1 of 100

Documentation and Guides

ABOUT APONO

Why Choose Apono

Apono is the best solution for just-in-time, temporary access to sensitive cloud resources

Apono lets you automate static access policies by turning them into declarative, dynamic Access Flows. Integrate your cloud environment, CI/CD stack, cloud infrastructure and databases with Apono. Create Access Flows with our declarative UI or in Terraform, and your developers can use Slack, Teams or CLI to request and approve access.

Protect what matters without breaking a sweat.

Who is Accessing Cloud Resources Right Now?

Do developers have admin/write access or read-only access to production?

Can you answer that, or must you sort through your cloud resources to find out? Of course, by the time you get to the last one, you'll have to recheck the first because so much time has elapsed, and access changes constantly. While discussing it, how long would it take to revoke access to a production cloud resource in an emergency?

With Apono, you have a single point of control for managing access without creating a single point of failure.

Apono Access: Automated, Just-in-Time, Just-Enough

Use Apono for on-demand access to critical resources. Grant an engineer permission to fix a production issue in an emergency. Grant a data scientist access to a data lake when needed. Just as important is to revoke access once it's no longer needed.

Apono's permissions are just-in-time and also ephemeral. Access is automatically revoked when no longer needed. No more forgotten privileges or group memberships left open. Access begins and ends according to Access Flow definition.

Access Management that Scales

No need to manually change permissions for each resource on your cloud platform every time someone needs access to one of its resources. While access can be granted at a granular level, large-scale environments can be managed efficiently by creating Access Flows, for individuals and groups, to all cloud resources and assets.

Apono Integrates with Terraform

Are you using Terraform to manage your cloud platforms?

Apono lets you turn static access policies into dynamic Access Flows directly from Terraform. Reuse a simple build file to build the perfect workflows for your organization without ever leaving Terraform.

Designed for DevX

With Apono, you will work smarter with less effort to manage and gain access to your cloud resources. You will take control of your cloud resource inventory from one central location.

Apono's Access Flows prepare for contingencies, emergency access and regular maintenance. Onboarding becomes quick and easy, with our dynamic Access Flows and access bundles. There's no need for writing and maintaining home-grown scripts and complex workflows.

Your developers can request access bundles and get just the access they need exactly when they need it, no hassle.

Deployed Via Slack and Teams

Developers and engineers love ChatOps and CLI, so why should they have to use another interface?

Apono integrates with Slack, Teams and CLI, so your R&D can use the tools they know to request & approve access, connect to the resources, and, after the access is automatically revoked, request the access again when they need it.

Speaks Your (Declarative) Language

Apono has developed a declarative, natural language format for defining access permissions. No need to edit config files. We call it Access Flow, and it looks like this:

Select a resource and then add (a) who is allowed to gain access (b) what kind of access (roles or permissions) to grant, (c) which specific resources in the integration to allow access to, (d) how long the access should last, (e) should access be approved automatically or by someone in the organization.

In fact, integrating with Apono and creating Access Flows has proven so intuitive that most Apono customers set up and deploy access control for their entire organizations within two weeks.

Keeps Your CISO Happy

Apono doesn't have access to any of your data. Ever.

A Home Run With SOX IT Controls

Apono's comprehensive access management covers your entire cloud, with Access Flows defined for every cloud service and resource type. Need to maintain least-privileges to production environments, financial data, PII, and other critical assets? Check!

Security and Architecture

Apono helps you manage just-in-time access in a secure, least privilege way

Overview

Apono was built and designed with security in mind so that any company is able to use it in their environment.

We applied the same least privilege principles to our product that Apono unlocks for its users:

Ensure users receive just the right amount of permissions they need
Ensure users receive access only for the limited time they need them

Security

Apono's secure architecture

The Apono platform is built by two separate components:

The Web App
The Connector

The web app continuously receives basic data about users, resources and permissions from the connector.

The connector is fully deployed within the organization’s environment and has a limited set of template functions that can be invoked and are fully in the organization control.

This architecture ensures high reliability as well as segregation of environments, keeping any access to the environment within the environment.

The Web App security

Our web app is a portal for admins to create and manage integrations and Access Flows.

The portal:

Could only be accessed by admins of the system who've authenticated using the organizational identity provider.
Doesn't require access to the organization's environment resources. No roles, permissions, privileges, or actions are granted to the app.
Integrates with the organizational identity provider as the source of truth for the organizational identities.
Doesn't access your data or environment, and only communicates with the Apono connector.

The Connector security

Our connector is a component you install in your cloud environment (AWS, GCP, Azure, Kubernetes). It communicates with your cloud services and cloud apps using, but not caching or storing, your secrets.

The connector:

Is completely within the organization's control, as it is installed in your cloud provider.
Can be uninstalled or disconnected at any time without support from Apono.
Uses fully visible template functions, mutable by the organization’s environment owner. These functions limit the ability of the connector to only invoke specific actions that are predefined.
Has no permissions to access the data itself.
Does not store any secrets.

👍 The Apono Connector is High Availability
No downtime, no outages, no problem!

Your data

When you integrate your cloud applications and IdP with Apono, Apono syncs metadata and configuration information continuously. We only sync basic information needed for access management: users, groups, resources and permissions.

Apono:

Does not read your data, like datasets, files, documents, code, etc.
Does not collect any personal data about your employees, Apono only requires a user's email address.
Does not store or cache secrets or credentials.

Secrets

Apono does not store or cache any of your secrets.

When a data sync is required, the connector gets the secret from your cloud's Secret Store to access the data it needs. After authenticating, the secret is not saved anywhere.

