Secrets with AWS Secrets Manager
Configure the AWS Secrets Manager as a secrets engine for Spinnaker.
See the AWS Secrets Manager User Guide for how to set up AWS Secrets Manager,
Authorize Spinnaker to access the AWS Secrets Manager
Remember to run the Operator (or Halyard’s daemon) and SpinnakerTM services with IAM roles that allow them to read the keys stored in the AWS Secrets Manager. The following example policy enables access to the AWS Secrets Manger and the KMS store:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:ListAliases",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
Referencing secrets stored in AWS Secrets Manager
You can reference a KeyStore or KeyStore password stored in AWS Secrets Manager. Based on which type of secret you want to reference, use one of the following formats:
Keystore
keyStore: encryptedFile:secrets-manager!r:<some region>!s:<secret name>
Keystore password
keyStorePassword: encrypted:secrets-manager!r:<some region>!s:<secret name>!k:some-key
encryptedFile
orencrypted
- Required. Indicates that this is an encrypted file or an encrypted string, respectively.secrets-manager
- Required. Indicates that secrets are stored in AWS Secrets Manager!
- Required. Delimiter between parameters.r:<AWS region>
- Required. The AWS region your secret is stored in. For example, user:us-west-2
for a secret stored in theus-west-2
region.s:<Secret name>
- Required. The name of the secret stored in AWS Secrets Managerk<some-key>
- Required for encrypted strings. The Secret key. Omit for KeyStores.
For example, the following example references a KeyStore stored in us-west-2
:
encryptedFile:secrets-manager!r:us-west-2!s:dev--cert
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified January 25, 2021: (1b76da5)