Apono Integration Secret
Last updated
Last updated
Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.
Apono supports the following secret managers:
Use Apono to store your connector credentials for the desired integration resources.
Using the Apono secret store option is not recommended for production environments.
We suggest creating a secret in one of the supported cloud providers secret manager or in a Kubernetes secret. Storing secrets in a secret manager enables Apono to sync and provision cloud resources without the need to store credentials for a specific environment in Apono.
From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.
Use Kubernetes secret to store your connector credentials for the desired integration resources.
Apono connector installed in your Kubernetes cluster
Kubectl command-line interface
Run the following commands to create a secret from the Kubectl CLI.
Create the secret.
kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>Label the secret with apono-connector-read:true
kubectl label secret <SECRET_NAME> "apono-connector-read=true"Give the Apono connector permissions to the secret:
helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--set-string apono.token=<APONO_TOKEN> \
--set-string apono.connectorId=<CONNECTOR_NAME> \
--set serviceAccount.manageClusterRoles=true \
--set allowedSecretsToRead={secret1\,secret2\,secret3} \
--namespace apono-connector Apono connector installed in your Kubernetes cluster
Terraform command-line interface
Use the following configuration to create a secret from the Terraform CLI.
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.32.0"
}
helm = {
source = "hashicorp/helm"
version = "2.15.0"
}
}
}
provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}
resource "kubernetes_secret" "apono-k8s-secret" {
metadata {
name = "<SECRET_NAME>"
namespace = "<NAMESPACE>"
labels = {
"apono-connector-read" = "true"
}
}
data = {
<KEY1> = "<VALUE1>"
<KEY2> = "<VALUE2>"
}
type = "Opaque"
}
resource "helm_release" "apono-helm" {
name = "apono-connector"
repository = "https://apono-io.github.io/apono-helm-charts"
chart = "apono-connector"
namespace = "<NAMESPACE>"
set {
name = "apono.token"
value = "<APONO_TOKEN>"
type = "string"
}
set {
name = "apono.connectorId"
value = "<CONNECTOR_NAME>"
type = "string"
}
set {
name = "serviceAccount.manageClusterRoles"
value = "true"
}
set {
name = "allowedSecretsToRead"
value = "{secret1\,secret2\,secret3}"
}
}From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.
Use AWS Secret Manager to store your connector credentials for the desired integration resources.
AWS role or user with SecretsManagerReadWrite attached policy
AWS command-line interface
Run the following commands to create a secret from the AWS CLI.
aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'AWS role or user with SecretsManagerReadWrite attached policy.
Follow these steps to create a secret:
From the Secret Manager, click Store a new secret. The Choose secret type page appears.
Select Other type of secret.
Under Key/value pairs, enter your secret through one of the following approaches:
On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.
On the Plaintext tab, enter your secret in JSON key/value pairs.
Click Next. The Configure secret page appears.
Under Tags, click Add.
In the Key field, enter apono-connector-read.
In the Value field, enter true.
AWS role or user with SecretsManagerReadWrite attached policy
Terraform command-line interface
Use the following configuration to create a secret from the Terraform CLI.
resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
name = "<SECRET_NAME>"
// This tag allows the Apono connector role to read the secret with predefined policy
tags = {
"apono-connector-read" = "true"
}
}
resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
secret_id = aws_secretsmanager_secret.<SECRET_NAME>.id
secret_string = jsonencode({
KEY1 = "VALUE1",
KEY2 = "VALUE2"
})
}From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.
Use Azure Key Vault to store your connector credentials for the desired integration resources.
Azure user with the following permission on the Key Vault:
For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
Get
Set
Azure command-line interface
Run the following commands to create a secret from the Azure CLI.
az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'Azure user with the following permission on the Key Vault:
For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
Get
Set
Follow these steps to create a secret:
Navigate to your key vault in the Azure portal.
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
Upload options: Manual.
Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
Leave the other values to their defaults. Select Create.
Azure user with the following permission on the Key Vault:
For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
Get
Set
Terraform command-line interface
Use the following configuration to create a secret from the Terraform CLI.
data "azurerm_key_vault" "<KEY_VAULT>" {
name = "<KEY_VAULT_NAME>"
resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}
resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
name = "<SECRET_NAME>"
value = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam
Use GCP Secret Manager to store your connector credentials for the desired integration resources.
GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
gcloud command-line interface
Run the following commands to create a secret from the gcloud CLI.
gcloud secrets create <SECRET_NAME> \
--replication-policy="<REPLICATION-POLICY>" \
--data-file=-
gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
Follow these steps to create a secret:
Go to the Secret Manager page in the Google Cloud console.
On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.
GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
Terraform command-line interface
Use the following configuration to create a secret from the Terraform CLI.
resource "google_secret_manager_secret" "<SECRET_NAME>" {
secret_id = "<SECRET_NAME>"
replication {
<REPLICATION-POLICY>
}
}
resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
secret = google_secret_manager_secret.<SECRET_NAME>.id
secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.
Use HashiCorp Vault to store your connector credentials for the desired integration resources.
Required Apono connector version: 1.6.6
HashiCorp Vault token
Create token using:
You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.
Enable Secret Engine
If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.
Verify that the VAULT_NAMESPACE environment variable is set to admin.
$ echo $VAULT_NAMESPACE
adminIf not, be sure to set it before you continue.
$ export VAULT_NAMESPACE=adminEnable key/value v2 secrets engine (kv-v2) at secret/.
$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/Create New Secret
Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.
$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"Example output:
Key Value
--- -----
created_time 2021-06-17T02:48:51.643350733Z
deletion_time n/a
destroyed false
version 1To verify, read back the secret at secret/test/webapp.
$ vault kv get secret/test/webappExample output:
====== Metadata ======
Key Value
--- -----
created_time 2021-06-17T02:48:51.643350733Z
deletion_time n/a
destroyed false
version 1
===== Data =====
Key Value
--- -----
api-key ABC0DEFG9876Enable Secret Engine
In the Vault UI, set the current namespace to admin/.
Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter secret in the Path field.
Click Enable Engine to complete.
Now that you have a secret engine enabled, you will create a new secret.
Create New Secret
Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.
Update Apono Connector Configuration to Integrate with HashiCorp Vault
Define vault in your connector using:
environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'
Read from file (docker secrets/secret file mount into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"
To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:
[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]
To skip certificate verification use the following environment variable:
[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]
Define HashiCorp Vault Fetch Secret Definition from Secret Manager
You can define HashiCorp vault to fetch secret definition from AWS, GCP, Azure or Kubernetes secret managers using the following environment variable:
HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.