👍 Credentials rotation as often as you need

Architecture

Apono and AWS

Apono and GCP

Apono and Azure

Glossary

Commonly used Apono terms

GETTING STARTED

How Apono Works

Apono syncs with your apps' data, grants and revokes access

How Apono Works

Your Questions

How does Apono securely integrate with your environment?
How are Access Flows defined and managed?
How do developers request and approve access?
How do admins manage access logs and audit reports?

Great questions, let's get to it:

Integrate with Apono in 3 easy steps

Three easy steps are what it takes to create Just-In-Time and Just Enough permissions for everyone with access to your cloud assets and resources.

1. Install a Connector

Connectors are the components that mediate between Apono and your resources to sync data from cloud applications and grant and revoke access permissions.

The Connector does not read, cache or store any secrets, nor does Apono need an account with admin privileges to function. The Connector contacts your secret store or key vault when it needs to sync data or provision access.

Here's how Connectors work:

2. Integrate With Cloud Apps

After you've installed the Connector, integrate Apono with your cloud applications to sync data on users, groups, resources and permissions.

3. Create Access Flows

Create an Access Flows by answering five questions:

Who should get access?
What can they gain access to?
What Actions will they be able to perform?
How Long should they have the access?
Who must Approve the request?

Fill in the blanks using information from drop-down lists, click Create, and you're done.

Apono is Self-Serve

Using Terraform? Edit your Terraform .tf file to add Apono access management to your resources

Add Apono to Your IaC Configurations

Open-source Terraform or AWS ecosystem, Apono is a recognized provider for both.

Apono's Terraform provider is great for creating and managing integrations, as well as Access Flows!

Just Add Slack or Teams

Apono is built with DevX in mind. With Apono, developers can:

Gain automatic access without waiting for approval if the Access Flow allows it
Get access details directly in Slack, Teams or CLI and use them with ease

No more complex forms, old service systems, proxies and clients to install, or hackling your IT department when you need to get work done.

That's why thousands of engineers use Apono for access requests every month!

Audit and Report on Access

Apono automates access logs and audit reports:

Getting started

Get started with Apono in 10 minutes to get dynamic, centralized, just-in-time access management for your cloud!

Getting started

You will complete 3 steps to see how easy it is for Admins to manage access with dynamic Access Flows, and how intuitive it is for developers and other end users to request and use Apono access just-in-time.

Try Apono in AWS, then unlock all of your cloud providers and applications for centralized, streamlined access management.

Step 1

Install the connector

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono app from the environment for maximal security.

If you're just getting started with Apono, we recommend using a local connector deployed with docker image.

You should know:

A local connector is only active as long as the container is running. This means you will have to rerun the command when the container is down.
The local connector leverages your existing AWS Profiles. Make sure you have an AWS Profile with Admin permissions to an AWS account, like playground, staging, dev, etc.
If your organization requires MFA, SSO login, VPN login or other security policies, the local connector using your AWS profile will need them to work.

How to deploy the local connector

Prerequisites

A configured AWS profile in your AWS CLI with these permissions: List and IAM to the AWS account and resources you want to integrate.

Necessary permissions policy - LIST

Necessary permissions policy - IAM

Steps

In the catalog, pick AWS.
Pick Account
Install a new connector and pick "Local Installation"

For Linux/mac:

Copy the command that appears in the Apono App and run it in your terminal: bash <(curl -s https://apono-public.s3.amazonaws.com/local-connector/install.sh) --apono-token <TOKEN> The<TOKEN> will appear in the one-liner the UI generates for you.
Follow the interactive prompts and assign:
1. AWS profile: Apono will leverage the permissions of the profile you pick. If you don't specify the profile, press enter and Apono will use the default profile.
Results:
1. If installed successfully, you will see this message: Installation complete. You can return to the Apono App
Go back to the Apono App and continue to integrate AWS. The local connector should appear on the screen with a green checkmark:

For Windows

Copy the command that appears in the Apono App and run it in your terminal: iex ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Uri "https://apono-public.s3.amazonaws.com/local-connector/install.ps1" -UseBasicParsing).Content))
Follow the interactive prompts and assign:
1. The <APONO TOKEN> that appears in the Apono App under the one-liner command.
Results:
1. If installed successfully, you will see the container ID that started running.
Go back to the Apono App and continue to integrate AWS. The local connector should appear on the screen with a green checkmark:

Integrate AWS with Apono

Provide the AWS config:
1. An integration name of your choosing
2. The region of the account you'd like to integrate
Click Connect
Wait for the integration to sync. This may take a few minutes.
Results:
1. You should see a success message indicating that Apono has successfully integrated with AWS Test.

Step 2

Create an Access Flow

Fill in the Access Flow form:
1. Click Someone to pick who can request the access. You can pick yourself under Users.
2. Click Select Target to pick the AWS Account you just connected and **the cloud service **you'd like to manage access to. Duplicate this line to include more cloud services in the Access Flow.
3. Click Any to pick the specific resources in the Access Flow by name, by AWS tags, or by excluding specific resources. You can also leave it as Any.
4. Click Permissions to pick the permissions users will be able to request.
5. You can leave the access time as 1 Hour and the approval as Automatic or change them as you'd like.

Click Create Access Flow.
In the next screen, click Request Access continue to Step 3.

Step 3

Request access

Developers and other end users in the organizations will request access according to the Access Flows using Slack, Teams, CLI, or the Apono Web Portal.

Fill in the request form:
1. Pick the integration
2. Pick the resource type
3. Pick resources
4. Pick permissions
5. Insert a justification

Click Request

Gain and use access

The request will appear on the screen with the status Pending

Once the connector provisions the access successfully, the status of the request will change to Granted

Click View access details
The access details can be used to gain the access you just requested! Test it in AWS!
Click Finish onboarding.

All done!

Check out the Apono Activity log to see how Apono reports and audits access requests.

