Share Secrets with the Sym Runtime

Most Integrations will require some form of authentication, such as an API key. In this section, we will describe how to share these sensitive secrets with Sym securely through AWS Secrets Manager.

Does Sym have access to your AWS Secrets Manager?

This page assumes that you have already configured all the resources described in Manage Secrets with AWS Secrets Manager.

Create an AWS Manager Secret

The aws_secretsmanager_secret resource is a Terraform resource that manages the metadata of an AWS Secrets Manager secret: its name, description and tags.

Note that this only declares the secret; it does not populate its value.

resource "aws_secretsmanager_secret" "my_secret" {
  name        = "sym/main/my-secret"
  description = "A secret needed for interacting with an external service"

  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module,
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}

Populate the secret value

You can populate the secret in two ways:

  • A plain value
  • A JSON blob

A JSON blob is useful when several values belong together and are rotated together, such as an Aptible bot username and password. In general, use a plain value.

Using the AWS CLI

You can use the AWS CLI put-secret-value command to populate the value. Note that a value passed directly with --secret-string is recorded in your shell history and is visible in the process list while the command runs; the AWS CLI also accepts --secret-string file://path, which reads the value from a file instead.

Plain value

# The secret-id must match the `name` parameter of the `aws_secretsmanager_secret` resource
aws secretsmanager put-secret-value --secret-id "sym/main/my-secret" --secret-string "YOUR-SECRET-VALUE"

JSON blob

# The secret-id must match the `name` parameter of the `aws_secretsmanager_secret` resource
# The value must be valid JSON; its keys are the ones your sym_secret resources will reference with json_key
aws secretsmanager put-secret-value --secret-id "sym/main/my-secret" --secret-string '{"username": "EXAMPLE-USERNAME", "password": "EXAMPLE-PASSWORD"}'

Using the AWS console

Alternatively, you can do this in a browser through the AWS console: find the secret in AWS Secrets Manager and update its value manually. See AWS's documentation: Modify a Secret.

Share the Secret with the Sym Runtime

The sym_secret resource tells Sym how to find a specific secret by providing the source (AWS Secrets Manager) and the name of the secret, so that Sym knows where to look and what to look for.

The configuration varies depending on whether you populated your AWS Secrets Manager Secret with a plain value or with a JSON blob.

Plain value

In this case, the Sym Runtime will use the value in your AWS Secrets Manager Secret directly.

resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id

  # Name of the secret in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name
}

JSON blob

In this case, the Sym Runtime will parse the value in your AWS Secrets Manager Secret as JSON and extract the value of the top-level key named by the json_key setting. Each sym_secret resource maps to exactly one key, so a blob with two keys needs two sym_secret resources.

For example, if your secret was populated with the following:

{
  "username": "EXAMPLE-USERNAME",
  "password": "EXAMPLE-PASSWORD"
}

You can extract the values as follows:

resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id

  # Name of the secret in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name

  settings = {
    json_key = "username"
  }
}

resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id

  # Name of the secret in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name

  settings = {
    json_key = "password"
  }
}
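The CLI step in "Populate the secret value" and the json_key mapping above are easy to get subtly wrong: a password containing a quote or backslash produces invalid JSON, a key that does not match any json_key makes the runtime's extraction fail, a missing SymEnv tag makes the aws/secretsmgr addon deny access, and a value passed as a command-line argument lands in shell history. The script below is an added example, not code from the Sym documentation or the Sym provider. It builds the JSON blob with escaping, checks that every key the sym_secret resources reference is present, confirms the SymEnv tag with describe-secret, and uploads through --secret-string file://. The secret name sym/main/my-credentials, the SymEnv value main, the credential values and the SYM_APPLY switch are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the Sym docs or the Sym provider.
# Builds the JSON credentials blob for sym_secret resources that use json_key,
# verifies it before upload, and pushes it to AWS Secrets Manager.
set -eu

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, for the check below

# Escape one value for use inside a JSON string literal. Multi-line values are
# rejected rather than silently producing invalid JSON.
json_escape() {
  case "$1" in
    *"$NL"*) echo "json_escape: multi-line values are not supported" >&2; return 1 ;;
  esac
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the blob the bot_username / bot_password sym_secret resources expect.
build_credentials_json() {
  u=$(json_escape "$1") || return 1
  p=$(json_escape "$2") || return 1
  printf '{"username":"%s","password":"%s"}' "$u" "$p"
}

# Fail if any key a sym_secret json_key will ask for is missing from the blob.
check_json_keys() {
  json=$1; shift
  for key in "$@"; do
    case "$json" in
      *"\"$key\":"*) ;;
      *) echo "secret JSON has no \"$key\" key; the sym_secret with json_key = \"$key\" would fail" >&2
         return 1 ;;
    esac
  done
}

# The aws/secretsmgr addon only grants access to secrets whose SymEnv tag matches
# the runtime_connector environment, so confirm the tag before uploading.
check_sym_env_tag() {
  secret_id=$1; expected=$2
  actual=$(aws secretsmanager describe-secret --secret-id "$secret_id" \
             --query 'Tags[?Key==`SymEnv`].Value' --output text)
  [ "$actual" = "$expected" ] || {
    echo "SymEnv tag on $secret_id is '$actual', expected '$expected'" >&2; return 1; }
}

# Upload via file:// so the secret never appears as a command-line argument
# (shell history, ps output). The temp file is created 0600 and removed afterwards.
put_secret_from_file() {
  secret_id=$1; value=$2
  tmp=$(umask 077 && mktemp)
  printf '%s' "$value" > "$tmp"
  aws secretsmanager put-secret-value --secret-id "$secret_id" \
      --secret-string "file://$tmp" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}

# Constructed placeholder values; in practice read them from a password manager
# or your CI secret store, never from a committed file.
json=$(build_credentials_json "bot@example.com" 'p"ss\word')
check_json_keys "$json" username password
if [ "${SYM_APPLY:-0}" = "1" ]; then
  check_sym_env_tag "sym/main/my-credentials" "main"
  put_secret_from_file "sym/main/my-credentials" "$json"
else
  echo "dry run: JSON blob built and keys verified; set SYM_APPLY=1 to upload"
fi
```

Run it once without SYM_APPLY to confirm the blob and key check pass, then with SYM_APPLY=1 and AWS credentials that can call describe-secret and put-secret-value on the target secret. The key list passed to check_json_keys should be kept in step with the json_key values in your sym_secret resources.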

Full Configuration Example

############ General AWS Secrets Manager Setup ##############

# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/aws"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons = ["aws/secretsmgr"]

  environment = "main"
}

# An Integration that tells the Sym Runtime resource which AWS Role to assume
# (The AWS Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type = "permission_context"
  name = "main-runtime"

  external_id = module.runtime_connector.settings.account_id
  settings    = module.runtime_connector.settings
}

# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "main-sym-secrets"

  settings = {
    context_id = sym_integration.runtime_context.id
  }
}

############ Plain Value Secret Setup ##############

# An AWS Secrets Manager Secret to hold your API Key. Set the value with:
# aws secretsmanager put-secret-value --secret-id "sym/main/my-api-key" --secret-string "YOUR-API-KEY"
resource "aws_secretsmanager_secret" "my_api_key" {
  name        = "sym/main/my-api-key"
  description = "API Key for Sym to interact with external services"

  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module,
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}

# This resource tells Sym how to access your Secret
resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access
  # i.e. AWS Secrets Manager, access with IAM Role.
  source_id = sym_secrets.this.id

  # Name of the key in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_api_key.name
}

############ JSON Value Secret Setup ##############

# An AWS Secrets Manager Secret to hold your credentials. Set the value with:
# aws secretsmanager put-secret-value --secret-id "sym/main/my-credentials" --secret-string '{"username": "foo", "password": "bar"}'
resource "aws_secretsmanager_secret" "my_credentials" {
  name        = "sym/main/my-credentials"
  description = "JSON Credentials for Sym to interact with external services"

  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module,
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}

# These resources tell Sym how to extract each value from the JSON Secret above
resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role (sym_secrets.this above).
  source_id = sym_secrets.this.id

  # Name of the secret in AWS Secrets Manager; must reference the JSON secret declared above
  path = aws_secretsmanager_secret.my_credentials.name

  settings = {
    json_key = "username"
  }
}

resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role (sym_secrets.this above).
  source_id = sym_secrets.this.id

  # Name of the secret in AWS Secrets Manager; must reference the JSON secret declared above
  path = aws_secretsmanager_secret.my_credentials.name

  settings = {
    json_key = "password"
  }
}

These secrets can now be used in Sym Integrations to enable Sym Strategies and SDK methods.

Configuring sym_integration Resources

With your sym_secret resources, you can now configure the specific Integration that you require for your Flow and impl.py.
