1 of 100

Documentation and Guides

ABOUT APONO

Why Choose Apono

Apono is the best solution for just-in-time, temporary access to sensitive cloud resources

Apono lets you automate static access policies by turning them into declarative, dynamic Access Flows. Integrate your cloud environment, CI/CD stack, cloud infrastructure and databases with Apono. Create Access Flows with our declarative UI or in Terraform, and your developers can use Slack, Teams or CLI to request and approve access.

Protect what matters without breaking a sweat.

Who is Accessing Cloud Resources Right Now?

Do developers have admin/write access or read-only access to production?

Can you answer that, or must you sort through your cloud resources to find out? Of course, by the time you get to the last one, you'll have to recheck the first because so much time has elapsed, and access changes constantly. While discussing it, how long would it take to revoke access to a production cloud resource in an emergency?

With Apono, you have a single point of control for managing access without creating a single point of failure.

Apono Access: Automated, Just-in-Time, Just-Enough

Use Apono for on-demand access to critical resources. Grant an engineer permission to fix a production issue in an emergency. Grant a data scientist access to a data lake when needed. Just as important is to revoke access once it's no longer needed.

Apono's permissions are just-in-time and also ephemeral. Access is automatically revoked when no longer needed. No more forgotten privileges or group memberships left open. Access begins and ends according to Access Flow definition.

Access Management that Scales

No need to manually change permissions for each resource on your cloud platform every time someone needs access to one of its resources. While access can be granted at a granular level, large-scale environments can be managed efficiently by creating Access Flows, for individuals and groups, to all cloud resources and assets.

Your environment is always evolving, and so does Apono. Use hierarchies, tags and exclude for dynamic access management.

Apono Integrates with Terraform

Are you using Terraform to manage your cloud platforms?

That's great because Apono is a Terraform provider and can be provisioned to work alongside your resources by adding code blocks to integrate them into Apono. When you bring up a resource, it will immediately benefit from Apono access management.

Apono lets you turn static access policies into dynamic Access Flows directly from Terraform. Reuse a simple build file to build the perfect workflows for your organization without ever leaving Terraform.

Designed for DevX

With Apono, you will work smarter with less effort to manage and gain access to your cloud resources. You will take control of your cloud resource inventory from one central location.

Apono's Access Flows prepare for contingencies, emergency access and regular maintenance. Onboarding becomes quick and easy, with our dynamic Access Flows and access bundles. There's no need for writing and maintaining home-grown scripts and complex workflows.

Your developers can request access bundles and get just the access they need exactly when they need it, no hassle.

Deployed Via Slack and Teams

Developers and engineers love ChatOps and CLI, so why should they have to use another interface?

Apono integrates with Slack, Teams and CLI, so your R&D can use the tools they know to request & approve access, connect to the resources, and, after the access is automatically revoked, request the access again when they need it.

Speaks Your (Declarative) Language

Apono has developed a declarative, natural language format for defining access permissions. No need to edit config files. We call it Access Flow, and it looks like this:

Select a resource and then add (a) who is allowed to gain access (b) what kind of access (roles or permissions) to grant, (c) which specific resources in the integration to allow access to, (d) how long the access should last, (e) should access be approved automatically or by someone in the organization.

In fact, integrating with Apono and creating Access Flows has proven so intuitive that most Apono customers set up and deploy access control for their entire organizations within two weeks.

Keeps Your CISO Happy

Apono doesn't have access to any of your data. Ever.

How does it work? Install our connector in your environment, direct it to your secret store and you're done! The connector manages the data syncs to our app and handles access provisioning and de-provisioning to your services, without storing or caching secrets.

We call it SasS with on-premise level of security. And you can tell your customers that they can be confident that access to their data is protected.

A Home Run With SOX IT Controls

Apono's comprehensive access management covers your entire cloud, with Access Flows defined for every cloud service and resource type. Need to maintain least-privileges to production environments, financial data, PII, and other critical assets? Check!

Access requests and granted access are all logged, so you have a reliable audit of the access to your data. As part of your IT compliance reporting to SOX, HIPAA, GDPR, PCI DSS, SOC 2 and others, use Apono's audit logs and reports. Send them to external auditors, internal GRC and security teams, and export logs directly to ITSM, SIEM and compliance tools.

Security and Architecture

Apono helps you manage just-in-time access in a secure, least privilege way

Overview

Apono was built and designed with security in mind so that any company is able to use it in their environment.

We applied the same least privilege principles to our product that Apono unlocks for its users:

Ensure users receive just the right amount of permissions they need
Ensure users receive access only for the limited time they need them

Security

Apono's secure architecture

The Apono platform is built by two separate components:

The Web App
The Connector

The web app continuously receives basic data about users, resources and permissions from the connector.

The connector is fully deployed within the organization’s environment and has a limited set of template functions that can be invoked and are fully in the organization control.

This architecture ensures high reliability as well as segregation of environments, keeping any access to the environment within the environment.

The Web App security

Our web app is a portal for admins to create and manage integrations and Access Flows.

The portal:

Could only be accessed by admins of the system who've authenticated using the organizational identity provider.
Doesn't require access to the organization's environment resources. No roles, permissions, privileges, or actions are granted to the app.
Integrates with the organizational identity provider as the source of truth for the organizational identities.
Doesn't access your data or environment, and only communicates with the Apono connector.

The Connector security

Our connector is a component you install in your cloud environment (AWS, GCP, Azure, Kubernetes). It communicates with your cloud services and cloud apps using, but not caching or storing, your secrets.

The connector:

Is completely within the organization's control, as it is installed in your cloud provider.
Can be uninstalled or disconnected at any time without support from Apono.
Uses fully visible template functions, mutable by the organization’s environment owner. These functions limit the ability of the connector to only invoke specific actions that are predefined.
Has no permissions to access the data itself.
Does not store any secrets.