You can also Revoke the access you were just granted to see how Apono deprovisions access when the access time is up.

Access Discovery

Assess and remediate standing access to improve your cloud security posture

Permanent, always-on permissions to resources (standing access) create security vulnerabilities and complicate access management. Access Discovery helps eliminate unnecessary standing access while ensuring your teams can efficiently request permissions when needed.

Access Discovery analyzes your environment and helps you manage access rights through a two-step process:

Assessment: Automatically identifies and categorizes standing access to reveal where high-risk permissions exist
Remediation: Provides instructions to create access flows and revoke unnecessary standing permissions to improve your security posture

For example, you can identify all production resources with standing access, create an access flow for temporary permissions, and safely revoke permanent access. When team members need access, they can request it through the automated workflow, receive temporary permissions, and automatically have access revoked when their temporary permissions have expired.

Prerequisites

Item

Description

Cloud Environment Integration

At least one cloud environment integration set up with Apono:

Azure Management Group (coming soon)
GCP Organization (coming soon)

AWS Connector required permission

Create a new assessment

Follow these steps to assess an integration:

Select a Cloud provider.
(AWS Organization) Select an integration.
Click Assess. The My Assessments page appears with a row for the integration's assessment.

Explore an assessment

Follow these steps to explore an assessment:

Column

Description

Entitlements

AWS permission sets per account

Risk Score

Value (1-9) representing the level of risk associated with a specific resource, permission, or entitlement within your environment

Account

Account to which the entitlement is associated

Identities

Number of users assigned to the entitlement

Last Used

Number of days since an identity assigned to the entitlement used the permissions

Remediation Progress

Percentage completion of improving the security posture of the entitlement

(Optional) Filter the listed entitlements by one or several of the following filters.

Accounts

Follow these steps to filter by account:

Click the Accounts dropdown menu.
(Optional) In the Search field, enter a value to filter the list of accounts.
Select one or several accounts. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Entitlements

Follow these steps to filter by entitlement:

Click the Entitlements dropdown menu.
(Optional) In the Search field, enter a value to filter the list of entitlements.
Select one or several entitlements. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

Click the Risk Score dropdown menu.
(Optional) In the Search field, enter a value to filter the list of risk scores.
Select one or several risk scores. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

In Access Flow

Follow these steps to display only entitlements in an access flow:

Click the In Access Flow dropdown menu.
Select Yes or No. Only the entitlements meeting this criterion will be shown.
Click the top or outside of the dropdown menu to close it.

Revoked

Follow these steps to filter by revoked status:

Click the Revoked dropdown menu.
Select Yes or No. Only the entitlements meeting this criterion will be shown.
Click the top or outside of the dropdown menu to close it.

Click the row of the entitlement. The Entitlement Details panel opens. The following table explains the content displayed in the Identities section.

Column

Description

Identity

Name of the user

Relationship

Manner through which the identity is associated to the entitlement

An identity may be associated directly or through membership within a group

Last Used

Number of days since the identity used the entitlement

Step 1

Indicates the first step (access flow creation) of the remediation process has been completed

Step 2

Indicates the second step (standing access removal) of the remediation process has been completed

Click the X in the top right corner of the panel to close the panel.

Remediate access

Follow these steps to remediate an entitlement:

Element

Description

Access Posture

Value between 0-100 representing the overall security state of your cloud environment, focusing on the prevalence of standing access across your resources

As you replace standing access with just-in-time access flow, your access posture improves.

Tiers Tiles

Tiles each representing a tier of risk

Each tile displays the following information:

Risk tier: Critical, High, Medium, or Low
Numerical impact on the access posture score
Number of affected entitlements
Button providing access to the remediation plan for the specific tier

On one of the four tier cards, click Remediation Plan. The Remediation Plan popup window appears.
In the Step 1 tile, click Create Now. The Create Access Flow page appears with a prepopulated access flow.

With the exception of the Grant for section, other sections in the access flow cannot be edited.

Under Grant for, you can adjust the access duration and choose a different approver.
Click Create Access Flow.
Click Back To Assessment. The Remediation Plan popup window reappears with a checkmark indicator in the Step 1 tile.
In the Step 2 tile, click Revoke Access. The Revoke standing access page appears.
(Optional) Filter the entitlement list by one or several of the following filters.

Account

Follow these steps to filter by account:

Click the Account dropdown menu.
(Optional) In the Search field, enter a value to filter the list of accounts.
Select one or several accounts. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Entitlement

Follow these steps to filter by entitlement:

Click the Account dropdown menu.
(Optional) In the Search field, enter a value to filter the list of entitlements.
Select one or several entitlements. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

Click the Risk Score dropdown menu.
(Optional) In the Search field, enter a value to filter the list of risk scores.
Select one or several risk scores. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Select one or several entitlements.
Click Revoke. The Revoke standing access popup window appears.
Follow the instructions to revoke standing access for the selected entitlements with AWS CLI.
On the Revoke standing access popup window, click Reassess. The View assessment page for the integration will appear and display your improved access posture score.

The rows of the select entitlements will have green bars in the Remediation Progress column indicating the completion of the remediation process.

If other tiers need to be remediated, repeat steps 2-12.

