Manage Secrets with AWS Secrets Manager

This page assumes you have completed Getting Started: Implement Your First Flow, or already have some basic Sym resources created. If you have not created any Sym resources yet, please visit the Getting Started pages first.

How Sym uses AWS Secrets Manager

Sym connects with the AWS Secrets Manager in your AWS account to manage secrets. There are several components required in the Terraform configuration to allow the Sym Runtime access to your AWS account:

Connect the Sym Runtime with your AWS Account

You only need one Runtime Connector and Permission Context per environment

The steps in this section are largely the same as the instructions in Integrating Services: AWS.

If you already have a Runtime Connector module, you only need to add the Secrets Manager Add-on (addons = ["aws/secretsmgr"]) and can move on to "Declare a Sym Secrets Resource".

Declare the Runtime Connector Module

To be able to access your secrets, the Sym Runtime needs to be able to assume an IAM role in your AWS account. The runtime-connector module creates an AWS IAM Role in your AWS account that the Sym Runtime can assume. The aws/secretsmgr add-on gives the IAM role generated by the module permissions to access secrets in your AWS environment.

For more information about the runtime-connector module, see: Runtime Connector

For more information about the aws/secretsmgr add-on, see: Secrets Manager Addon

To set this up, add the following code to your Terraform configuration.

# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"
  
  # The aws/secretsmgr addon is required to access secrets
  addons = ["aws/secretsmgr"]
  
  environment = "main"
}

Declare the Runtime Permission Context

The runtime_connector module created the AWS resources the Sym Runtime needs to access your AWS account, but we still need to Terraform the Sym resources that tell the Sym Runtime which IAM role it should assume.

This is done with a sym_integration resource with type = permission_context.

# An Integration that tells the Sym Runtime which IAM Role to assume in your Account
# (The IAM Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type = "permission_context"
  name = "runtime-main"

  settings    = module.runtime_connector.settings
  external_id = module.runtime_connector.settings.account_id
}

Declare a Sym Secrets Resource

The sym_secrets resource tells Sym how to access your secrets. For example, this resource will tell Sym to connect to AWS Secrets Manager with the permissions defined by the sym_integration.runtime_context resource.

# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "secrets-main"

  settings = {
    context_id = sym_integration.runtime_context.id
  }
}

Full configuration example

############ General AWS Secrets Manager Setup ##############

# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons = ["aws/secretsmgr"]

  environment = "main"
}

# An Integration that tells the Sym Runtime which IAM Role to assume in your Account
# (The IAM Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type = "permission_context"
  name = "main-runtime"

  external_id = module.runtime_connector.settings.account_id
  settings    = module.runtime_connector.settings
}

# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "main-sym-secrets"

  settings = {
    context_id = sym_integration.runtime_context.id
  }
}
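The note above says you need one Runtime Connector and Permission Context per environment. As an added example (not from the Sym docs), here is the same configuration generalized to two environments with for_each; the environment names, the sym_environments local and the assumption that both environments live in the same AWS account and provider configuration are ours.

```hcl
locals {
  # Constructed list of Sym environments; each gets its own connector,
  # permission context and secrets resource (one per environment).
  sym_environments = toset(["main", "staging"])
}

# One IAM Role per environment that the Sym Runtime can assume.
# Module for_each requires Terraform >= 0.13.
module "runtime_connector" {
  for_each = local.sym_environments

  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons = ["aws/secretsmgr"]

  environment = each.key
}

# One Permission Context per environment, pointing at that environment's role.
resource "sym_integration" "runtime_context" {
  for_each = local.sym_environments

  type = "permission_context"
  name = "runtime-${each.key}"

  settings    = module.runtime_connector[each.key].settings
  external_id = module.runtime_connector[each.key].settings.account_id
}

# One sym_secrets resource per environment, bound to that environment's context,
# so the "main" Runtime never uses the "staging" role and vice versa.
resource "sym_secrets" "this" {
  for_each = local.sym_environments

  type = "aws_secrets_manager"
  name = "secrets-${each.key}"

  settings = {
    context_id = sym_integration.runtime_context[each.key].id
  }
}
```

Downstream resources reference a specific environment with an index, for example sym_secrets.this["staging"].id.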

Next Steps

The Sym Runtime should now have access to your AWS Secrets Manager Secrets. In Share Secrets with the Sym Runtime we will describe how to Terraform secrets and share them with the Sym Runtime.
