Manage Secrets with AWS Secrets Manager
This page assumes you have completed Getting Started: Implement Your First Flow, or already have some basic Sym resources created. If you have not created any Sym resources yet, please visit the Getting Started pages first.
How Sym uses AWS Secrets Manager
Sym connects with the AWS Secrets Manager in your AWS account to manage secrets. There are several components required in the Terraform configuration to allow the Sym Runtime access to your AWS account:
- The runtime-connector module
- A sym_integration of type permission_context
- A sym_secrets resource
Connect the Sym Runtime with your AWS Account
You only need one Runtime Connector and Permission Context per environment
The steps in this section are largely the same as the instructions in Integrating Services: AWS.
If you already have a Runtime Connector module, you only need to add the Secrets Manager Add-on (addons = ["aws/secretsmgr"]) and you can move on to "Declare a Sym Secrets Resource".
Declare the Runtime Connector Module
To be able to access your secrets, the Sym Runtime needs to be able to assume an IAM role in your AWS account. The runtime-connector module creates an AWS IAM Role in your AWS account that the Sym Runtime can assume. The aws/secretsmgr add-on gives the IAM role generated by the module permissions to access secrets in your AWS environment.
For more information about the runtime-connector module, see: Runtime Connector
For more information about the aws/secretsmgr add-on, see: Secrets Manager Addon
To set this up, add the following code to your Terraform configuration.
# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons      = ["aws/secretsmgr"]
  environment = "main"
}
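The role created above is assumed cross-account by the Sym Runtime, so before wiring it into a Sym Integration it is worth confirming two properties of any such role: the trust policy names a specific principal and requires an external ID, and the permissions policy does not grant wildcard Secrets Manager access. The following Python script is an added example, not code from the Sym documentation or the runtime-connector module; the two policy documents in it are constructed samples with placeholder account IDs, an invented external ID and a hypothetical sym/ secret-name prefix, and do not claim to show what the module actually generates. The checks themselves are generic IAM policy hygiene that applies to any cross-account role.

```python
"""Pre-flight checks for an IAM role that an external runtime assumes.

Added example; not part of the Sym docs or the runtime-connector module.
The policy documents below are CONSTRUCTED samples (placeholder account
IDs, invented external ID, hypothetical secret prefix), not module output.
"""
import json

# Constructed sample trust policy for the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}

# Constructed sample permissions policy, scoped to secrets under a hypothetical sym/ prefix.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "arn:aws:secretsmanager:us-east-1:222222222222:secret:sym/*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return a list of problems found in the AssumeRole statements of a trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else []
        if isinstance(principal, dict):
            for value in principal.values():
                principals.extend(_as_list(value))
        if "*" in principals:
            findings.append("AssumeRole is allowed for any principal")
        # The external-ID condition is the standard confused-deputy mitigation for
        # roles assumed by a third party.
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys for keys in condition.values() if isinstance(keys, dict)
        )
        if not has_external_id:
            findings.append("AssumeRole statement does not require sts:ExternalId")
    return findings


def permissions_findings(policy):
    """Return a list of problems found in the Secrets Manager grants of a permissions policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        touches_secrets = any(a in ("*", "secretsmanager:*") or a.startswith("secretsmanager:") for a in actions)
        if not touches_secrets:
            continue
        if any(a in ("*", "secretsmanager:*") for a in actions):
            findings.append("Wildcard Secrets Manager actions granted")
        if "*" in resources:
            findings.append("Secrets Manager actions are not scoped to specific secret ARNs")
    return findings


if __name__ == "__main__":
    report = {
        "trust_policy": trust_policy_findings(TRUST_POLICY),
        "permissions_policy": permissions_findings(PERMISSIONS_POLICY),
    }
    print(json.dumps(report, indent=2))  # both lists are empty for the sample policies
```

To run this against a real role, replace the two constants with the documents returned by `iam:GetRole` (the AssumeRolePolicyDocument) and by the role's attached or inline policies; an empty findings list for both is the expected result for a well-scoped runtime role.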
Declare the Runtime Permission Context
The runtime_connector module created the AWS resources necessary for the Sym Runtime to access resources in your AWS account, but we still need to Terraform the Sym resources needed for the Sym Runtime to know which IAM role it should assume. This is done with a sym_integration resource with type = permission_context.
# An Integration that tells the Sym Runtime which IAM Role to assume in your Account
# (The IAM Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type        = "permission_context"
  name        = "runtime-main"
  settings    = module.runtime_connector.settings
  external_id = module.runtime_connector.settings.account_id
}
Declare a Sym Secrets Resource
The sym_secrets resource tells Sym how to access your secrets. For example, this resource will tell Sym to connect to AWS Secrets Manager with the permissions defined by the sym_integration.runtime_context resource.
# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "secrets-main"
  settings = {
    context_id = sym_integration.runtime_context.id
  }
}
Full configuration example
############ General AWS Secrets Manager Setup ##############

# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons      = ["aws/secretsmgr"]
  environment = "main"
}

# An Integration that tells the Sym Runtime resource which AWS Role to assume
# (The AWS Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type        = "permission_context"
  name        = "main-runtime"
  external_id = module.runtime_connector.settings.account_id
  settings    = module.runtime_connector.settings
}

# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "main-sym-secrets"
  settings = {
    context_id = sym_integration.runtime_context.id
  }
}
Next Steps
The Sym Runtime should now have access to your AWS Secrets Manager Secrets. In Share Secrets with the Sym Runtime we will describe how to Terraform secrets and share them with the Sym Runtime.