Integrating with Apono

How Apono integrations work and what to expect

Integrating with Apono

Intro

In order to manage just-in-time access, Apono needs to integrate with your cloud applications. Our integration:

Syncs data on users, resources and permissions
Automates granting and revoking of users' access to cloud resources

Each integration requires:

An installed connector in your cloud environment
A specific configuration, which may include:
1. A role created for Apono

How it works

Install a connector
1. A connector can be installed on AWS (using Cloudformation [ECS], Terraform [EKS], CLI [EKS]) , GCP (using CLI [GKE]), Azure (using Terraform or CLI) or Kubernetes (using Terraform or Helm).
Follow the integration guide Per each integration's requirements, supply Apono with:
1. The role or permission needed to manage access
2. The metadata to complete the integration NOTE: During this process, you may be required to leave Apono and complete some steps in the source application portal
Give the integration a name
1. The integration name is used when creating Access Flows
2. This name will be displayed to end-users when creating access requests
Wait for the first sync to complete

This is what a healthy AWS Account integration process looks like when using an existing connector:

Integration types

Apono currently supports 3 types of integrations:

Resources - these integrations sync data on resources and permissions. Apono then manages JIT access to these resources by granting and revoking users' access based on the Access Flows.
1. Cloud infrastructure
2. Databases
3. CI/CD and development tools
4. Network and VPN
5. IdP groups
User information - these integrations sync data on your users and their attributes, like manager, shift, groups, etc.
1. Identity providers (IdP)
2. Incident response/on-call tools
3. IT service management (ITSM) tools
Communications (chat-ops)

Integrating cloud environments

Overview

Whether you manage your cloud environment in AWS, GCP or Azure, Apono lets you integrate all your cloud services at once!

This means you can manage your entire environment with Apono in a single integration: Apono integrates multiple cloud services from the same AWS Account, GCP Project or Azure Subscription.

In AWS, simply install the connector and secret on any Account you'd like to manage, provide the region and we will do the rest: we'll sync all your resource types, like EC2, RDS, S3 buckets, IAM roles&policies, ECR, EKS, and more all at once.

In GCP, simply install the connector and secret on any Project you'd like to manage and we will do the rest: we'll sync all your resource types, like BigQuery tables, Spanner, Storage, and more all at once.

In Azure, simply install the connector and secret on any Subscription you'd like to manage, and we will do the rest: we'll sync all your resource types, like Storage, MySQL, PostgreSQL, and more all at once.

How it works

Go to the Apono Integrations page and click the Catalog tab.
Pick your cloud provider: AWS, GCP or Azure
Pick the level you'd like to integrate on:
1. AWS:
  1. Pick Organization to manage access to the SSO Identity Center
  2. Pick Account to sync and manage access to a specific Account and multiple services it contains
2. GCP
  1. Pick Organization to manage access to the Organization or Folder roles.
  2. Pick Project to sync and manage access to a specific Project and multiple services it contains
3. Azure
  1. Pick Subscription to sync and manage access to a specific Resource Group and multiple services it contains
Provide Apono with the required configuration, and you're done! We'll sync all the services for you.
You'll be redirected to the Connected tab, where you can see your integrations and all the services or resource types that were synced for it. This is also the place to see and troubleshoot integration errors and create new Access Flows.

CONNECTORS AND SECRETS

Apono Integration Secret

Many integrations require granting Apono connector credentials to allow it to authenticate and connect. You can create secrets in different secrets managers (e.g. AWS, GCP, Azure) and specify them in the integration secret store. This allows the connector to safely and securely retrieve its credentials in order to connect to the desired integration resources.

Apono supports the following secret managers:

High Availability for Connectors

Deploy active-active HA instances of the same connector

Active-active availability refers to a high availability (HA) architecture, where two or more systems are actively handling requests simultaneously.

HA can provide the following benefits:

Provide redundancy by maintaining operations during downtime
Distribute requests across multiple active systems to improve load balancing
Maximize resource use by employing standby systems
Reroute traffic through automatic failover to the remaining active system

Apono leverages HA to guarantee uptime to customers. Our on-premise connector can be deployed with several instances. If one instance is down, HA ensures that others are available to continue provisioning.

Prerequisite

Deploy HA connector instances

For HA, you can add instances to an existing connector using the same connector ID.

Follow these steps to add a connector instance for high availability:

Select Cloud Installation.
Select a platform for the connector. The permission options appear.
Select a permissions option.
Select an installation method.

The Apono UI auto-populates the token for the new connector instance.

Depending on the environment, the connector ID parameter may appear as any of the following properties:

APONO_CONNECTOR_ID
apono.connectorId
connectorId

Upon completion, you can integrate your HA connectors with your environment.

Installing a connector with Docker

To manage access to on-prem resources with Apono, install a connector as a Docker Container

Intro

If you want the flexibility of installing the Apono connector on any machine, a docker container is a great alternative.

Step-by-step guide

Prerequisites

A docker installed on any machine
An Apono token
- Find Your Integration Token:
  2. Under the Connector section, select Add a New Connector from the drop-down list
  3. Copy the token displayed toward the bottom of the section. This token is unique per account.

Guide

In the following command, replace the variables:
1. Replace APONO-TOKEN with the token you copied in the Prerequisites
2. For CONNECTOR_ID, insert any name of your choosing
Run the command in the terminal:

export APONO_TOKEN=[the token you copied from Apono Add Connector flow]
export CONNECTOR_ID=apono-connector

docker login registry.apono.io -u apono -p $APONO_TOKEN

docker run -e APONO_CONNECTOR_ID=$CONNECTOR_ID -e APONO_TOKEN=$APONO_TOKEN -e APONO_URL=api.apono.io registry.apono.io/apono-connector:v1.6.7

That's it!

Results

Manage integrations

Find, edit, and delete and more for an integration

After creating an integration, you can use the Apono UI to find, edit, delete, and perform additional actions on that integration.

Find an integration

You can search for an integration to view its related information.

Follow these steps to locate an integration in the Apono UI:

After searching and applying filters, only integrations matching criteria appear on the Connected tab.

The Connected tab displays context information related to each integration:

Name
Connector
Resource Types
Sync Summary
Status

This information is intended to help you quickly identify specific integrations.