👍 The Apono Connector is High Availability
No downtime, no outages, no problem!
Our Round Robin method helps ensure uptime for your Apono integrations as users request access. Several connector instances will continue provisioning and deprovisioning access as needed.

Your data

When you integrate your cloud applications and IdP with Apono, Apono syncs metadata and configuration information continuously. We only sync basic information needed for access management: users, groups, resources and permissions.

Apono:

Does not read your data, like datasets, files, documents, code, etc.
Does not collect any personal data about your employees: Apono needs a user's email, and that's it.
Does not store or cache secrets or credentials

Secrets

Apono does not store or cache any of your secrets.

When a data sync is required, the connector gets the secret from your cloud's Secret Store to access the data it needs. After authenticating, the secret is not saved anywhere.

👍 Credentials rotation as often as you need
When granting access to users, Apono enforces password reset and credentials rotation out of the box to meet the strictest compliance and security standards. Read more here.

Architecture

Apono and AWS

Apono and GCP

Apono and Azure

Glossary

Commonly used Apono terms

Term

Meaning

GETTING STARTED

How Apono Works

Apono syncs with your apps' data, grants and revokes access

How Apono Works

Your Questions

How does Apono securely integrate with your environment?
How are Access Flows defined and managed?
How do developers request and approve access?
How do admins manage access logs and audit reports?

Great questions, let's get to it:

Integrate with Apono in 3 easy steps

Three easy steps are what it takes to create Just-In-Time and Just Enough permissions for everyone with access to your cloud assets and resources.

1. Install a Connector

Connectors are the components that mediate between Apono and your resources to sync data from cloud applications and grant and revoke access permissions.

The Connector does not read, cache or store any secrets, nor does Apono need an account with admin privileges to function. The Connector contacts your secret store or key vault when it needs to sync data or provision access.

Here's how Connectors work:

2. Integrate With Cloud Apps

After you've installed the Connector, integrate Apono with your cloud applications to sync data on users, groups, resources and permissions.

Apono currently has integrations for 35+ resource types in AWS, GCP, Azure and Kubernetes platforms, as well as development and CI/CD tools, databases, incident response tools, IdP, ChatOps products, and more. Check the Integrations Catalog for details and to see the latest.

3. Create Access Flows

Create an Access Flows by answering five questions:

Who should get access?
What can they gain access to?
What Actions will they be able to perform?
How Long should they have the access?
Who must Approve the request?

Fill in the blanks using information from drop-down lists, click Create, and you're done.

Apono is Self-Serve

Apono is completely self-serve! Curious? Try it for yourself (no demo needed)!

Using Terraform? Edit your Terraform .tf file to add Apono access management to your resources

Add Apono to Your IaC Configurations

Open-source Terraform or AWS ecosystem, Apono is a recognized provider for both.

Prepare Terraform configuration scripts by referring to the Terraform Installation Guide. You will also need the Integrations Metadata to learn what to included in each Apono resource.

Apono's Terraform provider is great for creating and managing integrations, as well as Access Flows!

Just Add Slack or Teams

Apono is built with DevX in mind. With Apono, developers can:

Request access directly in their favorite tool: Slack, Teams or CLI
Gain automatic access without waiting for approval if the Access Flow allows it
Get access details directly in Slack, Teams or CLI and use them with ease

No more complex forms, old service systems, proxies and clients to install, or hackling your IT department when you need to get work done.

That's why thousands of engineers use Apono for access requests every month!

Audit and Report on Access

Apono automates access logs and audit reports:

Every access request and action are fully logged
Query logs to get exactly what you need, even with our Public API!
Periodic reports and compliance needs? No problem! Create, save, download and schedule reports at will. We'll send it directly to your inbox.

Getting started

Get started with Apono in 10 minutes to get dynamic, centralized, just-in-time access management for your cloud!

Getting started

Get a taste of what Apono can do by (it's free!) and then follow our onboarding wizard.

You will complete 3 steps to see how easy it is for Admins to manage access with dynamic Access Flows, and how intuitive it is for developers and other end users to request and use Apono access just-in-time.

Try Apono in AWS, then unlock all of your cloud providers and applications for centralized, streamlined access management.

Step 1

Install the connector

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono app from the environment for maximal security.

If you're just getting started with Apono, we recommend using a local connector deployed with docker image.

You should know:

A local connector is only active as long as the container is running. This means you will have to rerun the command when the container is down.
The local connector leverages your existing AWS Profiles. Make sure you have an AWS Profile with Admin permissions to an AWS account, like playground, staging, dev, etc.
If your organization requires MFA, SSO login, VPN login or other security policies, the local connector using your AWS profile will need them to work.

How to deploy the local connector

Prerequisites

A configured AWS profile in your AWS CLI with these permissions: List and IAM to the AWS account and resources you want to integrate.

Necessary permissions policy - LIST

Necessary permissions policy - IAM

Steps

In the catalog, pick AWS.
Pick Account
Install a new connector and pick "Local Installation"

For Linux/mac:

Copy the command that appears in the Apono App and run it in your terminal: bash <(curl -s https://apono-public.s3.amazonaws.com/local-connector/install.sh) --apono-token <TOKEN> The<TOKEN> will appear in the one-liner the UI generates for you.
Follow the interactive prompts and assign:
1. AWS profile: Apono will leverage the permissions of the profile you pick. If you don't specify the profile, press enter and Apono will use the default profile.
Results:
1. If installed successfully, you will see this message: Installation complete. You can return to the Apono App
Go back to the Apono App and continue to integrate AWS. The local connector should appear on the screen with a green checkmark:

For Windows

Copy the command that appears in the Apono App and run it in your terminal: iex ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Uri "https://apono-public.s3.amazonaws.com/local-connector/install.ps1" -UseBasicParsing).Content))
Follow the interactive prompts and assign:
1. The <APONO TOKEN> that appears in the Apono App under the one-liner command.
Results:
1. If installed successfully, you will see the container ID that started running.
Go back to the Apono App and continue to integrate AWS. The local connector should appear on the screen with a green checkmark:

Integrate AWS with Apono

Provide the AWS config:
1. An integration name of your choosing
2. The region of the account you'd like to integrate
Click Connect
Wait for the integration to sync. This may take a few minutes.
Results:
1. You should see a success message indicating that Apono has successfully integrated with AWS Test.

