# Apono Integration Secret

Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.

Apono supports the following secret managers:

{% tabs %}
{% tab title="Apono" %}

#### Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

{% hint style="danger" %}
**Using the Apono secret store option is not recommended for production environments.**

We suggest creating a secret in one of the supported cloud providers' secret managers or in a Kubernetes secret. Storing secrets in a secret manager enables Apono to sync and provision cloud resources without storing environment-specific credentials in Apono itself.
{% endhint %}

***

**Set Credentials in Apono Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **APONO** tab and enter the required credentials information for the integration.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-cd39fed7f917db1db435000c91ecee559a97eedc%2Fimage%20(21).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Kubernetes" %}

#### Kubernetes Secret

Use a Kubernetes secret to store your connector credentials for the desired integration resources.

{% tabs %}
{% tab title="cli" %}
**Prerequisites**

* [Apono connector](https://docs.apono.io/docs/kubernetes-environment/apono-connector-for-kubernetes) installed in your Kubernetes cluster
* [Kubectl](https://kubernetes.io/docs/tasks/tools/) command-line interface

***

**Create a secret**

Run the following commands to create a secret from the Kubectl CLI.

1. Create the secret.

{% code overflow="wrap" %}

```bash
kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>
```

{% endcode %}

2. Label the secret with `apono-connector-read=true` so the connector is allowed to read it.

{% code overflow="wrap" %}

```bash
kubectl label secret <SECRET_NAME> "apono-connector-read=true"
```

{% endcode %}

3. Grant the Apono connector read permission on the secret by listing it in `allowedSecretsToRead`:

{% code overflow="wrap" %}

```sh
helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector
```

{% endcode %}
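The two kubectl commands above create the Secret and then attach the label in separate steps. The following added example (Python, not part of the Apono documentation or Helm chart) builds the same object as a single manifest you can review in a pull request and apply with `kubectl apply -f secret.json`, and includes a check that reports what would stop the connector from reading it. The credential keys and values in the `__main__` block are constructed placeholders; the Helm `allowedSecretsToRead` step still applies afterwards.

```python
"""Build and check a Kubernetes Secret manifest carrying the Apono read label.

Added example, not Apono's code. `kubectl apply -f` accepts JSON manifests, so
no YAML library is needed.
"""
import base64
import json

APONO_LABEL = "apono-connector-read"  # label name taken from the documentation above


def build_secret_manifest(name: str, namespace: str, data: dict) -> dict:
    """Return a v1 Secret with base64-encoded `data` and the Apono read label set."""
    if not data:
        raise ValueError("a secret needs at least one key/value pair")
    # Secret.data holds base64; Kubernetes decodes it before handing it to readers.
    encoded = {k: base64.b64encode(v.encode()).decode("ascii") for k, v in data.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {APONO_LABEL: "true"},
        },
        "data": encoded,
    }


def readable_by_connector(manifest: dict) -> list:
    """Return the problems that would stop the connector reading this manifest.

    Only the conditions stated on this page are checked: it must be a Secret,
    carry apono-connector-read=true, and hold some data.
    """
    problems = []
    if manifest.get("kind") != "Secret":
        problems.append("kind is not Secret")
    labels = manifest.get("metadata", {}).get("labels", {})
    if labels.get(APONO_LABEL) != "true":
        problems.append(f"missing label {APONO_LABEL}=true")
    if not manifest.get("data") and not manifest.get("stringData"):
        problems.append("secret has no data")
    return problems


def decode_data(manifest: dict) -> dict:
    """Decode the base64 `data` map back to plain strings (what a reader receives)."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def to_json(manifest: dict) -> str:
    """Serialize the manifest for `kubectl apply -f`."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed placeholder credentials; use the keys your integration expects.
    manifest = build_secret_manifest(
        "my-integration-secret", "apono-connector",
        {"username": "svc-apono", "password": "example-only"},
    )
    print(to_json(manifest))
    print("problems:", readable_by_connector(manifest) or "none")
```

Because the label is part of the manifest, re-applying it after someone removes the label restores the connector's access in one step, and the diff in version control shows exactly which secrets the connector is allowed to read.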
{% endtab %}

{% tab title="terraform" %}
**Prerequisites**

* [Apono connector](https://docs.apono.io/docs/kubernetes-environment/apono-connector-for-kubernetes) installed in your Kubernetes cluster
* [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) command-line interface

***

**Create a secret**

Use the following configuration to create a secret from the Terraform CLI.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

# The kubernetes_secret resource below needs the kubernetes provider configured,
# not only the helm provider.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name      = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    # This label allows the Apono connector to read the secret
    labels = {
      "apono-connector-read" = "true"
    }
  }

  # Values in `data` are base64-encoded by the provider; pass them in plain text.
  data = {
    "<KEY1>" = "<VALUE1>"
    "<KEY2>" = "<VALUE2>"
  }

  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }

  # Commas inside a Helm --set value are escaped as `\,`; in an HCL string the
  # backslash itself must be escaped as well, hence `\\,`.
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\\,secret2\\,secret3}"
  }
}
```

{% endtab %}
{% endtabs %}

***

**Configure Integration to Use Kubernetes Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **Kubernetes** tab and enter the required secret **namespace** and **name**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-764ba20626f91eda885e6505d5d937a61f314b65%2Fimage%20(24).png?alt=media" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="AWS" %}

#### AWS Secret

Use AWS Secrets Manager to store your connector credentials for the desired integration resources.

{% tabs %}
{% tab title="cli" %}
**Prerequisites**

* AWS role or user with `SecretsManagerReadWrite` attached policy
* [AWS](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) command-line interface

***

**Create a secret**

Run the following commands to create a secret from the AWS CLI.

```sh
aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
```

{% endtab %}

{% tab title="console" %}
**Prerequisite**

* AWS role or user with `SecretsManagerReadWrite` attached policy.

***

**Create a secret**

Follow these steps to create a secret:

1. From the [Secrets Manager console](https://console.aws.amazon.com/secretsmanager/), click **Store a new secret**. The **Choose secret type** page appears.
2. Select **Other type of secret**.
3. Under **Key/value** pairs, enter your secret through one of the following approaches:
   * On the **Key/value** tab, enter your information in the two fields: key in the first field, value in the second field.
   * On the **Plaintext** tab, enter your secret in JSON key/value pairs.
4. Click **Next**. The **Configure secret** page appears.
5. Under **Tags**, click **Add**.
6. In the **Key** field, enter *apono-connector-read*.
7. In the **Value** field, enter *true*.
{% endtab %}

{% tab title="terraform" %}
**Prerequisites**

* AWS role or user with `SecretsManagerReadWrite` attached policy
* [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) command-line interface

***

**Create a secret**

Use the following configuration to create a secret from the Terraform CLI.

```hcl
resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}
```

{% endtab %}
{% endtabs %}

***

**Configure Integration to Use The AWS Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **AWS** tab and enter the required secret **region** and **secret name**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-0747866c6e9745efbb6b2abbaf59365713e74b2d%2Fimage%20(23).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Azure" %}

#### Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

{% tabs %}
{% tab title="cli" %}
**Prerequisites**

Azure user with the following permissions on the Key Vault:

* For a Key Vault configured with the **Azure role-based access control** permission model, grant the user the `Key Vault Secrets Officer` role.
* For a Key Vault configured with the **access policy** permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):
  * Get
  * Set
* [Azure](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) command-line interface

***

**Create a secret**

Run the following commands to create a secret from the Azure CLI.

```sh
az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
```

{% endtab %}

{% tab title="console" %}
**Prerequisites**

Azure user with the following permissions on the Key Vault:

* For a Key Vault configured with the **Azure role-based access control** permission model, grant the user the `Key Vault Secrets Officer` role.
* For a Key Vault configured with the **access policy** permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):
  * Get
  * Set

***

**Create a secret**

Follow these steps to create a secret:

1. Navigate to your key vault in the Azure portal.
2. On the Key Vault left-hand sidebar, select **Objects** then select **Secrets**.
3. Select **+ Generate/Import**.
4. On the **Create a secret** screen choose the following values:
   * **Upload options**: Manual.
   * **Name**: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see [Key Vault objects, identifiers, and versioning](https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#objects-identifiers-and-versioning)
   * **Value**: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
   * Leave the other values to their defaults. Select **Create**.
{% endtab %}

{% tab title="terraform" %}
**Prerequisites**

Azure user with the following permissions on the Key Vault:

* For a Key Vault configured with the **Azure role-based access control** permission model, grant the user the `Key Vault Secrets Officer` role.
* For a Key Vault configured with the **access policy** permission model, create and grant the user an access policy with the following secret permissions (Secret Management Operations):
  * Get
  * Set
* [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) command-line interface

***

**Create a secret**

Use the following configuration to create a secret from the Terraform CLI.

```hcl
data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  # HCL has no single-quoted strings; jsonencode builds the JSON value the connector expects.
  value = jsonencode({
    "<KEY1>" = "<VALUE1>",
    "<KEY2>" = "<VALUE2>"
  })
  # The vault is looked up by the data source above, so reference it with the data. prefix.
  key_vault_id = data.azurerm_key_vault.<KEY_VAULT>.id
}
```

{% endtab %}
{% endtabs %}

***

**Configure Integration to Use The Azure Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **Azure** tab and enter the required secret **key vault URL** and **secret name**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-0ecda74b27a8c895889c561442501c054d2c5048%2Fimage%20(22).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="GCP" %}

#### GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

{% tabs %}
{% tab title="cli" %}
**Prerequisites**

* GCP user with the **Secret Manager Admin** (`roles/secretmanager.admin`) role.
* [Secret Manager API](https://cloud.google.com/secret-manager/docs/configuring-secret-manager) (enabled once per project)
* [gcloud](https://cloud.google.com/sdk/docs/install) command-line interface

***

**Create a secret**

Run the following commands to create a secret from the gcloud CLI.

{% code overflow="wrap" %}

```sh
# --data-file=- reads the secret payload from stdin, so pipe the JSON into the command
printf '%s' '{"KEY1":"VALUE1","KEY2":"VALUE2"}' | gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

# Verify the stored payload by reading back version 1 of the secret
gcloud secrets versions access 1 --secret=<SECRET_NAME>
```

{% endcode %}
{% endtab %}

{% tab title="console" %}
**Prerequisites**

* GCP user with the **Secret Manager Admin** (`roles/secretmanager.admin`) role.
* [Secret Manager API](https://cloud.google.com/secret-manager/docs/configuring-secret-manager) (enabled once per project)

***

**Create a secret**

Follow these steps to create a secret:

1. [Go to the Secret Manager page](https://console.cloud.google.com/security/secret-manager) in the Google Cloud console.
2. On the **Secret Manager** page, click **Create Secret**.
3. On the **Create secret** page, under **Name**, enter `my-secret`.
4. In the **Secret value** field, enter `my super secret data`.
5. Click the **Create secret** button.
{% endtab %}

{% tab title="terraform" %}
**Prerequisites**

* GCP user with the **Secret Manager Admin** (`roles/secretmanager.admin`) role.
* [Secret Manager API](https://cloud.google.com/secret-manager/docs/configuring-secret-manager) (enabled once per project)
* [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) command-line interface

***

**Create a secret**

Use the following configuration to create a secret from the Terraform CLI.

```hcl
resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    # for example `auto {}` for automatic replication
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  # HCL has no single-quoted strings; jsonencode produces the JSON payload the connector expects.
  secret_data = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}
```

{% endtab %}
{% endtabs %}

***

**Configure Integration to Use The GCP Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **GCP** tab and enter the required secret **Project** and **secret ID**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-caa69a80162e45ba3d42aa8d6693b4ea2022b6b5%2Fimage%20(20).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="HashiCorp" %}

#### HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

**Prerequisites**

* Required Apono connector version: 1.6.6
* [Vault command-line](https://developer.hashicorp.com/vault/docs/install)
* HashiCorp Vault token
  * Create token using:
    * [`token create` command](https://developer.hashicorp.com/vault/docs/commands/token/create)
    * [HCP portal](https://developer.hashicorp.com/vault/tutorials/tokens/tokens)

***

**Create Secret in HashiCorp Vault**

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

{% tabs %}
{% tab title="cli" %}
**Enable Secret Engine**

If you did not set the `VAULT_ADDR`, `VAULT_NAMESPACE`, and `VAULT_TOKEN` environment variables, refer to the steps in the [Create a Vault Cluster on HCP](https://developer.hashicorp.com/vault/tutorials/cloud/get-started-vault#access-the-vault-cluster) tutorial.

1. Verify that the `VAULT_NAMESPACE` environment variable is set to `admin`.

   ```
   $ echo $VAULT_NAMESPACE
   admin
   ```

   If not, be sure to set it before you continue.

   ```
   $ export VAULT_NAMESPACE=admin
   ```
2. Enable key/value v2 secrets engine (`kv-v2`) at `secret/`.

   ```
   $ vault secrets enable -path=secret kv-v2
   Success! Enabled the kv-v2 secrets engine at: secret/
   ```

**Create New Secret**

1. Store `api-key` with value `ABC0DEFG9876` at the path `secret/test/webapp`.

   ```
   $ vault kv put secret/test/webapp api-key="ABC0DEFG9876"
   ```

   **Example output:**

   ```
   Key              Value
   ---              -----
   created_time     2021-06-17T02:48:51.643350733Z
   deletion_time    n/a
   destroyed        false
   version          1
   ```
2. To verify, read back the secret at `secret/test/webapp`.

   ```
   $ vault kv get secret/test/webapp
   ```

   **Example output:**

   ```
   ====== Metadata ======
   Key              Value
   ---              -----
   created_time     2021-06-17T02:48:51.643350733Z
   deletion_time    n/a
   destroyed        false
   version          1

   ===== Data =====
   Key        Value
   ---        -----
   api-key    ABC0DEFG9876
   ```

{% endtab %}

{% tab title="console" %}
**Enable Secret Engine**

1. In the Vault UI, set the current namespace to `admin/`.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-1c9d838f7be6dadefa4920428219351018dfce0c%2Fimage%20(25).png?alt=media" alt=""><figcaption></figcaption></figure>

2. Select **Secrets engines**.
3. Click **Enable new engine**.
4. Select **KV** from the list, and then click **Next**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-6cf66c5de604a6ef6f8b58a0422209d0d2501048%2Fimage%20(19).png?alt=media" alt=""><figcaption></figcaption></figure>

5. Enter `secret` in the **Path** field.
6. Click **Enable Engine** to complete.

Now that you have a secret engine enabled, you will create a new secret.

**Create New Secret**

1. Click **Create secret**. Enter `test/webapp` in the **Path for this secret** field.
2. Under the **Secret data** section, enter `api-key` in the **key** field, and `ABC0DEFG9876` in the **value** field. You can click on the sensitive information toggle to show or hide the entered secret values.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXewGSdD2hkGxmd4YOj3UN9JpDKkCRIaqJCNJZt1R_5-ASTNvqh_FRqUamzCP88TISJGvUfxX8nhcqtJFLz7pTU80SdRnGIa6ReDUUcB-YzSgFLp2o12QsamMpjgO5zlSPpjZBrtbU2BNgpfKraGewXMwsEo?key=u661KqnCucNG5yJACl042g" alt="" width="563"><figcaption><p>Create secret page</p></figcaption></figure>
{% endtab %}
{% endtabs %}

**Update Apono Connector Configuration to Integrate with HashiCorp Vault**

Define the Vault in your connector using one of the following:

* Environment variable: `export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'`
* Read from a file (a Docker secret or a secret file mounted into the container): `export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"`

{% hint style="info" %}
To authenticate HashiCorp Vault over SSL/TLS with a custom certificate authority, add the base64-encoded CA certificate (`ca_cert_base64`) to the `HASHICORP_VAULT_CONFIG` value:

`[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]`

To skip certificate verification entirely (the connector then cannot detect a spoofed Vault endpoint), set `skip_verify`:

`[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]`
{% endhint %}

**Define HashiCorp Vault Fetch Secret Definition from Secret Manager**

Instead of placing the Vault address and token inline, you can have the HashiCorp Vault definition fetched from an [AWS](#aws), [GCP](#gcp), [Azure](#azure) or [Kubernetes](#kubernetes) secret manager by using the following environment variable:

{% code overflow="wrap" %}

```bash
HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID"},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'
```

{% endcode %}
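A malformed `HASHICORP_VAULT_CONFIG` value (a stray trailing comma, a missing `token`, a `from_secret_store` entry without the keys its store needs) only surfaces when the connector starts. The following added example (Python, not part of the Apono connector) checks the value before deployment, using the array shape shown above: each entry is either an inline Vault definition (`address` and `token`, optionally `ca_cert_base64` or `skip_verify`) or a `from_secret_store` reference. The per-store required keys are an assumption inferred from the page's example, not the connector's published schema, and the sample value in the `__main__` block is constructed.

```python
"""Validate a HASHICORP_VAULT_CONFIG value before handing it to the connector.

Added example; the STORE_KEYS table is inferred from the documentation's
example value and is an assumption, not the connector's schema.
"""
import base64
import binascii
import json
import os
from urllib.parse import urlparse

# Keys the page shows for each from_secret_store value (assumption: inferred from the example).
STORE_KEYS = {
    "AWS": {"region", "secret_id"},
    "GCP": {"project", "secret_id"},
    "AZURE": {"AZURE_KEY_VAULT_URL", "name"},
    "KUBERNETES": {"NAMESPACE", "name"},
}


def validate_vault_config(raw: str) -> list:
    """Return a list of findings; an empty list means the value is usable.

    Findings prefixed 'error' would stop the connector parsing the value;
    findings prefixed 'warn' are TLS settings worth a second look.
    """
    findings = []
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A trailing comma such as `"secret_id": "X",}` lands here.
        return [f"error: not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(entries, list) or not entries:
        return ["error: expected a non-empty JSON array of vault definitions"]

    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"error: entry {i} is not a JSON object")
            continue
        store = entry.get("from_secret_store")
        if store is None:
            findings.extend(_check_inline(i, entry))
        elif store not in STORE_KEYS:
            findings.append(f"error: entry {i} has unknown from_secret_store {store!r}")
        else:
            missing = STORE_KEYS[store] - set(entry)
            if missing:
                findings.append(f"error: entry {i} ({store}) missing keys {sorted(missing)}")
    return findings


def _check_inline(i: int, entry: dict) -> list:
    """Checks for an entry that carries the Vault address and token inline."""
    out = []
    for key in ("address", "token"):
        if not entry.get(key):
            out.append(f"error: entry {i} missing {key!r}")
    if urlparse(str(entry.get("address", ""))).scheme == "http":
        out.append(f"warn: entry {i} uses plain http; the token travels unencrypted")
    if str(entry.get("skip_verify", "")).lower() == "true":
        out.append(f"warn: entry {i} disables certificate verification")
    ca = entry.get("ca_cert_base64")
    if ca is not None:
        try:
            pem = base64.b64decode(str(ca), validate=True)
        except (binascii.Error, ValueError):
            out.append(f"error: entry {i} ca_cert_base64 is not valid base64")
        else:
            if b"BEGIN CERTIFICATE" not in pem:
                out.append(f"warn: entry {i} ca_cert_base64 does not decode to a PEM certificate")
    return out


if __name__ == "__main__":
    # Read the variable as the connector would; fall back to a constructed sample.
    sample = os.environ.get("HASHICORP_VAULT_CONFIG") or (
        '[{"address":"https://vault.example.internal:8200","token":"EXAMPLE_TOKEN"},'
        '{"from_secret_store":"AWS","region":"us-east-1","secret_id":"apono/vault"}]'
    )
    for line in validate_vault_config(sample) or ["ok: no findings"]:
        print(line)
```

Run it in the same shell that exports `HASHICORP_VAULT_CONFIG` (or point it at the contents of the file named by `HASHICORP_VAULT_CONFIG_FILE_PATH`) and treat any `error` line as a blocker before restarting the connector.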

***

**Configure Integration to Use The HashiCorp Vault Secret**

From your **Integration** configuration page expand **Secret Store**, click on the **HashiCorp** tab and enter the required secret **Secret engine** and **Secret path**.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-b305fe03d1c7d7d25d84d4e06442b2cf38768a61%2Fimage%20(10).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}
