Apono Integration Secret
Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.
Apono supports the following secret managers:
Apono Secret
Use Apono to store your connector credentials for the desired integration resources.
Using the Apono secret store option is not recommended for production environments.
We suggest creating a secret in one of the supported cloud providers secret manager or in a Kubernetes secret. Storing secrets in a secret manager enables Apono to sync and provision cloud resources without the need to store credentials for a specific environment in Apono.\
Set Credentials in Apono Secret
From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.
Kubernetes Secret
Use Kubernetes secret to store your connector credentials for the desired integration resources.
Prerequisites
Apono connector installed in your Kubernetes cluster.
Create Secret in Kubernetes Cluster
You can use one of the following methods to create a secret in AWS Secret Manager to use in your integration:
CLI
Prerequisites
Install the Kubectl Command-line.
Create a new secret for Apono
Create the secret.
kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>Label the secret with
apono-connector-read:true
kubectl label secret <SECRET_NAME> "apono-connector-read=true"Give the Apono connector permissions to the secret:
helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--set-string apono.token=<APONO_TOKEN> \
--set-string apono.connectorId=<CONNECTOR_NAME> \
--set serviceAccount.manageClusterRoles=true \
--set allowedSecretsToRead={secret1\,secret2\,secret3} \
--namespace apono-connector Terraform
Prerequisites
Install the Terraform Command-line.
Create a new secret for Apono
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.32.0"
}
helm = {
source = "hashicorp/helm"
version = "2.15.0"
}
}
}
provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}
resource "kubernetes_secret" "apono-k8s-secret" {
metadata {
name = "<SECRET_NAME>"
namespace = "<NAMESPACE>"
labels = {
"apono-connector-read" = "true"
}
}
data = {
<KEY1> = "<VALUE1>"
<KEY2> = "<VALUE2>"
}
type = "Opaque"
}
resource "helm_release" "apono-helm" {
name = "apono-connector"
repository = "https://apono-io.github.io/apono-helm-charts"
chart = "apono-connector"
namespace = "<NAMESPACE>"
set {
name = "apono.token"
value = "<APONO_TOKEN>"
type = "string"
}
set {
name = "apono.connectorId"
value = "<CONNECTOR_NAME>"
type = "string"
}
set {
name = "serviceAccount.manageClusterRoles"
value = "true"
}
set {
name = "allowedSecretsToRead"
value = "{secret1\,secret2\,secret3}"
}
}Configure Integration to Use Kubernetes Secret
From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.
AWS Secret
Use AWS Secret Manager to store your connector credentials for the desired integration resources.
Prerequisites
AWS role or user with SecretsManagerReadWrite attached policy.
Create Secret in AWS Secret Manager
You can use one of the following methods to create a secret in AWS Secret Manager to use in your integration:
Console
Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
Choose Store a new secret.
On the Choose other type of secret.
In Key/value pairs, either enter your secret in JSON Key/value pairs, or choose the Plaintext tab and enter the secret in any format.
Click next
In Configure secret, under Tags, add the following tag:
apono-connector-read:true
CLI
Prerequisites
Install the AWS Command-line.
Create a new secret for Apono
aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'Terraform
Prerequisites
Install the Terraform Command-line.
Create a new secret for Apono
resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
name = "<SECRET_NAME>"
// This tag allows the Apono connector role to read the secret with predefined policy
tags = {
"apono-connector-read" = "true"
}
}
resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
secret_id = aws_secretsmanager_secret.<SECRET_NAME>.id
secret_string = jsonencode({
KEY1 = "VALUE1",
KEY2 = "VALUE2"
})
}Configure Integration to Use The AWS Secret
From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.
Azure Secret
Use Azure Key Vault to store your connector credentials for the desired integration resources.
Prerequisites
Azure user with the following permission on the Key Vault:
For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the
Key Vault Secrets Officerrole.For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
Get
Set
Create Secret in Azure Key Vault
You can use one of the following methods to create a secret in Azure Key Vault to use in your integration:
Console
Navigate to your key vault in the Azure portal:
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
Upload options: Manual.
Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
Leave the other values to their defaults. Select Create.
CLI
Prerequisites
Install the Azure Command-line.
Create a new secret for Apono
az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'Terraform
Prerequisites
Install the Terraform Command-line.
Create a new secret for Apono
data "azurerm_key_vault" "<KEY_VAULT>" {
name = "<KEY_VAULT_NAME>"
resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}
resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
name = "<SECRET_NAME>"
value = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}Configure Integration to Use The Azure Secret
From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam
GCP Secret
Use GCP Secret Manager to store your connector credentials for the desired integration resources.
Prerequisites
GCP user with
Secret Manager Admin(roles/secretmanager.admin)role.Enable the Secret Manager API, once per project.
Create Secret in GCP Secret Manager
You can use one of the following methods to create a secret in GCP Secret Manager to use in your integration:
Console
Go to the Secret Manager page in the Google Cloud console.
On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter
my-secret.In the Secret value field, enter
my super secret data.Click the Create secret button.
CLI
Prerequisites
Install the gcloud Command-line.
Create a new secret for Apono
gcloud secrets create <SECRET_NAME> \
--replication-policy="<REPLICATION-POLICY>" \
--data-file=-
gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'Terraform
Prerequisites
Install the Terraform Command-line.
Create a new secret for Apono
resource "google_secret_manager_secret" "<SECRET_NAME>" {
secret_id = "<SECRET_NAME>"
replication {
<REPLICATION-POLICY>
}
}
resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
secret = google_secret_manager_secret.<SECRET_NAME>.id
secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}Configure Integration to Use The GCP Secret
From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.
HashiCorp Secret
Use HashiCorp Vault to store your connector credentials for the desired integration resources.
Prerequisites
Required Apono connector version: 1.6.6
HashiCorp Vault token
Create token using:
Create Secret in HashiCorp Vault
You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration:
Console
Enable Secret Engine
In the Vault UI, set the current namespace to
admin/.
Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter
secretin the Path field.Click Enable Engine to complete.
Now that you have a secret engine enabled, you will create a new secret.
Create New Secret
Click Create secret. Enter
test/webappin the Path for this secret field.Under the Secret data section, enter
api-keyin the key field, andABC0DEFG9876in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.
CLI
Enable Secret Engine
If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.
Verify that the
VAULT_NAMESPACEenvironment variable is set toadmin.$ echo $VAULT_NAMESPACE adminIf not, be sure to set it before you continue.
$ export VAULT_NAMESPACE=adminEnable key/value v2 secrets engine (
kv-v2) atsecret/.$ vault secrets enable -path=secret kv-v2 Success! Enabled the kv-v2 secrets engine at: secret/
Create New Secret
Store
api-keywith valueABC0DEFG9876at the pathsecret/test/webapp.$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"Example output:
Key Value --- ----- created_time 2021-06-17T02:48:51.643350733Z deletion_time n/a destroyed false version 1To verify, read back the secret at
secret/test/webapp.$ vault kv get secret/test/webappExample output:
====== Metadata ====== Key Value --- ----- created_time 2021-06-17T02:48:51.643350733Z deletion_time n/a destroyed false version 1 ===== Data ===== Key Value --- ----- api-key ABC0DEFG9876
Update Apono Connector Configuration to Integrate with HashiCorp Vault
Define vault in your connector using:
environment variable:
export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'Read from file (docker secrets/secret file mount into the container):
export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"
To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:
[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]
To skip certificate verification use the following environment variable:
[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]
Define HashiCorp Vault Fetch Secret Definition from Secret Manager
You can define HashiCorp vault to fetch secret definition from AWS, GCP, Azure or Kubernetes secret managers using the following environment variable:
HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'Configure Integration to Use The HashiCorp Vault Secret
From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.
Last updated