Step 2

Create an Access Flow

Fill in the Access Flow form:
1. Click Someone to pick who can request the access. You can pick yourself under Users.
2. Click Select Target to pick the AWS Account you just connected and **the cloud service **you'd like to manage access to. Duplicate this line to include more cloud services in the Access Flow.
3. Click Any to pick the specific resources in the Access Flow by name, by AWS tags, or by excluding specific resources. You can also leave it as Any.
4. Click Permissions to pick the permissions users will be able to request.
5. You can leave the access time as 1 Hour and the approval as Automatic or change them as you'd like.

Click Create Access Flow.
In the next screen, click Request Access continue to Step 3.

Step 3

Request access

Developers and other end users in the organizations will request access according to the Access Flows using Slack, Teams, CLI, or the Apono Web Portal.

Fill in the request form:
1. Pick the integration
2. Pick the resource type
3. Pick resources
4. Pick permissions
5. Insert a justification

Click Request

Gain and use access

The request will appear on the screen with the status Pending

Once the connector provisions the access successfully, the status of the request will change to Granted

Click View access details
The access details can be used to gain the access you just requested! Test it in AWS!
Click Finish onboarding.

All done!

Check out the Apono Activity log to see how Apono reports and audits access requests.

You can also Revoke the access you were just granted to see how Apono deprovisions access when the access time is up.

Integrating with Apono

How Apono integrations work and what to expect

Integrating with Apono

Intro

In order to manage just-in-time access, Apono needs to integrate with your cloud applications. Our integration:

Syncs data on users, resources and permissions
Automates granting and revoking of users' access to cloud resources

Each integration requires:

An installed connector in your cloud environment
A specific configuration, which may include:
1. A role created for Apono
2. Metadata like proxy address, hostname, port, region, clusters, secret store, etc. To learn more about each integration's required config, visit the integration guide or our guides.

Apono's unique architecture makes the integration extra secure. Learn more .

How it works

Install a connector
1. A connector can be installed on AWS (using Cloudformation [ECS], Terraform [EKS], CLI [EKS]) , GCP (using CLI [GKE]), Azure (using Terraform or CLI) or Kubernetes (using Terraform or Helm).
2. Follow NOTE: If you have installed a connector in the past, you may use it for more than 1 integration\
Follow the integration guide Per each integration's requirements, supply Apono with:
1. The role or permission needed to manage access
2. The metadata to complete the integration NOTE: During this process, you may be required to leave Apono and complete some steps in the source application portal\
Give the integration a name
1. The integration name is used when creating Access Flows
2. This name will be displayed to end-users when creating access requests
Wait for the first sync to complete
1. Follow the status in the Integrations page Connected tab. A healthy integration looks like this:
2. In case of error, follow our
All set! with your new integration

This is what a healthy AWS Account integration process looks like when using an existing connector:

Integration types

Apono currently supports 3 types of integrations:

Resources - these integrations sync data on resources and permissions. Apono then manages JIT access to these resources by granting and revoking users' access based on the Access Flows.
1. Cloud infrastructure
2. Databases
3. CI/CD and development tools
4. Network and VPN
5. IdP groups
User information - these integrations sync data on your users and their attributes, like manager, shift, groups, etc.
1. Identity providers (IdP)
2. Incident response/on-call tools
3. IT service management (ITSM) tools
Communications (chat-ops)

Integrating cloud environments

Overview

Whether you manage your cloud environment in AWS, GCP or Azure, Apono lets you integrate all your cloud services at once!

This means you can manage your entire environment with Apono in a single integration: Apono integrates multiple cloud services from the same AWS Account, GCP Project or Azure Subscription.

In AWS, simply install the connector and secret on any Account you'd like to manage, provide the region and we will do the rest: we'll sync all your resource types, like EC2, RDS, S3 buckets, IAM roles&policies, ECR, EKS, and more all at once.

In GCP, simply install the connector and secret on any Project you'd like to manage and we will do the rest: we'll sync all your resource types, like BigQuery tables, Spanner, Storage, and more all at once.

In Azure, simply install the connector and secret on any Subscription you'd like to manage, and we will do the rest: we'll sync all your resource types, like Storage, MySQL, PostgreSQL, and more all at once.

How it works

Go to the Apono Integrations page and click the Catalog tab.
Pick your cloud provider: AWS, GCP or Azure
Pick the level you'd like to integrate on:
1. AWS:
  1. Pick Organization to manage access to the SSO Identity Center
  2. Pick Account to sync and manage access to a specific Account and multiple services it contains
2. GCP
  1. Pick Organization to manage access to the Organization or Folder roles.
  2. Pick Project to sync and manage access to a specific Project and multiple services it contains
3. Azure
  1. Pick Subscription to sync and manage access to a specific Resource Group and multiple services it contains
Provide Apono with the required configuration, and you're done! We'll sync all the services for you.
You'll be redirected to the Connected tab, where you can see your integrations and all the services or resource types that were synced for it. This is also the place to see and troubleshoot integration errors and create new Access Flows.

CONNECTORS AND SECRETS

Apono Integration Secret

Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.

Apono supports the following secret managers:

Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

Using the Apono secret store option is not recommended for production environments.