Apply filters

Follow these steps to apply filters:

Click the Filters dropdown menu. The filter options appear.
From the Where dropdown menu, select an option.
From the is dropdown menu, select a value.
(Optional) Click + Add new filter and repeat steps 2-3 to add more filters.
Click Apply.

Edit an integration

Follow these steps to edit an integration:

In the row of the integration, click ⠇> Edit. The Edit Integration page for the integration appears.
Update the integration information.
Click Update.

The integration will re-sync. If the updates are valid, you will get a success message and see synced resources. Otherwise, error messages will be displayed.

Delete an integration

Follow these steps to delete an integration:

In the row of the integration, click ⠇> Delete. A confirmation popup window appears.

Be mindful of the following:

Click Yes.

Additional integration actions

In addition to finding, editing, or deleting integrations, you can perform other tasks to manage integrations from the Apono UI.

View associated integration resources

Follow these steps to view the associated integration resources:

In the row of the integration, click ⠇> Resources. A page of the integration's resources appears.

Refresh an integration

Follow these steps to refresh an integration:

In the row of the integration, click ⠇> Refresh. Apono syncs the integration.

Manage connectors

Find, rename, and delete an existing Apono connector

Find a connector

You can search for a connector to view its related information.

Follow this step to locate a connector in the Apono UI:

The Connectors tab displays context information related to each connector:

Name
Location
Version
Status

This information is intended to help you quickly identify specific connectors.

Rename a connector

If you change the name of a connector in the Apono UI, you must also change the connector_id param in the installed connector.

Failure to update the connector_id will cause the integration to stop working.

Follow these steps to rename a connector:

In the row of the connector, click ⠇**> Edit**. The Edit the Connector page for the connector appears.
Update the Connector Name.
Click Update Connector.

Delete a connector

Follow these steps to delete a connector:

Delete the connector within your cloud environment.
In the row of the connector, click ⠇**> Delete**. A confirmation popup window appears.

If the connector is associated with one or more integrations, a popup window will appear with a link to show the integrations:

Click Show Integrations to see the list of associated integrations.

Click Yes.

AWS ENVIRONMENT

AWS Overview

Cloud computing has become an essential tool for businesses of all sizes. As a provider of many services and tools, Amazon Web Services (AWS) is a cloud environment supported by Apono.

The articles in this section will help you connect Apono with your AWS-based resources so that you can effectively manage permissions to these resources.

Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

To manage access to all the accounts in the AWS organization:

What's a connector? What makes it so secure?

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS

2. In CloudFormation

Choose Cloudformation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next

Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.

AWS Organization Connector on the management account

Prerequisites

Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS

2. In CloudFormation

Click "Open Cloud Formation"
Sign in to your AWS user and click Next

The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Connector with assumable permissions to the AWS management account

Prerequisites

Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

Follow the link to open the CloudFormation in the member account you want to deploy.
Fill the SubnetIDs, VpcId parameters.
Click Create stack, and wait to finish.
Copy the connector role from the "Outputs" tab and the connector ID from the "Parameters" tab. These will be required for the next step.

Using Helm (EKS)

Set the following environment variables, to set the AWS Role for the connector deployed in EKS.

export AWS_ACCOUNT_ID=  
export AWS_ROLE_NAME=
export CONNECTOR_TOKEN=
export CONNECTOR_ID=

Where:

AWS_ACCOUNT_ID is the account where the EKS deployment is hosted AWS_ROLE_NAME is the role defined for the connector in step 1 CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector

CONNECTOR_ID is the connector name. Set any name of your choosing.

Run the following helm command to deploy the connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$CONNECTOR_TOKEN \
    --set-string apono.connectorId=$CONNECTOR_ID \
    --set serviceAccount.awsRoleAccountId=$AWS_ACCOUNT_ID \
    --set serviceAccount.awsRoleName=$AWS_ROLE_NAME \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Step 2: Deploy roles in the Management Account (assumable by the connector)

Purpose: The connector will assume this role in order to manage the entire AWS organization.

For the "AponoConnectorId" and "ConnectorRoleArn" parameters, paste the copied values from the previous step.
Fill the "OrganizationalUnitId" parameter. You can find it under AWS organizations.
Create stack, and wait to finish.

Results

Verify that the Stackset was created successfully and that Cloudformation finished.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

Installing a connector on EKS Using Terraform

This guide is intended for admins managing a Connector in the environment

📘 You have chosen the advanced installation method

How to install the Connector on EKS Using Terraform

Prerequisites

Required CLI: terraform

Step 1 - Create Connector

Important: before you start, copy the connector Terraform params and export them in the terminal.

Step 2 - Configure Variables

Step 3 - Add necessary Terraform providers

** if you already use your own providers, you can skip this step

Run terraform init to validate it works

Step 4 - Add EKS cluster OIDC provider to your IAM

It's required that your EKS cluster OIDC provider will be added to your IAM. &#xNAN;This step is required only once, and you may have already done it.

Step 5 - Create the Connector IAM role

The Connector is deployed using helm and requires an IAM Role to be able to access tagged ASM secrets in the future.

Step 6 - Deploy Apono Connector

Validate the Connector is Connected

Updating a connector in AWS

Learn how to update a connector through the AWS CLI

Periodically, you may need to update your AWS connector to help maintain functionality, performance, and security.

This article explains how to update a connector through the AWS CLI and redeploy the CloudFormation stack with the latest connector template.

Prerequisites

Update a connector

Follow these steps to update a connector:

Copy the following Account level or Organization level AWS update script. Be sure to replace AWS_STACK_NAME with your AWS stack name.

Be sure to replace AWS_PROFILE and AWS_SERVER_REGION with your profile and region values.

