Manage Secrets with AWS Secrets Manager
You only need one `secrets.tf` file per Sym Environment. If you ran `symflow generate`, you might already be configured with a `secrets.tf` file! If so, then you do not need to complete these steps.
How Sym uses AWS Secrets Manager
Sym never stores or persists your secrets on our platform. Instead, the Sym Runtime uses the Runtime Connector Role, with read-only permissions, to access values in your AWS Secrets Manager that are tagged with a specific `SymEnv` tag value.
This page describes how to Terraform the resources needed to create an AWS IAM Policy that Sym will use to gain read-only access to your Secrets Manager secrets that are tagged with `SymEnv = environment_name`. We will create a file named `secrets.tf` that:
- Defines which AWS Secrets Manager instance to connect to.
- Defines a read-only IAM Policy for Secrets Manager.
- Grants the Runtime Connector Role (defined in `runtime.tf`) read-only permissions.
Prerequisites
- An `environment.tf` file generated by `symflow init`
  a. If you have not run `symflow init`, please follow the instructions in Installing Sym
- A Runtime Connector Role defined in `runtime.tf`
  a. If you do not have a `runtime.tf`, please follow the instructions in Connecting Sym to AWS
Grant Sym Read-Only Access to AWS Secrets Manager
In the directory that contains your Sym configuration (i.e. the directory created by `symflow init`), create a new file named `secrets.tf` with the following contents:
```hcl
resource "aws_iam_policy" "secrets_manager_access" {
  name        = "SymSecretsManager${title(local.environment_name)}"
  path        = "/sym/"
  description = "AWS IAM policy granting the Sym Runtime read-only permissions to Secrets Manager secrets tagged with `SymEnv = environment_name`."
  policy = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SymEnv": "${local.environment_name}" } }
    }
  ]
}
EOT
}

resource "aws_iam_role_policy_attachment" "attach_secrets_manager_access" {
  policy_arn = aws_iam_policy.secrets_manager_access.arn
  role       = aws_iam_role.sym_runtime_connector.name
}

# This resource tells Sym how to access your AWS account's Secrets Manager instance.
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"
  settings = {
    # This tells Sym to use the runtime_context integration defined in runtime.tf to access
    # your AWS account's Secrets Manager.
    context_id = sym_integration.runtime_context.id
  }
}
```
Finally, run `terraform apply` to apply your configuration and create these resources.
A look inside your secrets.tf file
This section describes each resource defined in `secrets.tf` in detail.
Defining a Read-Only IAM Policy for Secrets Manager
This resource describes the AWS IAM Policy that grants the Sym Runtime read-only permissions to Secrets Manager secrets that are tagged with `SymEnv = environment_name`.
```hcl
resource "aws_iam_policy" "secrets_manager_access" {
  name        = "SymSecretsManager${title(local.environment_name)}"
  path        = "/sym/"
  description = "AWS IAM policy granting the Sym Runtime read-only permissions to Secrets Manager secrets tagged with `SymEnv = environment_name`."
  policy = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SymEnv": "${local.environment_name}" } }
    }
  ]
}
EOT
}
```
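Because the policy's `Resource` is `"*"`, the only thing that limits which secrets the Sym Runtime can read is the `SymEnv` tag condition, so the two properties worth preserving whenever you edit this policy (in the `secrets.tf` you created above or here) are: only read actions, and a `ResourceTag` condition on any `"*"` resource. The following Python script is an added example, not code from the Sym documentation or the Sym Terraform provider. It renders the policy body with a constructed environment name (`prod`), lints it for those two properties, and evaluates a few constructed, fictitious secrets to show that only secrets tagged `SymEnv = prod` are readable and that untagged secrets and non-read actions stay denied. It models only the IAM semantics this policy uses and is not a substitute for the IAM policy simulator.

```python
"""Offline check of the tag-scoped read-only policy in secrets.tf.

Added example, not Sym's code. Only the IAM semantics this policy uses
are modelled: Allow statements, action lists, Resource "*", and
StringEquals on secretsmanager:ResourceTag/<key>.
"""
import fnmatch
import json

ENVIRONMENT_NAME = "prod"  # constructed stand-in for local.environment_name

# Policy body as written in secrets.tf, before Terraform renders it.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SymEnv": "${local.environment_name}" } }
    }
  ]
}"""

# Secrets Manager actions that only read; anything else is a lint finding.
READ_ONLY_ACTIONS = {"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
                     "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds"}

# Constructed secrets and their tags; not from any real account.
SAMPLE_SECRETS = {"prod/db-password": {"SymEnv": "prod"},
                  "staging/db-password": {"SymEnv": "staging"},
                  "prod/untagged-api-key": {}}


def render_policy(environment_name):
    """Substitute the Terraform local and parse the JSON document."""
    return json.loads(POLICY_TEMPLATE.replace("${local.environment_name}", environment_name))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_read_only(policy):
    """Findings that break least privilege: a non-read or wildcard action,
    or Resource "*" with no secretsmanager:ResourceTag condition."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {i}: non-read-only action {action!r}")
        tag_keys = [key for block in stmt.get("Condition", {}).values()
                    for key in block if key.startswith("secretsmanager:ResourceTag/")]
        if "*" in _as_list(stmt.get("Resource", [])) and not tag_keys:
            findings.append(f"statement {i}: Resource '*' without a ResourceTag condition")
    return findings


def _conditions_match(condition, secret_tags):
    """True only if every StringEquals ResourceTag key equals the secret's tag.
    A missing tag never matches (so untagged secrets stay denied); operators
    or keys this example does not model are treated as not matching."""
    for operator, block in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in block.items():
            if not key.startswith("secretsmanager:ResourceTag/"):
                return False
            if secret_tags.get(key.split("/", 1)[1]) != expected:
                return False
    return True


def is_allowed(policy, action, secret_tags):
    """Default-deny evaluation of one action against a secret's tags."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # only the "*" resource from secrets.tf is modelled
        if _conditions_match(stmt.get("Condition", {}), secret_tags):
            return True
    return False


def readable_secrets(policy, secrets):
    """Names of the secrets whose value the Sym Runtime could read."""
    return sorted(name for name, tags in secrets.items()
                  if is_allowed(policy, "secretsmanager:GetSecretValue", tags))


if __name__ == "__main__":
    policy = render_policy(ENVIRONMENT_NAME)
    print("lint findings:", lint_read_only(policy) or "none")
    print(f"readable with SymEnv={ENVIRONMENT_NAME}:", readable_secrets(policy, SAMPLE_SECRETS))
```

Run it after any change to the policy block: a new action outside the read-only set, or a dropped condition, shows up as a lint finding before `terraform apply`, and the readable list makes it obvious when a secret from another environment or an untagged secret would become visible to the Sym Runtime.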
Granting the Runtime Connector Role Read-Only Permissions
This resource attaches the AWS IAM Policy defined above to the Runtime Connector Role defined in `runtime.tf`.
```hcl
resource "aws_iam_role_policy_attachment" "attach_secrets_manager_access" {
  policy_arn = aws_iam_policy.secrets_manager_access.arn
  role       = aws_iam_role.sym_runtime_connector.name
}
```
Defining a Secret Source
The `sym_secrets` resource defines a "secret source", telling Sym that your secrets are stored in AWS Secrets Manager, and to assume the Runtime Connector Role defined in your `runtime.tf` file to access your AWS account's Secrets Manager.
```hcl
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"
  settings = {
    # This tells Sym to use the runtime_context integration defined in runtime.tf to access
    # your AWS account's Secrets Manager.
    context_id = sym_integration.runtime_context.id
  }
}
```
Next Steps
The Sym Runtime should now have read-only access to your AWS Secrets Manager Secrets. In Share Secrets with the Sym Runtime we will describe how to Terraform secrets and share them with the Sym Runtime.