Apono Integration Secret

Prerequisites

• Apono connector installed in your Kubernetes cluster

• Kubectl command-line interface

Create a secret

Run the following commands to create a secret from the Kubectl CLI.

1. Create the secret.

kubectl create secret generic <SECRET_NAME> --from-literal=<KEY1>=<VALUE1> --from-literal=<KEY2>=<VALUE2>

1. Label the secret with apono-connector-read:true

kubectl label secret <SECRET_NAME> "apono-connector-read=true"

1. Give the Apono connector permissions to the secret:

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=<APONO_TOKEN> \
    --set-string apono.connectorId=<CONNECTOR_NAME> \
    --set serviceAccount.manageClusterRoles=true \
    --set allowedSecretsToRead={secret1\,secret2\,secret3} \
    --namespace apono-connector 

Prerequisites

• Apono connector installed in your Kubernetes cluster

• Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.32.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.15.0"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "kubernetes_secret" "apono-k8s-secret" {
  metadata {
    name = "<SECRET_NAME>"
    namespace = "<NAMESPACE>"
    labels = {
      "apono-connector-read" = "true"
    }
  }

  data = {
    <KEY1> = "<VALUE1>"
    <KEY2> = "<VALUE2>"
  }
  
  type = "Opaque"
}

resource "helm_release" "apono-helm" {
  name       = "apono-connector"
  repository = "https://apono-io.github.io/apono-helm-charts"
  chart      = "apono-connector"
  namespace  = "<NAMESPACE>"

  set {
    name  = "apono.token"
    value = "<APONO_TOKEN>"
    type  = "string"
  }

  set {
    name  = "apono.connectorId"
    value = "<CONNECTOR_NAME>"
    type  = "string"
  }

  set {
    name  = "serviceAccount.manageClusterRoles"
    value = "true"
  }
  
  set {
    name  = "allowedSecretsToRead"
    value = "{secret1\,secret2\,secret3}"
  }
}

Prerequisites

• AWS role or user with SecretsManagerReadWrite attached policy

• AWS command-line interface

Create a secret

Run the following commands to create a secret from the AWS CLI.

aws secretsmanager create-secret \
--name "<SECRET_NAME>" \
--tags '[{"Key":"apono-connector-read","Value":"true"}]' \
--region <REGION> \
--secret-string '{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisite

• AWS role or user with SecretsManagerReadWrite attached policy.

Create a secret

Follow these steps to create a secret:

1. From the Secret Manager, click Store a new secret. The Choose secret type page appears.

2. Select Other type of secret.

3. Under Key/value pairs, enter your secret through one of the following approaches:

   • On the Key/value tab, enter your information in the two fields: key in the first field, value in the second field.

   • On the Plaintext tab, enter your secret in JSON key/value pairs.

4. Click Next. The Configure secret page appears.

5. Under Tags, click Add.

6. In the Key field, enter apono-connector-read.

7. In the Value field, enter true.

Prerequisites

• AWS role or user with SecretsManagerReadWrite attached policy

• Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "aws_secretsmanager_secret" "<SECRET_NAME>" {
  name = "<SECRET_NAME>"
  // This tag allows the Apono connector role to read the secret with predefined policy 
  tags = {
    "apono-connector-read" = "true"
  }
}

resource "aws_secretsmanager_secret_version" "<SECRET_NAME>" {
  secret_id     = aws_secretsmanager_secret.<SECRET_NAME>.id
  secret_string = jsonencode({
    KEY1 = "VALUE1",
    KEY2 = "VALUE2"
  })
}

Prerequisites

Azure user with the following permission on the Key Vault:

• For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.

• For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):

  • Get

  • Set

• Azure command-line interface

Create a secret

Run the following commands to create a secret from the Azure CLI.

az keyvault secret set \
--vault-name "<KEYVAULT_NAME>" \
--name "<SECRET_NAME>" \
--value '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'

Prerequisites

Azure user with the following permission on the Key Vault:

• For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.

• For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):

  • Get

  • Set

Create a secret

Follow these steps to create a secret:

1. Navigate to your key vault in the Azure portal.

2. On the Key Vault left-hand sidebar, select Objects then select Secrets.

3. Select + Generate/Import.

4. On the Create a secret screen choose the following values:

   • Upload options: Manual.

   • Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning

   • Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.

   • Leave the other values to their defaults. Select Create.

Prerequisites

Azure user with the following permission on the Key Vault:

• For Azure Key Vault that configured with 'Azure role-based access control' permission model grant the user the Key Vault Secrets Officer role.

• For Azure Key Vault that configured with 'access policy' permission model create and grant the user an access policy with the following secret permissions (Secret Management Operations):

  • Get

  • Set

• Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

data "azurerm_key_vault" "<KEY_VAULT>" {
  name                = "<KEY_VAULT_NAME>"
  resource_group_name = "<KEY_VAULT_RESOURCE_GROUP_NAME>"
}

resource "azurerm_key_vault_secret" "<SECRET_NAME>" {
  name         = "<SECRET_NAME>"
  value        = '{"<KEY1>": "<VALUE1>", "<KEY2>": "<VALUE2>"}'
  key_vault_id = azurerm_key_vault.<KEY_VAULT>.id
}

Prerequisites

• GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

• Secret Manager API (enabled once per project)

• gcloud command-line interface

Create a secret

Run the following commands to create a secret from the gcloud CLI.

gcloud secrets create <SECRET_NAME> \
    --replication-policy="<REPLICATION-POLICY>" \
    --data-file=-

gcloud secrets versions access 1 --secret='{"KEY1":"VALUE1","KEY2":"VALUE2"}'

Prerequisites

• GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

• Secret Manager API (enabled once per project)

Create a secret

Follow these steps to create a secret:

1. Go to the Secret Manager page in the Google Cloud console.

2. On the Secret Manager page, click Create Secret.

3. On the Create secret page, under Name, enter my-secret.

4. In the Secret value field, enter my super secret data.

5. Click the Create secret button.

Prerequisites

• GCP user with Secret Manager Admin(roles/secretmanager.admin) role.

• Secret Manager API (enabled once per project)

• Terraform command-line interface

Create a secret

Use the following configuration to create a secret from the Terraform CLI.

resource "google_secret_manager_secret" "<SECRET_NAME>" {
  secret_id = "<SECRET_NAME>"

  replication {
    <REPLICATION-POLICY>
  }
}

resource "google_secret_manager_secret_version" "<SECRET_NAME>-version" {
  secret = google_secret_manager_secret.<SECRET_NAME>.id

  secret_data = '{"KEY1":"VALUE1","KEY2":"VALUE2"}'
}

Enable Secret Engine

If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

1. Verify that the VAULT_NAMESPACE environment variable is set to admin.

   Copy

   $ echo $VAULT_NAMESPACE
   admin

   If not, be sure to set it before you continue.

   Copy

   $ export VAULT_NAMESPACE=admin

2. Enable key/value v2 secrets engine (kv-v2) at secret/.

   Copy

   $ vault secrets enable -path=secret kv-v2
   Success! Enabled the kv-v2 secrets engine at: secret/

Create New Secret

1. Store api-key with value ABC0DEFG9876 at the path secret/test/webapp.

   Copy

   $ vault kv put secret/test/webapp api-key="ABC0DEFG9876"

   Example output:

   Copy

   Key              Value
   ---              -----
   created_time     2021-06-17T02:48:51.643350733Z
   deletion_time    n/a
   destroyed        false
   version          1

2. To verify, read back the secret at secret/test/webapp.

   Copy

   $ vault kv get secret/test/webapp

   Example output:

   Copy

   ====== Metadata ======
   Key              Value
   ---              -----
   created_time     2021-06-17T02:48:51.643350733Z
   deletion_time    n/a
   destroyed        false
   version          1
   
   ===== Data =====
   Key        Value
   ---        -----
   api-key    ABC0DEFG9876

Enable Secret Engine

1. In the Vault UI, set the current namespace to admin/.

1. Select Secrets engines.

2. Click Enable new engine.

3. Select KV from the list, and then click Next.

1. Enter secret in the Path field.

2. Click Enable Engine to complete.

Now that you have a secret engine enabled, you will create a new secret.

Create New Secret

1. Click Create secret. Enter test/webapp in the Path for this secret field.

2. Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.