At your AWS CLI prompt, enter the updated script from the previous step to initiate the update. The AWS CLI will return an object containing the StackId.
In CloudFormation, on the Stack Info tab, confirm that the update has completed:
2. Under the Stack name column, click the stack name.
3. On the Stack info tab, check the Status.

Troubleshooting

This section details common errors that can occur during the updating process. If an error occurs that is not listed below, please contact your Apono representative.

An error occurred (ValidationError) when calling the UpdateStack operation: Stack [stack name] does not exist.

This occurs when the incorrect stack name has been included in the update script.

Use the following steps to correct this error:

Installing a connector on AWS ECS using Terraform

Create a connector on Amazon Elastic Container Service

Connectors are secure on-prem components that link Apono and your resources:

No secrets are read, cached, or stored.
No account admin privileges need to be granted to Apono.
The connector contacts your secret store or key vault to sync data or provision access.

Once set up, this connector will enable you to sync data from cloud applications and grant and revoke access permissions through Amazon Elastic Container Service (ECS).

Prerequisites

Install a connector

Use the following steps to install an Apono connector for AWS on ECS:

At the shell prompt, define an environment variable named TF_VAR_APONO_TOKEN with your Apono token value.

When using the following snippets, be sure to use the correct value for assignPublicIp:

true: Set when a subnet has an Internet Gateway
false: Set shen a subnet has a NAT Gateway

Enables installing the connector in the cloud environment and managing access to resources, such as Amazon RDS, S3 buckets, EC2 machines, and self-hosted databases

Enables installing the connector in the cloud environment but managing access to non-AWS resources, such as self-hosted databases

At the Terraform CLI, download and install the provider plugin and module.

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

Enter yes to confirm deploying the changes to your AWS account.

FAQ

Can the Apono Terraform module be pinned to a version?

Yes. You can append the version number to the source location with the ?ref=vX.X.X query string.

The following example pins the version to 1.0.0 for a connector without permissions.

AWS Integrations

If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.

Through our AWS integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Integrate an AWS account or organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.

Integrate an AWS account

Prerequisites

To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS account:

Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Integrate an AWS organization

Prerequisites

To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS organization:

Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Troubleshooting

Auto Discover AWS RDS Instances

Automatically identify AWS RDS instances in an Account or Organization for JIT access management

Apono’s Auto Discovery feature identifies tagged AWS RDS instances, including MySQL and PostgreSQL. Rather than integrating each instance individually, you can integrate selected databases and their resources at once during your AWS Account or Organization setup.

This capability requires network access to each discoverable database. If your databases are in different AWS networks, make sure to create an AWS connector for each network.

Prerequisites

Enable Auto Discovery

Follow these steps to enable Auto Discovery:

In your AWS RDS database instance, create a user for the Apono connector. As part of this step, you will also create a secret.

Under Discovery, click Amazon Account or Amazon Organization.
Under Connect Sub Integration, select Database, Table, and Role to control the granularity of discovery in each discovered instance. \

After connecting your AWS Account or AWS Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration, along with sub-integrations for each RDS instance, initialize during the first data fetch. The integration becomes Active once the process completes.

Troubleshooting

If RDS instances appear with errors on your Integrations page, follow these steps:

Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance is accessible by an Apono connector within the same network.

For any questions about the discovery process, please contact Apono Support.

AZURE ENVIRONMENT

GCP ENVIRONMENT

KUBERNETES ENVIRONMENT

ADDITIONAL INTEGRATIONS

Network Management

Manage just-in-time, just-enough access to servers, RDPs, internal apps, and more

Development Tools

Apono Integration Secret

Apono supports the following secret managers:

Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

Using the Apono secret store option is not recommended for production environments.

We suggest creating a secret in one of the supported cloud providers secret manager or in a Kubernetes secret. Storing secrets in a secret manager enables Apono to sync and provision cloud resources without the need to store credentials for a specific environment in Apono.

Set Credentials in Apono Secret

From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.

Kubernetes Secret

Use Kubernetes secret to store your connector credentials for the desired integration resources.

Prerequisites

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

Create the secret.

kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

Label the secret with apono-connector-read:true

kubectl label secret <SECRET_NAME> "apono-connector-read=true"

Give the Apono connector permissions to the secret:

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector

Prerequisites

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    labels = {
      "apono-connector-read" = "true"
    }
  }

  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }
  
  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }
  
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\,secret2\,secret3}"
  }
}

Configure Integration to Use Kubernetes Secret

From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.

AWS Secret

Use AWS Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy

Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

AWS role or user with SecretsManagerReadWrite attached policy.

Create a secret

Follow these steps to create a secret:

Select Other type of secret.
Under Key/value pairs, enter your secret through one of the following approaches:
- On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.
- On the Plaintext tab, enter your secret in JSON key/value pairs.
Click Next. The Configure secret page appears.
Under Tags, click Add.
In the Key field, enter apono-connector-read.
In the Value field, enter true.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The AWS Secret

From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.

Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Follow these steps to create a secret:

Navigate to your key vault in the Azure portal.
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
- Upload options: Manual.
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Select Create.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name         = "<SECRET_NAME>"
  value        = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
  key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}

Configure Integration to Use The Azure Secret

From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam

GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Run the following commands to create a secret from the gcloud CLI.

gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Follow these steps to create a secret:

On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}

Configure Integration to Use The GCP Secret

From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.

HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

Prerequisites

Required Apono connector version: 1.6.6
HashiCorp Vault token
- Create token using:

Create Secret in HashiCorp Vault

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

Enable Secret Engine

Verify that the VAULT_NAMESPACE environment variable is set to admin.
```
$ echo $VAULT_NAMESPACE
admin
```
If not, be sure to set it before you continue.
```
$ export VAULT_NAMESPACE=admin
```

Enable key/value v2 secrets engine (kv-v2) at secret/.