We suggest creating a secret in one of the supported cloud providers secret manager or in a Kubernetes secret. Storing secrets in a secret manager enables Apono to sync and provision cloud resources without the need to store credentials for a specific environment in Apono.

Set Credentials in Apono Secret

From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.

Kubernetes Secret

Use Kubernetes secret to store your connector credentials for the desired integration resources.

Prerequisites

Apono connector installed in your Kubernetes cluster
Kubectl command-line interface

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

Create the secret.

kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

Label the secret with apono-connector-read:true

kubectl label secret <SECRET_NAME> "apono-connector-read=true"

Give the Apono connector permissions to the secret:

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector

Prerequisites

Apono connector installed in your Kubernetes cluster
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    labels = {
      "apono-connector-read" = "true"
    }
  }

  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }
  
  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }
  
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\,secret2\,secret3}"
  }
}

Configure Integration to Use Kubernetes Secret

From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.

AWS Secret

Use AWS Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
AWS command-line interface

Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

AWS role or user with SecretsManagerReadWrite attached policy.

Create a secret

Follow these steps to create a secret:

From the Secret Manager, click Store a new secret. The Choose secret type page appears.
Select Other type of secret.
Under Key/value pairs, enter your secret through one of the following approaches:
- On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.
- On the Plaintext tab, enter your secret in JSON key/value pairs.
Click Next. The Configure secret page appears.
Under Tags, click Add.
In the Key field, enter apono-connector-read.
In the Value field, enter true.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The AWS Secret

From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.

Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set
Azure command-line interface

Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Follow these steps to create a secret:

Navigate to your key vault in the Azure portal.
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
- Upload options: Manual.
- Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Select Create.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name         = "<SECRET_NAME>"
  value        = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
  key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}

Configure Integration to Use The Azure Secret

From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam

GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
gcloud command-line interface

Create a secret

Run the following commands to create a secret from the gcloud CLI.

gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)

Create a secret

Follow these steps to create a secret:

Go to the Secret Manager page in the Google Cloud console.
On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}

Configure Integration to Use The GCP Secret

From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.

HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

Prerequisites

Required Apono connector version: 1.6.6
Vault command-line
HashiCorp Vault token
- Create token using:
  - token create command
  - HCP portal

Create Secret in HashiCorp Vault

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

Enable Secret Engine

If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

Verify that the VAULT_NAMESPACE environment variable is set to admin.
```
$ echo $VAULT_NAMESPACE
admin
```
If not, be sure to set it before you continue.
```
$ export VAULT_NAMESPACE=admin
```

Enable key/value v2 secrets engine (kv-v2) at secret/.

$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

Example output:

Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

To verify, read back the secret at secret/test/webapp.

$ vault kv get secret/test/webapp

Example output:

====== Metadata ======
Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

===== Data =====
Key        Value
---        -----
api-key    ABC0DEFG9876

Enable Secret Engine

In the Vault UI, set the current namespace to admin/.

Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.

Enter secret in the Path field.
Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.

Update Apono Connector Configuration to Integrate with HashiCorp Vault

Define vault in your connector using:

environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'
Read from file (docker secrets/secret file mount into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"

To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]

To skip certificate verification use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]

Define HashiCorp Vault Fetch Secret Definition from Secret Manager

You can define HashiCorp vault to fetch secret definition from AWS, GCP, Azure or Kubernetes secret managers using the following environment variable:

HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'

Configure Integration to Use The HashiCorp Vault Secret

From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.

High Availability for Connectors

Deploy active-active HA instances of the same connector

Active-active availability refers to a high availability (HA) architecture, where two or more systems are actively handling requests simultaneously.

HA can provide the following benefits:

Provide redundancy by maintaining operations during downtime
Distribute requests across multiple active systems to improve load balancing
Maximize resource use by employing standby systems
Reroute traffic through automatic failover to the remaining active system

Apono leverages HA to guarantee uptime to customers. Our on-premise connector can be deployed with several instances. If one instance is down, HA ensures that others are available to continue provisioning.

Prerequisite

Item

Description

Deploy HA connector instances

For HA, you can add instances to an existing connector using the same connector ID.

All connector instances must be the same version. Update any older versions to maintain functionality (AWS | Azure | GCP | Kubernetes).

Follow these steps to add a connector instance for high availability:

From the Connectors page, click Install Connector. The Install Connector page appears.
Select Cloud Installation.
Select a platform for the connector. The permission options appear.
Select a permissions option.
Select an installation method.

The Apono UI auto-populates the token for the new connector instance.

In the connector installation module, configure the connector ID parameter to share the same value as an existing connector ID in the environment. You can find the connector ID of an existing instance on the Connectors page.

Depending on the environment, the connector ID parameter may appear as any of the following properties:

APONO_CONNECTOR_ID
apono.connectorId
connectorId

module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
    aponoToken = $APONO_TOKEN
    connectorId = $EXISTING_CONNECTOR_ID
    resourceGroup = $AZURE_RESOURCE_GROUP
    ipAddressType = // "Private" or "None"
    subnetIds = [$SUBNET_ID]
}

Complete the installation of the connector in your environment (AWS | Azure | GCP | Kubernetes).

Upon completion, you can integrate your HA connectors with your environment.

Installing a connector with Docker

To manage access to on-prem resources with Apono, install a connector as a Docker Container

Intro

If you want the flexibility of installing the Apono connector on any machine, a docker container is a great alternative.

Step-by-step guide

Prerequisites

A docker installed on any machine
An Apono token
- Find Your Integration Token:
  1. Select any integration in the Catalog.
  2. Under the Connector section, select Add a New Connector from the drop-down list
  3. Copy the token displayed toward the bottom of the section. This token is unique per account.

