-
Notifications
You must be signed in to change notification settings - Fork 739
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: updated docs on usage of aws sm integration with assume role
- Loading branch information
Showing
9 changed files
with
161 additions
and
6 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+73.4 KB
docs/images/integrations/aws/integration-aws-iam-assume-permission.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified
BIN
-80.5 KB
(35%)
docs/images/integrations/aws/integrations-aws-secret-manager-auth.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
144 changes: 144 additions & 0 deletions
144
docs/integrations/cloud/aws-secret-manager-assume-role.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| --- | ||
| title: "AWS Secrets Manager Assume Role" | ||
| description: "Learn how to sync secrets from Infisical to AWS Secrets Manager without sharing any user credentials." | ||
| --- | ||
|
|
||
| Prerequisites: | ||
|
|
||
| - Set up and add envars to [Infisical Cloud](https://app.infisical.com) | ||
|
|
||
| <Accordion title="Self-Hosted Users"> | ||
| To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration. | ||
|
|
||
| <Steps> | ||
| <Step title="Create an IAM User"> | ||
| Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console. | ||
| </Step> | ||
| <Step title="Create an Inline Policy"> | ||
| Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles: | ||
| ```json | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Sid": "AllowAssumeAnyRole", | ||
| "Effect": "Allow", | ||
| "Action": "sts:AssumeRole", | ||
| "Resource": "arn:aws:iam::*:role/*" | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
| </Step> | ||
| <Step title="Obtain the IAM User Credentials"> | ||
| Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys. | ||
|
|
||
|  | ||
|  | ||
|  | ||
| </Step> | ||
| <Step title="Set Up Integration Keys"> | ||
| 1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**. | ||
| 2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**. | ||
| </Step> | ||
| </Steps> | ||
| </Accordion> | ||
|
|
||
| <Steps> | ||
| <Step title="Create the Managing User IAM Role for AWS Secrets Manager"> | ||
| 1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console. | ||
|  | ||
|
|
||
| 2. Select **AWS Account** as the **Trusted Entity Type**. | ||
| 3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead. | ||
| 4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security. | ||
| </Step> | ||
|
|
||
| <Step title="Add Required Permissions for the IAM Role"> | ||
|  | ||
| Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager: | ||
|
|
||
| ```json | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Sid": "AllowSecretsManagerAccess", | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "secretsmanager:GetSecretValue", | ||
| "secretsmanager:CreateSecret", | ||
| "secretsmanager:UpdateSecret", | ||
| "secretsmanager:DescribeSecret", | ||
| "secretsmanager:TagResource", | ||
| "secretsmanager:UntagResource", | ||
| "kms:ListKeys", | ||
| "kms:ListAliases", | ||
| "kms:Encrypt", | ||
| "kms:Decrypt" | ||
| ], | ||
| "Resource": "*" | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
| </Step> | ||
|
|
||
| <Step title="Copy the AWS IAM Role ARN"> | ||
|  | ||
| </Step> | ||
|
|
||
| <Step title="Authorize Infisical for AWS Secrets Manager"> | ||
| 1. Navigate to your project's integrations tab in Infisical. | ||
| 2. Click on the **AWS Secrets Manager** tile. | ||
|  | ||
|
|
||
| 3. Select the **AWS Assume Role** option. | ||
|  | ||
|
|
||
| 4. Provide the **AWS IAM Role ARN** obtained from the previous step. | ||
| </Step> <Step title="Start integration"> | ||
| Select how you want to integration to work by specifying a number of parameters: | ||
|
|
||
| <ParamField path="Project Environment" type="string" required> | ||
| The environment in Infisical from which you want to sync secrets to AWS Secrets Manager. | ||
| </ParamField> | ||
| <ParamField path="Secrets Path" type="string" required> | ||
| The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager. | ||
| </ParamField> | ||
| <ParamField path="AWS Region" type="string" required> | ||
| The region that you want to integrate with in AWS Secrets Manager. | ||
| </ParamField> | ||
| <ParamField path="Mapping Behavior" type="string" required> | ||
| How you want the integration to map the secrets. The selected value could be either one to one or one to many. | ||
| </ParamField> | ||
| <ParamField path="AWS SM Secret Name" type="string" required> | ||
| The secret name/path in AWS into which you want to sync the secrets from Infisical. | ||
| </ParamField> | ||
|
|
||
|  | ||
|
|
||
| Optionally, you can add tags or specify the encryption key of all the secrets created via this integration: | ||
|
|
||
| <ParamField path="Secret Tag" type="string" optional> | ||
| The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API. | ||
| </ParamField> | ||
| <ParamField path="Encryption Key" type="string" optional> | ||
| The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it. | ||
| </ParamField> | ||
|  | ||
|
|
||
| Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager. | ||
|
|
||
| <Info> | ||
| Infisical currently syncs environment variables to AWS Secrets Manager as | ||
| key-value pairs under one secret. We're actively exploring ways to help users | ||
| group environment variable key-pairs under multiple secrets for greater | ||
| control. | ||
| </Info> | ||
| <Info> | ||
| Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days. | ||
| </Info> | ||
|
|
||
| </Step> | ||
| </Steps> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters