Apono Integration Secret

Last updated 8 months ago

Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.

Apono supports the following secret managers:

Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

Using the Apono secret store option is not recommended for production environments.

We suggest creating the secret in one of the supported cloud providers' secret managers or in a Kubernetes secret. Storing secrets in a secret manager lets Apono sync and provision cloud resources without storing environment-specific credentials in Apono itself.


Set Credentials in Apono Secret

From your Integration configuration page, expand Secret Store, click the APONO tab, and enter the credential information required by the integration.

Kubernetes Secret

Use a Kubernetes secret to store your connector credentials for the desired integration resources.

Prerequisites

  • Apono connector installed in your Kubernetes cluster

  • Kubectl command-line interface

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

  1. Create the secret.

    kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

  2. Label the secret with apono-connector-read:true.

    kubectl label secret <SECRET_NAME> "apono-connector-read=true"

  3. Give the Apono connector permission to read the secret (list the secret names in allowedSecretsToRead):

    helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
        --set-string apono.token=<APONO_TOKEN> \
        --set-string apono.connectorId=<CONNECTOR_NAME> \
        --set serviceAccount.manageClusterRoles=true \
        --set allowedSecretsToRead={secret1\,secret2\,secret3} \
        --namespace apono-connector

Prerequisites

  • Apono connector installed in your Kubernetes cluster

  • Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

# The kubernetes_secret resource below needs a configured kubernetes provider
provider "kubernetes" {
  config_path = "~/.kube/config"
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name      = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    # This label marks the secret as readable by the Apono connector
    labels = {
      "apono-connector-read" = "true"
    }
  }

  # Values are base64-encoded by the provider; pass them as plain strings
  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }

  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }

  # Names of the secrets the connector may read. HCL does not accept the "\,"
  # escape; the helm provider parses the braces as a list, so plain commas
  # give the same result as the kubectl/helm CLI command.
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1,secret2,secret3}"
  }
}

Configure Integration to Use Kubernetes Secret

From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.

AWS Secret

Use AWS Secrets Manager to store your connector credentials for the desired integration resources.

Prerequisites

  • AWS role or user with the SecretsManagerReadWrite policy attached

  • AWS command-line interface


Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

  • AWS role or user with SecretsManagerReadWrite attached policy.


Create a secret

Follow these steps to create a secret:

  1. From the Secrets Manager console, click Store a new secret. The Choose secret type page appears.

  2. Select Other type of secret.

  3. Under Key/value pairs, enter your secret through one of the following approaches:

    • On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.

    • On the Plaintext tab, enter your secret as JSON key/value pairs.

  4. Click Next. The Configure secret page appears.

  5. Under Tags, click Add.

  6. In the Key field, enter apono-connector-read.

  7. In the Value field, enter true.

Prerequisites

  • AWS role or user with the SecretsManagerReadWrite policy attached

  • Terraform command-line interface


Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The AWS Secret

From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.

Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

Prerequisites

  • Azure command-line interface

  • Azure user with the following permissions on the Key Vault:

    • For a Key Vault configured with the 'Azure role-based access control' permission model, grant the user the Key Vault Secrets Officer role.

    • For a Key Vault configured with the 'access policy' permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):

      • Get

      • Set


Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permissions on the Key Vault:

  • For a Key Vault configured with the 'Azure role-based access control' permission model, grant the user the Key Vault Secrets Officer role.

  • For a Key Vault configured with the 'access policy' permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):

    • Get

    • Set


Create a secret

Follow these steps to create a secret:

  1. Navigate to your key vault in the Azure portal.

  2. On the Key Vault left-hand sidebar, select Objects then select Secrets.

  3. Select + Generate/Import.

  4. On the Create a secret screen, choose the following values:

    • Upload options: Manual.

    • Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning.

    • Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.

    • Leave the other values at their defaults. Select Create.

Prerequisites

  • Terraform command-line interface

  • Azure user with the following permissions on the Key Vault:

    • For a Key Vault configured with the 'Azure role-based access control' permission model, grant the user the Key Vault Secrets Officer role.

    • For a Key Vault configured with the 'access policy' permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):

      • Get

      • Set


Create a secret

Use the following configuration to create a secret from the Terraform CLI.

# Look up the existing Key Vault that will hold the secret
data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  # HCL has no single-quoted strings; jsonencode builds the JSON key/value payload
  value = jsonencode({
    "<KEY1>" = "<VALUE1>"
    "<KEY2>" = "<VALUE2>"
  })
  # The vault comes from a data source, so reference it through data.
  key_vault_id = data.azurerm_key_vault.<KEY_VAULT>.id
}

Configure Integration to Use The Azure Secret

From your Integration configuration page, expand Secret Store, click the Azure tab, and enter the required Key Vault URL and secret name.

GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

  • GCP user with the Secret Manager Admin (roles/secretmanager.admin) role.

  • Secret Manager API (enabled once per project)

  • gcloud command-line interface


Create a secret

Run the following commands to create a secret from the gcloud CLI. The secret payload is piped to stdin because --data-file=- reads it from there.

# Create the secret and its first version from the JSON key/value payload
# (replication policy is, for example, automatic)
printf '%s' '{"KEY1":"VALUE1","KEY2":"VALUE2"}' | gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

# Verify by reading back version 1 of the secret
gcloud secrets versions access 1 --secret="<SECRET_NAME>"

Prerequisites

  • GCP user with the Secret Manager Admin (roles/secretmanager.admin) role.

  • Secret Manager API (enabled once per project)


Create a secret

Follow these steps to create a secret:

  1. Go to the Secret Manager page in the Google Cloud console.

  2. On the Secret Manager page, click Create Secret.

  3. On the Create secret page, under Name, enter my-secret.

  4. In the Secret value field, enter my super secret data.

  5. Click the Create secret button.

Prerequisites

  • GCP user with the Secret Manager Admin (roles/secretmanager.admin) role.

  • Secret Manager API (enabled once per project)

  • Terraform command-line interface


Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    # Replace with your replication policy, for example: auto {}
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  # HCL has no single-quoted strings; jsonencode builds the JSON key/value payload
  secret_data = jsonencode({
    KEY1 = "VALUE1"
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The GCP Secret

From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.

HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

Prerequisites

  • Required Apono connector version: 1.6.6

  • HashiCorp Vault token

    • Create the token using the Vault command-line token create command or the HCP portal.


Create Secret in HashiCorp Vault

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

Enable Secret Engine

If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

  1. Verify that the VAULT_NAMESPACE environment variable is set to admin.

    $ echo $VAULT_NAMESPACE
    admin

    If not, be sure to set it before you continue.

    $ export VAULT_NAMESPACE=admin
  2. Enable key/value v2 secrets engine (kv-v2) at secret/.

    $ vault secrets enable -path=secret kv-v2
    Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

  1. Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

    $ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

    Example output:

    Key              Value
    ---              -----
    created_time     2021-06-17T02:48:51.643350733Z
    deletion_time    n/a
    destroyed        false
    version          1
  2. To verify, read back the secret at secret/test/webapp.

    $ vault kv get secret/test/webapp

    Example output:

    ====== Metadata ======
    Key              Value
    ---              -----
    created_time     2021-06-17T02:48:51.643350733Z
    deletion_time    n/a
    destroyed        false
    version          1
    
    ===== Data =====
    Key        Value
    ---        -----
    api-key    ABC0DEFG9876

Enable Secret Engine

  1. In the Vault UI, set the current namespace to admin/.

  2. Select Secrets engines.

  3. Click Enable new engine.

  4. Select KV from the list, and then click Next.

  5. Enter secret in the Path field.

  6. Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

  1. Click Create secret. Enter test/webapp in the Path for this secret field.

  2. Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.

Update Apono Connector Configuration to Integrate with HashiCorp Vault

Define the vault in your connector using one of the following:

  • Environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'

  • Read from a file (Docker secrets or a secret file mounted into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"

To authenticate the HashiCorp Vault SSL/TLS connection with a certificate, add ca_cert_base64 (the certificate, base64-encoded) to the environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]

To skip certificate verification (this disables TLS validation of the Vault endpoint, so limit it to test environments), use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]

Define HashiCorp Vault Fetch Secret Definition from Secret Manager

You can define HashiCorp Vault to fetch the secret definition from the AWS, GCP, Azure, or Kubernetes secret managers using the following environment variable (each entry is one JSON object; note there is no trailing comma inside an entry):

HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID"},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'
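As an added pre-flight check for the HASHICORP_VAULT_CONFIG value described above (example code written for this page, not part of the Apono connector), the following Python parses the JSON list, reports entries missing the fields each store type needs, and flags plain-HTTP addresses and skip_verify. The field names are the ones shown on this page; the sample inputs are constructed.

```python
import json
import os
from typing import List, Optional

# Required keys per entry kind, taken from the HASHICORP_VAULT_CONFIG examples
# on this page. A direct entry carries "address" and "token"; a
# "from_secret_store" entry names the store and the fields used to look it up.
REQUIRED_KEYS = {
    None: {"address", "token"},
    "AWS": {"region", "secret_id"},
    "GCP": {"project", "secret_id"},
    "AZURE": {"AZURE_KEY_VAULT_URL", "name"},
    "KUBERNETES": {"NAMESPACE", "name"},
}
KNOWN_STORES = {store for store in REQUIRED_KEYS if store}


def check_vault_config(raw: str) -> List[str]:
    """Return a list of findings for a HASHICORP_VAULT_CONFIG value.

    An empty list means the value parses, every entry is complete, and the
    direct vault entries use HTTPS with certificate verification enabled.
    """
    findings: List[str] = []
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A trailing comma or unquoted value fails here, before the connector
        # could read any entry at all.
        return [f"invalid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(entries, list):
        return ["top level must be a JSON list of vault definitions"]

    for idx, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"entry {idx}: not a JSON object")
            continue
        store: Optional[str] = entry.get("from_secret_store")
        if store is not None and store not in KNOWN_STORES:
            findings.append(f"entry {idx}: unknown from_secret_store {store!r}")
            continue
        missing = REQUIRED_KEYS[store] - set(entry)
        if missing:
            findings.append(f"entry {idx}: missing {sorted(missing)}")
        if store is None:
            # Direct vault entries: check transport security settings
            if str(entry.get("address", "")).startswith("http://"):
                findings.append(f"entry {idx}: vault address is plain HTTP")
            if str(entry.get("skip_verify", "")).lower() == "true":
                findings.append(f"entry {idx}: TLS verification disabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: HTTPS vault plus an AWS-backed definition
    sample = ('[{"address":"https://vault.example.internal:8200","token":"hvs.EXAMPLE"},'
              '{"from_secret_store":"AWS","region":"eu-west-1","secret_id":"apono/vault"}]')
    value = os.environ.get("HASHICORP_VAULT_CONFIG", sample)
    for finding in check_vault_config(value) or ["config OK"]:
        print(finding)
```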

Configure Integration to Use The HashiCorp Vault Secret

From your Integration configuration page, expand Secret Store, click the HashiCorp tab, and enter the required Secret engine and Secret path.