Guide

In the following command, replace the variables:
1. Replace APONO-TOKEN with the token you copied in the Prerequisites
2. For CONNECTOR_ID, insert any name of your choosing
Run the command in the terminal:

export APONO_TOKEN=[the token you copied from Apono Add Connector flow]
export CONNECTOR_ID=apono-connector

docker login registry.apono.io -u apono -p $APONO_TOKEN

docker run -e APONO_CONNECTOR_ID=$CONNECTOR_ID -e APONO_TOKEN=$APONO_TOKEN -e APONO_URL=api.apono.io registry.apono.io/apono-connector:v1.6.7

That's it!

Results

If done correctly, you should see your docker Connector in the new integration dropdown list, or in the Connectors page

Manage integrations

Find, edit, and delete and more for an integration

After creating an integration, you can use the Apono UI to find, edit, delete, and perform additional actions on that integration.

Find an integration

You can search for an integration to view its related information.

Follow these steps to locate an integration in the Apono UI:

On the Connected tab, in the search bar, enter the name of the integration. All matching integrations appear.
(Optional) Apply one or more filters.

After searching and applying filters, only integrations matching criteria appear on the Connected tab.

The Connected tab displays context information related to each integration:

Name
Connector
Resource Types
Sync Summary
Status

This information is intended to help you quickly identify specific integrations.

Apply filters

Follow these steps to apply filters:

Click the Filters dropdown menu. The filter options appear.
From the Where dropdown menu, select an option.
From the is dropdown menu, select a value.
(Optional) Click + Add new filter and repeat steps 2-3 to add more filters.
Click Apply.

Edit an integration

Follow these steps to edit an integration:

Find an integration.
In the row of the integration, click ⠇**> Edit**. The Edit Integration page for the integration appears.
Update the integration information.
Click Update.

The integration will re-sync. If the updates are valid, you will get a success message and see synced resources. Otherwise, error messages will be displayed.

Delete an integration

Follow these steps to delete an integration:

Find an integration.
In the row of the integration, click ⠇**> Delete**. A confirmation popup window appears.

Be mindful of the following:

If your integration is associated with one or more access flows, a popup window will appear listing the access flows. For each access flow, click the link and delete the access flow.
If your integration has active access requests, a popup window will appear listing the request IDs. For each request, click the link and revoke the access.

Click Yes.

Additional integration actions

In addition to finding, editing, or deleting integrations, you can perform other tasks to manage integrations from the Apono UI.

View associated integration resources

Follow these steps to view the associated integration resources:

Find an integration.
In the row of the integration, click ⠇**> Resources**. A page of the integration's resources appears.

Refresh an integration

Follow these steps to refresh an integration:

Find an integration.
In the row of the integration, click ⠇**> Refresh**. Apono syncs the integration.

Manage connectors

Find, rename, and delete an existing Apono connector

After creating a connector in your AWS, Azure, GCP, or Kubernetes environment, you can use the Apono UI to find, rename, and delete that connector.

Find a connector

You can search for a connector to view its related information.

Follow this step to locate a connector in the Apono UI:

On the Connectors page, in the search bar, enter the name of the connector. All matching connectors appear.

The Connectors tab displays context information related to each connector:

Name
Location
Version
Status

This information is intended to help you quickly identify specific connectors.

Rename a connector

If you change the name of a connector in the Apono UI, you must also change the connector_id param in the installed connector.

Failure to update the connector_id will cause the integration to stop working.

Follow these steps to rename a connector:

On the Connectors page, in the search bar, enter the name of the connector. All matching connectors appear.
In the row of the connector, click ⠇**> Edit**. The Edit the Connector page for the connector appears.
Update the Connector Name.
Click Update Connector.

Delete a connector

Follow these steps to delete a connector:

Delete the connector within your cloud environment.
On the Connectors page, in the search bar, enter the name of the connector. All matching connectors appear.
In the row of the connector, click ⠇**> Delete**. A confirmation popup window appears.

If the connector is associated with one or more integrations, a popup window will appear with a link to show the integrations:

Click Show Integrations to see the list of associated integrations.
For each integration, delete the integration.

Click Yes.

AWS ENVIRONMENT

AWS Overview

Cloud computing has become an essential tool for businesses of all sizes. As a provider of many services and tools, Amazon Web Services (AWS) is a cloud environment supported by Apono.

The articles in this section will help you connect Apono with your AWS-based resources so that you can effectively manage permissions to these resources.

Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

To manage access to a single AWS account, install a connector on that account. Follow .
To manage access to all the accounts in the AWS organization:
- Install a connector on the management account. Follow . OR
- Install a connector in any account with ECS or EKS and give it delegated permissions to the management account. Follow .

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal .

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS

2. In CloudFormation

Choose Cloudformation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next

Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.

AWS Organization Connector on the management account

Prerequisites

Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS

2. In CloudFormation

Click "Open Cloud Formation"
Sign in to your AWS user and click Next

The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Connector with delegated permissions to the AWS management account

Prerequisites

Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

Open the CloudFormation in the member account you want to deploy at.
Fill the SubnetIDs, VpcId parameters
Create stack, and wait to finish
Copy the connector role from the "Outputs" tab

Using Helm (EKS)

Set the following environment variables, to set the AWS Role for the connector deployed in EKS.

Where:

AWS_ACCOUNT_ID is the account where the EKS deployment is hosted

AWS_ROLE_NAME is the role defined for the connector in step 1

CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector

[block:image] { "images": [ { "image": [ "https://files.readme.io/78e94c2-image.png", null, "" ], "align": "center", "sizing": "300px" } ] } [/block]

CONNECTOR_ID is the connector name. Set any name of your choosing.

Run the following helm command to deploy the connector

Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Step 2: Deploy roles in the Management Account (assumable by the connector)

In "ConnectorRoleArn" parameter, paste the connector role from the previous step.
Fill the "OrganizationalUnitId" parameter.
Create stack, and wait to finish.
Copy the Management Account Role ARN from the "Outputs" tab.

Results

Verify that the Stackset was created successfully and that Cloudformation finished.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

Installing a connector on EKS Using Terraform

This guide is intended for admins managing a Connector in the environment

📘 You have chosen the advanced installation method
You can also easily connect AWS in Apono following this UI guide

How to install the Connector on EKS Using Terraform

Prerequisites

Required CLI: terraform

Step 1 - Create Connector

Important: before you start, copy the connector Terraform params and export them in the terminal.

Step 2 - Configure Variables

Step 3 - Add necessary Terraform providers

** if you already use your own providers, you can skip this step

Run terraform init to validate it works

Step 4 - Add EKS cluster OIDC provider to your IAM

It's required that your EKS cluster OIDC provider will be added to your IAM. This step is required only once, and you may have already done it.

Step 5 - Create the Connector IAM role

The Connector is deployed using helm and requires an IAM Role to be able to access tagged ASM secrets in the future.

Step 6 - Deploy Apono Connector

Validate the Connector is Connected

Updating a connector in AWS

Learn how to update a connector through the AWS CLI

Periodically, you may need to update your AWS connector to help maintain functionality, performance, and security.

This article explains how to update a connector through the AWS CLI and redeploy the CloudFormation stack with the latest connector template.

Prerequisites

Item

Description

Update a connector

Follow these steps to update a connector:

Copy the following Account level or Organization level AWS update script. Be sure to replace AWS_STACK_NAME with your AWS stack name.

Be sure to replace AWS_PROFILE and AWS_SERVER_REGION with your profile and region values.

At your AWS CLI prompt, enter the updated script from the previous step to initiate the update. The AWS CLI will return an object containing the StackId.
In CloudFormation, on the Stack Info tab, confirm that the update has completed:
2. Under the Stack name column, click the stack name.
3. On the Stack info tab, check the Status.

Troubleshooting

This section details common errors that can occur during the updating process. If an error occurs that is not listed below, please contact your Apono representative.

An error occurred (ValidationError) when calling the UpdateStack operation: Stack [stack name] does not exist.

This occurs when the incorrect stack name has been included in the update script.

Use the following steps to correct this error:

Installing a connector on AWS ECS using Terraform

Create a connector on Amazon Elastic Container Service

Connectors are secure on-prem components that link Apono and your resources:

No secrets are read, cached, or stored.
No account admin privileges need to be granted to Apono.
The connector contacts your secret store or key vault to sync data or provision access.

Once set up, this connector will enable you to sync data from cloud applications and grant and revoke access permissions through Amazon Elastic Container Service (ECS).

Prerequisites

Item

Description

Install a connector

Use the following steps to install an Apono connector for AWS on ECS:

At the shell prompt, define an environment variable named TF_VAR_APONO_TOKEN with your Apono token value.

When using the following snippets, be sure to use the correct value for assignPublicIp:

true: Set when a subnet has an Internet Gateway
false: Set shen a subnet has a NAT Gateway

Enables installing the connector in the cloud environment and managing access to resources, such as Amazon RDS, S3 buckets, EC2 machines, and self-hosted databases

Enables installing the connector in the cloud environment but managing access to non-AWS resources, such as self-hosted databases

At the Terraform CLI, download and install the provider plugin and module.

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

Enter yes to confirm deploying the changes to your AWS account.

FAQ

Can the Apono Terraform module be pinned to a version?

Yes. You can append the version number to the source location with the ?ref=vX.X.X query string.

The following example pins the version to 1.0.0 for a connector without permissions.

AWS Integrations

If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.

Through our AWS integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Integrate an AWS account or organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.

Integrate an AWS account

Prerequisites

installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS account:

Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Integrate an AWS organization

Prerequisites

To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS organization:

Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Troubleshooting

Amazon Redshift

Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters

Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.

Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.

Prerequisites

Item

Description

Integrate Amazon Redshift

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Amazon Redshift instance.

Troubleshooting

Refer to Troubleshooting Errors for information about errors that may occur.

RDS PostgreSQL

Integrate with AWS-managed PostgreSQL for JIT access management for RDS

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.

Prerequisites

Item

Description

Create an AWS RDS PostgreSQL user

You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

Create a new user with either Built-in authentication or IAM authentication.

You can use only one authentication option on the RDS instance at a time.

Built-in authentication identifies a user through a username and password.

CREATE USER apono_connector WITH PASSWORD 'secret_passwd';

Be sure to select a strong password for the user.

After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.

To create the user, run the following commands from your Postgre client.

CREATE USER apono_connector;
GRANT rds_iam TO apono_connector;

From your preferred client tool, grant rds_superuser access to the user.

ALTER USER apono_connector WITH CREATEROLE;
GRANT rds_superuser TO apono_connector;

(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "rds-db:connect"
             ],
             "Resource": [
                 "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
             ]
         },
         {
             "Effect": "Allow",
             "Action": [
                 "rds:DescribeDBInstances"
             ],
             "Resource": [
                 "arn:aws:rds:*:*:db:*"
             ]
         }
     ]
 }

(Built-in authentication only) Create an AWS secret with the credentials from step 1.

When using IAM authentication, a secret does not need to be created.

The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.

Integrate Amazon RDS for PostgreSQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Associate the secret or credentials.

A secret is not needed for IAM authentication.

Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your RDS for PostgreSQL database.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
AWS command-line
MySQL command-line

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

Password Authentication

With password authentication, your database performs all administration of user accounts. You create users with SQL statements such as CREATE USER, with the appropriate clause required by the DB engine for specifying passwords.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

SHOW DATABASES Allows the user to view all databases in the RDS instance. CREATE USER Grants the ability to create new users. UPDATE Permits updates in the MySQL system database, including user privileges. PROCESS Allows viewing the server's process list, including all executing queries.

