Share Secrets with the Sym Runtime
Most Integrations will require some form of authentication, such as an API key. In this section, we will describe how to share these sensitive secrets with Sym securely through AWS Secrets Manager.
Does Sym have access to your AWS Secrets Manager?
This page assumes that you have already configured all the resources described in Manage Secrets with AWS Secrets Manager.
Create an AWS Manager Secret
The aws_secretsmanager_secret resource is a Terraform resource that manages AWS Secrets Manager secret metadata.
Note that this only declares the secret, but does not populate its value.
resource "aws_secretsmanager_secret" "my_secret" {
  name        = "sym/main/my-secret"
  description = "A secret needed for interacting with an external service"
  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}
Populate the secret value
You can populate the secret in two ways:
- A plain value
- A JSON blob
A JSON blob is useful if your values are closely related, such as an Aptible bot username and password. In general, you will want to use the plain value.
Using the AWS CLI
You can use the AWS CLI put-secret-value command to populate the value.
Plain value
# The secret-id must match the `name` parameter of the `aws_secretsmanager_secret` resource
aws secretsmanager put-secret-value --secret-id "sym/main/my-secret" --secret-string "YOUR-SECRET-VALUE"
JSON blob
# The secret-id must match the `name` parameter of the `aws_secretsmanager_secret` resource
# Make sure the JSON is a valid JSON string
aws secretsmanager put-secret-value --secret-id "sym/main/my-secret" --secret-string '{"username":"[email protected]", "password": "EXAMPLE-PASSWORD"}'
Using the AWS console
Alternatively, this can be done in a browser by visiting the AWS console. Find the secret in AWS Secrets Manager, and update the value manually. See AWS's documentation: Modify a Secret.
Share the Secret with the Sym Runtime
The sym_secret resource tells Sym how to find a specific secret by providing the source (AWS Secrets Manager) and the name of the secret, so that Sym knows where to look and what to look for.
The configuration will vary depending on if you populated your AWS Secrets Manager Secret with a plain value or with a JSON blob.
Plain value
In this case, the Sym Runtime will use the value in your AWS Secrets Manager Secret directly.
resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name
}
JSON blob
In this case, the Sym Runtime will parse the value in your AWS Secrets Manager Secret as JSON and attempt to extract the value defined by the json_key setting.
For example, if your secret was populated with the following:
{
  "username": "[email protected]",
  "password": "EXAMPLE-PASSWORD"
}
You can extract the values as follows:
resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name
  settings = {
    json_key = "username"
  }
}
resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  # This resource was defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_secret.name
  settings = {
    json_key = "password"
  }
}
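The two steps above rely on the blob being valid JSON, on every json_key a sym_secret asks for actually being present in it, and on the secret carrying a SymEnv tag that matches the runtime environment. The following pre-flight script is an added example, not part of the Sym documentation or the Sym provider: it checks those three conditions offline, on constructed inputs (a placeholder credential blob and a hand-built dict shaped like `aws secretsmanager describe-secret` output), and builds the put-secret-value command with the JSON serialized by the json module rather than quoted by hand.

```python
"""Pre-flight checks for a Sym secret stored in AWS Secrets Manager.

Added example, not Sym's or AWS's code. Everything here runs offline:
the credential blob, the json_key list and the describe-secret output
are constructed placeholders, not values fetched from an AWS account.
"""
import json
import shlex

# Must equal the `environment` argument of the runtime_connector module.
RUNTIME_ENVIRONMENT = "main"


def validate_json_blob(secret_string: str, required_keys: list[str]) -> dict:
    """Parse the blob the way a json_key lookup needs it: a JSON object whose
    values are strings, containing every key a sym_secret will request.
    Raises ValueError with the concrete reason otherwise."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret-string is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise ValueError("secret-string must be a JSON object, not a bare value or array")
    non_strings = [k for k, v in data.items() if not isinstance(v, str)]
    if non_strings:
        raise ValueError(f"values must be strings; offending keys: {non_strings}")
    missing = [k for k in required_keys if k not in data]
    if missing:
        raise ValueError(f"json_key(s) not present in blob: {missing}")
    return data


def blob_problem(secret_string: str, required_keys: list[str]):
    """Return the validation error message, or None when the blob is acceptable."""
    try:
        validate_json_blob(secret_string, required_keys)
    except ValueError as exc:
        return str(exc)
    return None


def put_secret_value_argv(secret_id: str, values: dict) -> list[str]:
    """Build the AWS CLI argv. Serialising with json.dumps avoids hand-quoting
    JSON inside a shell string. `secret_id` must equal the `name` of the
    aws_secretsmanager_secret resource."""
    return ["aws", "secretsmanager", "put-secret-value",
            "--secret-id", secret_id,
            "--secret-string", json.dumps(values, separators=(",", ":"))]


def check_symenv_tag(describe_output: dict, environment: str) -> bool:
    """True when the secret's SymEnv tag equals the runtime environment; the
    aws/secretsmgr addon only grants access to secrets tagged this way."""
    tags = {t.get("Key"): t.get("Value") for t in describe_output.get("Tags", [])}
    return tags.get("SymEnv") == environment


# Constructed sample inputs (placeholders, not real credentials).
CREDENTIALS_BLOB = '{"username": "bot@example.com", "password": "EXAMPLE-PASSWORD"}'
REQUIRED_JSON_KEYS = ["username", "password"]
DESCRIBE_SECRET_OK = {  # shape of `aws secretsmanager describe-secret` output
    "Name": "sym/main/my-secret",
    "Tags": [{"Key": "SymEnv", "Value": "main"}],
}
DESCRIBE_SECRET_WRONG_ENV = {  # tagged for a different environment: access would be denied
    "Name": "sym/staging/my-secret",
    "Tags": [{"Key": "SymEnv", "Value": "staging"}],
}

if __name__ == "__main__":
    values = validate_json_blob(CREDENTIALS_BLOB, REQUIRED_JSON_KEYS)
    print(shlex.join(put_secret_value_argv("sym/main/my-secret", values)))
    print("SymEnv ok (main):", check_symenv_tag(DESCRIBE_SECRET_OK, RUNTIME_ENVIRONMENT))
    print("SymEnv ok (staging):", check_symenv_tag(DESCRIBE_SECRET_WRONG_ENV, RUNTIME_ENVIRONMENT))
```

Run it before `terraform apply` with the blob you intend to store and the json_key values from your sym_secret resources; a missing key or a SymEnv mismatch shows up here rather than as an access failure at Flow execution time.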
Full Configuration Example
############ General AWS Secrets Manager Setup ##############
# Creates an AWS IAM Role that the Sym Runtime can use for execution
# and allows the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/aws"
  version = ">= 1.0.0"
  # The aws/secretsmgr addon is required to access secrets
  addons      = ["aws/secretsmgr"]
  environment = "main"
}
# An Integration that tells the Sym Runtime resource which AWS Role to assume
# (The AWS Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type        = "permission_context"
  name        = "main-runtime"
  external_id = module.runtime_connector.settings.account_id
  settings    = module.runtime_connector.settings
}
# This resource tells Sym which role to use to access your AWS Secrets Manager
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "main-sym-secrets"
  settings = {
    context_id = sym_integration.runtime_context.id
  }
}
############ Plain Value Secret Setup ##############
# An AWS Secrets Manager Secret to hold your API Key. Set the value with:
# aws secretsmanager put-secret-value --secret-id "sym/main/my-api-key" --secret-string "YOUR-API-KEY"
resource "aws_secretsmanager_secret" "my_api_key" {
  name        = "sym/main/my-api-key"
  description = "API Key for Sym to interact with external services"
  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}
# This resource tells Sym how to access your Secret
resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager
  path = aws_secretsmanager_secret.my_api_key.name
}
############ JSON Value Secret Setup ##############
# An AWS Secrets Manager Secret to hold your credentials. Set the value with:
# aws secretsmanager put-secret-value --secret-id "sym/main/my-credentials" --secret-string '{"username": "foo", "password": "bar"}'
resource "aws_secretsmanager_secret" "my_credentials" {
  name        = "sym/main/my-credentials"
  description = "JSON Credentials for Sym to interact with external services"
  tags = {
    # This SymEnv tag is required and MUST match the `environment` in your `runtime_connector` module
    # because the aws/secretsmgr addon only grants access to secrets tagged with a matching SymEnv value
    SymEnv = "main"
  }
}
# These resources tell Sym how to extract each value from the JSON Secret above
resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager (the JSON secret declared above)
  path = aws_secretsmanager_secret.my_credentials.name
  settings = {
    json_key = "username"
  }
}
resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access them,
  # i.e. AWS Secrets Manager, accessed with an IAM Role.
  source_id = sym_secrets.this.id
  # Name of the key in AWS Secrets Manager (the JSON secret declared above)
  path = aws_secretsmanager_secret.my_credentials.name
  settings = {
    json_key = "password"
  }
}
These secrets can now be used in Sym Integrations to enable Sym Strategies and SDK methods.
Configuring sym_integration Resources
With your sym_secret resources, you can now configure the specific Integration that you require for your Flow and impl.py.