Manage Secrets with AWS Secrets Manager

🚧

You only need one secrets.tf file per Sym Environment

If you ran symflow generate, you might already be configured with a secrets.tf file! If so, then you do not need to complete these steps.

How Sym uses AWS Secrets Manager

Sym never stores or persists your secrets on our platform. Instead, the Sym Runtime leverages the Runtime Connector Role with read-only permissions to access values in your AWS Secrets Manager that are tagged with a specific SymEnv.

This page describes how to Terraform the resources needed to create an AWS IAM Policy that Sym will use to gain read-only access to your Secrets Manager secrets that are tagged with SymEnv = environment_name. We will create a file named secrets.tf that:

  • Defines which AWS Secrets Manager instance to connect to.
  • Defines a Read-Only IAM Policy for Secrets Manager.
  • Grants the Runtime Connector Role (defined in runtime.tf) Read-Only Permissions.

📘

Prerequisites

  1. An environment.tf file generated by symflow init
    a. If you have not run symflow init, please follow the instructions in Installing Sym
  2. A Runtime Connector Role defined in runtime.tf
    a. If you do not have a runtime.tf, please follow the instructions in Connecting Sym to AWS

Grant Sym Read-Only Access to AWS Secrets Manager

In the directory that contains your Sym configuration (i.e. the directory created by symflow init), create a new file named secrets.tf with the following contents:

resource "aws_iam_policy" "secrets_manager_access" {
  name = "SymSecretsManager${title(local.environment_name)}"
  path = "/sym/"

  description = "AWS IAM policy granting the Sym Runtime read-only permissions to Secrets Manager secrets tagged with `SymEnv = environment_name`."
  policy      = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SymEnv": "${local.environment_name}" } }
    }
  ]
}
EOT
}

resource "aws_iam_role_policy_attachment" "attach_secrets_manager_access" {
  policy_arn = aws_iam_policy.secrets_manager_access.arn
  role       = aws_iam_role.sym_runtime_connector.name
}

# This resource tells Sym how to access your AWS account's Secrets Manager instance.
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"

  settings = {
    # This tells Sym to use the runtime_context integration defined in runtime.tf to access
    # your AWS account's Secrets Manager.
    context_id = sym_integration.runtime_context.id
  }
}

Finally, run terraform apply to save your configuration.

A look inside your secrets.tf file

This section describes each resource defined in secrets.tf in detail.

Defining a Read-Only IAM Policy for Secrets Manager

This resource describes the AWS IAM Policy that grants the Sym Runtime read-only permissions to Secrets Manager secrets that are tagged with SymEnv = environment_name.

resource "aws_iam_policy" "secrets_manager_access" {
  name = "SymSecretsManager${title(local.environment_name)}"
  path = "/sym/"

  description = "AWS IAM policy granting the Sym Runtime read-only permissions to Secrets Manager secrets tagged with `SymEnv = environment_name`."
  policy      = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SymEnv": "${local.environment_name}" } }
    }
  ]
}
EOT
}
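
To see which secrets this tag condition exposes, the following added example (not part of Sym's own code) evaluates the policy offline against constructed secrets. It is a simplified model of IAM evaluation; the environment name prod, the secret names and the helper functions is_allowed and readable_secrets are assumptions.

```python
import json

# Policy document from secrets.tf with local.environment_name rendered as
# "prod" (a constructed value for this example).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
   "Resource": "*",
   "Condition": {"StringEquals": {"secretsmanager:ResourceTag/SymEnv": "prod"}}
 }]}
""")
TAG_PREFIX = "secretsmanager:ResourceTag/"

# Constructed secrets (name -> tags); none of these come from the page.
SECRETS = {
    "slack-token": {"SymEnv": "prod"},
    "staging-db": {"SymEnv": "staging"},
    "wrong-case": {"SymEnv": "Prod"},
    "untagged-root-key": {},
}


def is_allowed(policy, action, tags):
    """Simplified model of the Allow decision for one secret.
    Handles only what this policy uses: exact action names, Resource "*",
    and StringEquals on resource tags. No Deny, wildcards or other
    operators."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # StringEquals compares values case-sensitively; a missing tag never matches.
        if all(key.startswith(TAG_PREFIX)
               and tags.get(key[len(TAG_PREFIX):]) == value
               for key, value in wanted.items()):
            return True
    return False


def readable_secrets(policy=POLICY, secrets=SECRETS):
    """Names of the secrets whose value the policy lets the role read."""
    return sorted(name for name, tags in secrets.items()
                  if is_allowed(policy, "secretsmanager:GetSecretValue", tags))

if __name__ == "__main__":
    print(readable_secrets())
```

Because access follows the tag, whoever can set the SymEnv tag on a secret (secretsmanager:TagResource) decides what the Sym Runtime can read.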

Granting the Runtime Connector Role Read-Only Permissions

This resource attaches the AWS IAM Policy defined above to the Runtime Connector Role defined in runtime.tf.

resource "aws_iam_role_policy_attachment" "attach_secrets_manager_access" {
  policy_arn = aws_iam_policy.secrets_manager_access.arn
  role       = aws_iam_role.sym_runtime_connector.name
}

Defining a Secret Source

The sym_secrets resource defines a "secret source", telling Sym that your secrets are stored in AWS Secrets Manager, and to assume the Runtime Connector Role defined in your runtime.tf file to access your AWS account's Secrets Manager.

resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"

  settings = {
    # This tells Sym to use the runtime_context integration defined in runtime.tf to access
    # your AWS account's Secrets Manager.
    context_id = sym_integration.runtime_context.id
  }
}

Next Steps

The Sym Runtime should now have read-only access to your AWS Secrets Manager Secrets. In Share Secrets with the Sym Runtime we will describe how to Terraform secrets and share them with the Sym Runtime.