$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

Example output:

Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

To verify, read back the secret at secret/test/webapp.

$ vault kv get secret/test/webapp

Example output:

====== Metadata ======
Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

===== Data =====
Key        Value
---        -----
api-key    ABC0DEFG9876

Enable Secret Engine

In the Vault UI, set the current namespace to admin/.

Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.

Enter secret in the Path field.
Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.

Update Apono Connector Configuration to Integrate with HashiCorp Vault

Define vault in your connector using:

environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'
Read from file (docker secrets/secret file mount into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"

To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]

To skip certificate verification use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]

Define HashiCorp Vault Fetch Secret Definition from Secret Manager

HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'

Configure Integration to Use The HashiCorp Vault Secret

From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.

Apono Secret

Use Apono to store your connector credentials for the desired integration resources.

Using the Apono secret store option is not recommended for production environments.

Set Credentials in Apono Secret

From your Integration configuration page expand Secret Store, click on the APONO tab and enter the required credentials information for the integration.

Kubernetes Secret

Use Kubernetes secret to store your connector credentials for the desired integration resources.

Prerequisites

installed in your Kubernetes cluster
command-line interface

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

Create the secret.

kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

Label the secret with apono-connector-read:true

kubectl label secret <SECRET_NAME> "apono-connector-read=true"

Give the Apono connector permissions to the secret:

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector

Prerequisites

installed in your Kubernetes cluster
command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    labels = {
      "apono-connector-read" = "true"
    }
  }

  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }
  
  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }
  
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\,secret2\,secret3}"
  }
}

Configure Integration to Use Kubernetes Secret

From your Integration configuration page expand Secret Store, click on the Kubernetes tab and enter the required secret namespace and name.

AWS Secret

Use AWS Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
command-line interface

Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

AWS role or user with SecretsManagerReadWrite attached policy.

Create a secret

Follow these steps to create a secret:

From the , click Store a new secret. The Choose secret type page appears.
Select Other type of secret.
Under Key/value pairs, enter your secret through one of the following approaches:
- On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.
- On the Plaintext tab, enter your secret in JSON key/value pairs.
Click Next. The Configure secret page appears.
Under Tags, click Add.
In the Key field, enter apono-connector-read.
In the Value field, enter true.

Prerequisites

AWS role or user with SecretsManagerReadWrite attached policy
command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Configure Integration to Use The AWS Secret

From your Integration configuration page expand Secret Store, click on the AWS tab and enter the required secret region and secret name.

Azure Secret

Use Azure Key Vault to store your connector credentials for the desired integration resources.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Follow these steps to create a secret:

Navigate to your key vault in the Azure portal.
On the Key Vault left-hand sidebar, select Objects then select Secrets.
Select + Generate/Import.
On the Create a secret screen choose the following values:
- Upload options: Manual.
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Select Create.

Prerequisites

Azure user with the following permission on the Key Vault:

For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.
For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):
- Get
- Set

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name         = "<SECRET_NAME>"
  value        = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
  key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}

Configure Integration to Use The Azure Secret

From your Integration configuration page expand Secret Store, click on the Azure tab and enter the required secret key vault URL and secret nam

GCP Secret

Use GCP Secret Manager to store your connector credentials for the desired integration resources.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Run the following commands to create a secret from the gcloud CLI.

gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Follow these steps to create a secret:

On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.

Prerequisites

GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}

Configure Integration to Use The GCP Secret

From your Integration configuration page expand Secret Store, click on the GCP tab and enter the required secret Project and secret ID.

HashiCorp Secret

Use HashiCorp Vault to store your connector credentials for the desired integration resources.

Prerequisites

Required Apono connector version: 1.6.6
HashiCorp Vault token
- Create token using:

Create Secret in HashiCorp Vault

You can use one of the following methods to create a secret in HashiCorp Vault to use in your integration.

Enable Secret Engine

Verify that the VAULT_NAMESPACE environment variable is set to admin.
```
$ echo $VAULT_NAMESPACE
admin
```
If not, be sure to set it before you continue.
```
$ export VAULT_NAMESPACE=admin
```

Enable key/value v2 secrets engine (kv-v2) at secret/.

$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

$ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

Example output:

Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

To verify, read back the secret at secret/test/webapp.

$ vault kv get secret/test/webapp

Example output:

====== Metadata ======
Key              Value
---              -----
created_time     2021-06-17T02:48:51.643350733Z
deletion_time    n/a
destroyed        false
version          1

===== Data =====
Key        Value
---        -----
api-key    ABC0DEFG9876

Enable Secret Engine

In the Vault UI, set the current namespace to admin/.

Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.

Enter secret in the Path field.
Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.

Update Apono Connector Configuration to Integrate with HashiCorp Vault

Define vault in your connector using:

environment variable: export HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"}]'
Read from file (docker secrets/secret file mount into the container): export HASHICORP_VAULT_CONFIG_FILE_PATH="/path/to/vault/config.json"

To authenticate HashiCorp Vault with SSL/TLS client certificate you can use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "ca_cert_base64": "BASE64_HASHICORP_VAULT"}]

To skip certificate verification use the following environment variable:

[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN", "skip_verify": "true"}]

Define HashiCorp Vault Fetch Secret Definition from Secret Manager

HASHICORP_VAULT_CONFIG='[{"address":"http://HASHICORP_VAULT_URL","token":"HASHICORP_VAULT_TOKEN"},
{"from_secret_store": "AWS", "region": "AWS_REGION", "secret_id": "AWS_SECRET_ID",},
{"from_secret_store": "GCP", "project": "GCP_PROJECT_ID", "secret_id": "GCP_SECRET_ID"},
{"from_secret_store": "AZURE", "AZURE_KEY_VAULT_URL": "vault_url", "name": "SECRET_NAME"},
{"from_secret_store": "KUBERNETES", "NAMESPACE": "namespace", "name": "SECRET_NAME"}
]'

Configure Integration to Use The HashiCorp Vault Secret

From your Integration configuration page expand Secret Store, click on the HashiCorp tab and enter the required secret Secret engine and Secret path.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

Password Authentication

With password authentication, your database performs all administration of user accounts. You create users with SQL statements such as CREATE USER, with the appropriate clause required by the DB engine for specifying passwords.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';
GRANT GRANT OPTION ON *.* TO 'USER_NAME'@'%';

SHOW DATABASES Allows the user to view all databases in the RDS instance. CREATE USER Grants the ability to create new users. UPDATE Permits updates in the MySQL system database, including user privileges. PROCESS Allows viewing the server's process list, including all executing queries.