IAM Authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Sign in to the AWS Management Console and open the Amazon RDS console Amazon RDS console , and choose your DB instance.
Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

2. Copy the following RDS SQL details: * Endpoint: The DNS name of the DB instance. * Port: The port number on which the DB instance accepts connections. 3. Connect to the DB instance using your SQL client using the copied details. 4. Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

In Secret Store step, provide the connector credentials using one of the following secret store options:

When using IAM authentication, **a secret does not need to be created**. The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Next Steps

Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Configure user authentication

Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

AWS Lambda Custom Integration

Learn how to integrate an AWS Lambda Custom Integration with Apono

AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.

Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.

With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.

Prerequisites

Before starting this integration, create the items listed in the following table.

Item

Description

Integrate an AWS Lambda Custom Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click AWS Lambda Custom Integration. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your AWS Lambda function.

EC2 via Systems Manager Agent (SSM)

Apono AWS EC2 Integration utilizes SSM (System Manager) Agent to for JIT access management for AWS VMs

EC2 via Systems Manager Agent (SSM)

Have you connected an AWS account?

Make sure you integrated your AWS account to Apono. Follow this AWS Integration step-by-step guide.

Intro

This integration provides the ability to grant users permissions to connect to the EC2 with a secure connection - SSM.

Prerequisites

An integration between Apono and the AWS Organization or Account where the EC2 is.
EC2 machine with SSM agent installed. Installed by default in most EC2s docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent
End users will need to install the session manager plugin for AWS CLI on the local user's computer. docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin

Step-by-step guide

The EC2 instance role

Follow the steps below to create an EC2 instance role with the AmazonSSMManagedInstanceCore managed policy. Read more here.

In the AWS IAM, Click Create new IAM Role
1. Click Create Role
2. Choose the AWS Service option
3. From the dropdown list, choose EC2
4. Choose EC2 Role for AWS System Manager. Click Next.
5. Verify that the AmazonSSMManagerInstanceCore policy is added. Click Next
6. Fill the Role name box (for example, ec2-ssm)
7. Click Create role
Go back to the Modify IAM Role page
1. From the dropdown list, choose the new IAM role we created (ec2-ssm)
2. Click Update IAM role
3. Pleas note: it takes about 30 minutes for the AWS sync to finish.

Integrating Apono with the EC2 instances

In the Apono UI, edit an existing AWS Org or AWS Account integration or create a new one.
Add the EC2 Connect resource type.
Complete the integration and click Integrate.

Results

Apono should now discover EC2 machines! You can now create access flows to EC2 instances.

AZURE ENVIRONMENT

Apono Connector for Azure

How to install a Connector on your Azure environment to integrate with Azure management group or subscription

If your organization uses Azure as it's cloud provider, you can take advantage of Apono , allowing you to create just-in-time access management based on Access Flows and user requests to your Azure resources.

The integration between Azure and Apono requires an Azure Apono connector installed in your Azure environment.

The remainder of this guide focuses on installing and configuring the Azure Apono connector on ACI in your Azure environment.

Prerequisites

Azure user with the following permissions on your Azure management group/subscription:

Role

Permissions

Command-line.

The Apono Azure Management Groups integration allows you to auto-discover all resources under your Tenant by installing the connector on one of the Azure Subscriptions under the Tenant Root Management Group.

Installation Steps

In Apono

Go to Integrations, under Environment from the left navigator.
Under Integrations, click the Catalog tab and select under Cloud provider category.

Under Apono connector, choose + Add new connector.
Choose installation method and copy the Apono token.

In Azure

Install an Azure connector on ACI using Azure CLI

Learn how to deploy a connector in an Azure environment

Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using Azure CLI.

Prerequisites

Item

Description

Install a new connector

You can install a connector for an Azure Management Group or Subscription.

Follow these steps to install a new connector:

At the shell prompt, set the environment variables.

Set the REGION environment variable.

Run the following command to deploy the connector on your ACI.

Add the User Access Administrator role to the connector in the management group scope.

For Azure AD, add the Director Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

On the page, verify that the connector has been updated.

You can now integrate with an .

Follow these steps to install a new connector:

Export the following environment variables.

Set the REGION environment variable.

Run the following command to deploy the connector on your ACI.

Add the User Access Administrator role to the connector in the subscription scope.

For Azure AD, add the Director Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

Install an Azure connector on ACI using PowerShell

Learn how to deploy a connector in an Azure environment

Prerequisites

Item

Description

Install a new connector

You can install a connector for an Azure Management Group or Subscription.

Follow these steps to install a new connector:

At the shell prompt, set the environment variables.

Set the REGION environment variable.

Run the following command to deploy the connector on your ACI.

Add the User Access Administrator role to the connector in the management group scope.

For Azure AD, add the Director Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

Follow these steps to install a new connector:

Export the following environment variables.

Set the REGION environment variable.

Run the following command to deploy the connector on your ACI.

Add the User Access Administrator role to the connector in the subscription scope.

For Azure AD, add the Director Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

Install an Azure connector on ACI using Terraform

Learn how to deploy a connector in an Azure environment

Prerequisites

Item

Description

Install a new connector

Follow these steps to set up a new connector:

At the shell prompt, set the Apono environment variables to your account token.

In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector or :

Enables installing the connector in the cloud environment and managing access to resources

Enables installing the connector in the cloud environment but managing access to non-Azure resources, such as self-hosted databases

At the Terraform CLI, download and install the provider plugin and module.

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

Enter yes to confirm deploying the changes to your Azure account.

Updating a connector in Azure

Learn how to update a connector through the Azure CLI

Periodically, you may need to update your Azure connector to help maintain functionality, performance, and security.

