "Resource": "*" + } + ] + } + ``` + + + + ![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png) + + + + 1. Navigate to your project's integrations tab in Infisical. + 2. Click on the **AWS Secrets Manager** tile. + ![Select AWS Secrets Manager](../../images/integrations.png) + + 3. Select the **AWS Assume Role** option. + ![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png) + + 4. Provide the **AWS IAM Role ARN** obtained from the previous step. + + Select how you want to integration to work by specifying a number of parameters: + + + The environment in Infisical from which you want to sync secrets to AWS Secrets Manager. + + + The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager. + + + The region that you want to integrate with in AWS Secrets Manager. + + + How you want the integration to map the secrets. 
The selected value could be either one to one or one to many. + + + The secret name/path in AWS into which you want to sync the secrets from Infisical. + + + ![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png) + + Optionally, you can add tags or specify the encryption key of all the secrets created via this integration: + + + The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API. + + + The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it. + + ![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png) + + Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager. + + + Infisical currently syncs environment variables to AWS Secrets Manager as + key-value pairs under one secret. We're actively exploring ways to help users + group environment variable key-pairs under multiple secrets for greater + control. + + + Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days. + + + + + + +Infisical will access your account using the provided AWS access key and secret key. + Prerequisites: - Set up and add envars to [Infisical Cloud](https://app.infisical.com) @@ -105,3 +255,5 @@ Prerequisites: + + diff --git a/docs/mint.json b/docs/mint.json index d8410e27af..ac2a536c0a 100644 --- a/docs/mint.json +++ b/docs/mint.json @@ -299,7 +299,6 @@ "pages": [ "integrations/cloud/aws-parameter-store", "integrations/cloud/aws-secret-manager", - "integrations/cloud/aws-secret-manager-assume-role", "integrations/cloud/aws-amplify" ] },
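Review bot: on the deletion hunk for docs/integrations/cloud/aws-secret-manager-assume-role.mdx (@@ -1,144 +0,0 @@), the commit message presents this as a pure move into tabs, but the content re-added in aws-secret-manager.mdx is not identical: it gains the intro sentence "Infisical will assume the provided role in your AWS account securely, without the need to share any credentials." and the two new paragraphs starting "If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials." A whole-file delete plus an insert into a different file defeats git's rename detection, so reviewers cannot diff old text against new; please list the wording changes in the commit message, or land the move and the new paragraphs as separate commits.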
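Review bot: in the @@ -3,6 +3,156 @@ hunk of aws-secret-manager.mdx, step 4 of the role setup still reads "Optionally, enable **Require external ID**", while step 3 has the role trust Infisical's shared account 381492033652; a role that trusts a third party's account without an external ID can be assumed through that third party on behalf of a different tenant (the confused-deputy case the external ID exists to prevent), so the docs should recommend the external ID rather than label it optional, and the intro sentence "assume the provided role in your AWS account securely" should be qualified to match. Two more points in the same hunk: the policy introduced as "the minimum permissions required" uses `"Resource": "*"` and lists no `secretsmanager:DeleteSecret`, yet the closing note says that deleting secrets in Infisical makes AWS "immediately make the secrets inaccessible" and schedule deletion; either the policy is missing an action the integration calls or the note is inaccurate, so please confirm which, and consider documenting how to scope `Resource` to the secret name or prefix the integration writes to. Finally, the copied text carries typos: "Select how you want to integration to work" should be "the integration", "form which you want to sync" should be "from which", "Please note that key should be enabled" should be "that the key", and "The following steps are for instances not deployed on AWS" is missing its full stop.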
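Review bot: in the docs/mint.json hunk, removing "integrations/cloud/aws-secret-manager-assume-role" from the nav together with deleting the page means the old URL now returns a 404 for anyone with a bookmark or an external link; add a redirect from the old path to integrations/cloud/aws-secret-manager (Mintlify's redirects configuration in mint.json can carry it) so existing deep links land on the new tabbed page.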