Grant the user the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

GRANT ROLE_ADMIN on *.* to USER_NAME;

IAM Authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

2. Copy the following RDS SQL details: * Endpoint: The DNS name of the DB instance. * Port: The port number on which the DB instance accepts connections. 3. Connect to the DB instance using your SQL client using the copied details. 4. Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

Variable

Value

Required

Integration Name

The integration name.

Yes

Auth Type

The authentication method for connecting to an AWS RDS instance, with options for password (username and password) or iam (IAM-based authentication).

Yes

Region

AWS region where the RDS instance is located.

Yes

Instance ID

The unique identifier of the AWS RDS instance.

Yes

Credentials rotation period (in days)

i.e.: 90

User cleanup after access is revoked (in days)

i.e.: 90

When using IAM authentication, **a secret does not need to be created**. The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Setting

Description

Credential Rotation

User cleanup after access is revoked (in days)

(Optional) Defines the number of days after access has been revoked that the user should be deleted

Custom Access Details

(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

Integration Owner

From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.

NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner

Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

NOTE: When this setting is defined, an Integration Owner must also be defined.

Next Steps

CloudSQL - PostgreSQL

Create an integration to manage access to PostgreSQL instances on Google Cloud SQL

Google Cloud SQL PostgreSQL is a fully managed relational database service built for the cloud. It provides a high-performance, scalable, and highly available PostgreSQL database instance without the overhead of managing infrastructure. With Google Cloud SQL, users benefit from Google Cloud's robust infrastructure, which ensures high availability, security, and scalability for their databases.

Through this integration, Apono helps you securely manage access to your Google Cloud SQL PostgreSQL database instances.

To enable Apono to manage Google Cloud SQL PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.

Prerequisites

Item

Description

Apono Connector

Cloud SQL Admin API

Cloud SQL Admin Role

(Cloud IAM authentication only) Google Cloud role that the Apono connector's service user must have at the instance's project or organization level

PostgreSQL Info

Information for the database instance to be integrated:

Create a PostgreSQL user

You must create a user in your PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

You must use the admin account and password to connect to your database.

Following these steps to create a user and grant it permissions:

Use apono_connector for the username.

This authentication method grants the user the cloudsqlsuperuser role. Be sure to set a strong password for the user.

As an alternative, you can run the following command from your Postgre client:

CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password'

Use apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com for the Principal.

This authentication method does not grant the user account database privileges.

Be sure that the Apono connector GCP service account (apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com) has the Cloud SQL Admin role.

(Cloud IAM only) In your preferred client tool, grant cloudsqlsuperuser access to the user account.

ALTER ROLE "<CONNECTOR_USERNAME>" WITH CREATEROLE;
GRANT cloudsqlsuperuser TO "<CONNECTOR_USERNAME>";

In your preferred client tool, grant the cloudsqlsuperuser role privileges on all databases except template0 and cloudsqladmin. This allows Apono to perform tasks that are not restricted to a single schema or object within the database, such as creating, altering, and dropping database objects.

DO $$
DECLARE
  database_name text;
BEGIN
  FOR database_name IN (SELECT datname FROM pg_database WHERE datname != 'template0' AND datname != 'cloudsqladmin') LOOP
    EXECUTE 'GRANT ALL PRIVILEGES ON DATABASE ' || quote_ident(database_name) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
  END LOOP;
END; $$

For each database to be managed through Apono, connect to the database and grant cloudsqlsuperuser privileges on all objects in the schemas. This allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

DO $$
DECLARE
  schema text;
BEGIN
  FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP
    EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
  END LOOP;
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO cloudsqlsuperuser WITH GRANT OPTION';
END; $$

Connect to the template1 database and grant cloudsqlsuperuser privileges on all objects in the schemas. For any new databases created in the future, this allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

DO $$
DECLARE
  schema text;
BEGIN
  FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP
    EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
  END LOOP;
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO cloudsqlsuperuser WITH GRANT OPTION';
  EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO cloudsqlsuperuser WITH GRANT OPTION';
END; $$

When using Cloud IAM authentication, the service account and its permissions are managed through Google Cloud IAM roles and policies. The service account is used to authenticate to the Cloud SQL instance.

A secret does not need to be created.

Integrate Google Cloud SQL - PostgreSQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

Under Discovery, click one or more resource types and cloud services to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.\
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the MySQL service account user:
IAM Auth: Cloud IAM authentication
User / Password: Built-in authentication
Project ID
ID of the project where the PostgreSQL instance is deployed
Region
Location where the PostgreSQL instance is deployed
Instance ID
ID of the PostgreSQL instance
Instance ID User Override
(Optional) Allows overriding the instance ID for the user
Database Name
Name of the database to integrate By default, Apono sets this value to postgre.
SSL Mode
(Optionl) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server:
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL-encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
Click Next. The Secret Store section expands.

A secret is not needed or Cloud IAM authentication.

Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.