This article explains how to update and redeploy a connector through the Azure CLI.

Prerequisites

Item

Description

Update a connector

To update an Apono connector for Azure, follow these steps in the shell environment with Azure CLI installed:

Set the APONO_CONNECTOR_ID environment variable to your chosen connector ID.
Set the APONO_TOKEN environment variable to your account token.
Set the SUBSCRIPTION_ID environment variable to the Azure subscription ID.
Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.
Set the REGION environment variable.
Run the following command to deploy an updated version of the connector on the Azure Container Instance service.

7. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been updated.

Azure Integrations

If your organization uses Azure as a cloud platform, Apono can help you securely manage access to your Azure cloud-based services, subscriptions, and resource groups.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand . Through our integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing privileges in Azure and convert them to just-in-time Access Flows.
Enable Self-Service Access: Allow developers to request access to Azure services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive Azure resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific services with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across Azure.

Azure MySQL

Create an integration to manage access to Azure-managed MySQL databases

MySQL is a reliable and secure open-source relational database system. It serves as the main data store for various applications, websites, and products. This includes mission-critical applications and dynamic websites.

Microsoft enables developers to create cloud-hosted MySQL databases.

Through this integration, Apono helps you securely manage access to your Azure MySQL databases.

Prerequisites

Before starting this integration, create the items listed in the following table.

Item

Description

Create a MySQL user

You must create a user in your MySQL instance for the Apono connector and grant that user permissions to your databases.

Use the following steps to create a user and grant it permissions:

In your preferred client tool, create a new user. Be sure to set a strong password for the user.
Expose databases to the user. This allows Apono to view database names without accessing the contents of each database.
Grant the user database permissions. The following commands grant Apono the following permissions:
- Creating users
- Updating user information and privileges
- Monitoring and troubleshooting processes running on the database\
Grant the user only one of the following sets of permissions. The chosen set defines the highest level of permissions to provision with Apono. Expand each of the following options to reveal the SQL commands:

(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

Integrate Azure MySQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

Under Discovery, click one or more resource types and cloud services to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Click Next. The Custom Access Details section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

GCP ENVIRONMENT

KUBERNETES ENVIRONMENT

ADDITIONAL INTEGRATIONS

Network Management

Manage just-in-time, just-enough access to servers, RDPs, internal apps, and more

Development Tools

Incident Response Integrations

Apono Integration Secret

Apono supports the following secret managers:

Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

Using the Apono secret store option is not recommended for production environments.

Set Credentials in Apono Secret

From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.

Kubernetes Secret

Use Kubernetes secret to store your connector credentials for the desired integration resources.

Prerequisites

Apono connector installed in your Kubernetes cluster
Kubectl command-line interface

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

Create the secret.

kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

Label the secret with apono-connector-read:true

kubectl label secret <SECRET_NAME> "apono-connector-read=true"

Give the Apono connector permissions to the secret:

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector

Prerequisites

Apono connector installed in your Kubernetes cluster
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    labels = {
      "apono-connector-read" = "true"
    }
  }

  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }
  
  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }
  
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\,secret2\,secret3}"
  }
}

Configure Integration to Use Kubernetes Secret

From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.

AWS Secret

Use AWS Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
AWS command-line interface

Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

AWS role or user with SecretsManagerReadWrite attached policy.

Create a secret

Follow these steps to create a secret:

From the Secret Manager, click Store a new secret. The Choose secret type page appears.
Select Other type of secret.
Under Key/value pairs, enter your secret through one of the following approaches:
- On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.
- On the Plaintext tab, enter your secret in JSON key/value pairs.
Click Next. The Configure secret page appears.
Under Tags, click Add.
In the Key field, enter apono-connector-read.
In the Value field, enter true.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The AWS Secret

From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.

Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set
Azure command-line interface

Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Follow these steps to create a secret:

Navigate to your key vault in the Azure portal.
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
- Upload options: Manual.
- Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Select Create.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name         = "<SECRET_NAME>"
  value        = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
  key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}

Configure Integration to Use The Azure Secret

From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam

GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
gcloud command-line interface

Create a secret

Run the following commands to create a secret from the gcloud CLI.

gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)

Create a secret

Follow these steps to create a secret:

Go to the Secret Manager page in the Google Cloud console.
On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.
Secret Manager API (enabled once per project)
Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}

Configure Integration to Use The GCP Secret

From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.

HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

Prerequisites

Required Apono connector version: 1.6.6
Vault command-line
HashiCorp Vault token
- Create token using:
  - token create command
  - HCP portal

Create Secret in HashiCorp Vault

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

Enable Secret Engine

If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

Verify that the VAULT_NAMESPACE environment variable is set to admin.
```
$ echo $VAULT_NAMESPACE
admin
```
If not, be sure to set it before you continue.
```
$ export VAULT_NAMESPACE=admin
```

Enable key/value v2 secrets engine (kv-v2) at secret/.

$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

Example output:

Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

To verify, read back the secret at secret/test/webapp.

$ vault kv get secret/test/webapp

Example output:

====== Metadata ======
Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

===== Data =====
Key        Value
---        -----
api-key    ABC0DEFG9876

Enable Secret Engine

In the Vault UI, set the current namespace to admin/.

Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.

Enter secret in the Path field.
Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.

Update Apono Connector Configuration to Integrate with HashiCorp Vault

Define vault in your connector using:

environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'
Read from file (docker secrets/secret file mount into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"

To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]

To skip certificate verification use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]

Define HashiCorp Vault Fetch Secret Definition from Secret Manager

You can define HashiCorp vault to fetch secret definition from AWS, GCP, Azure or Kubernetes secret managers using the following environment variable:

HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'

Configure Integration to Use The HashiCorp Vault Secret

From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.