Configure AWS Secrets Manager as a Secret Store
This feature is currently in closed-access beta. Functionality and documentation may change.
Secret Stores allow you to use your existing third-party secrets storage tool with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how Secret Stores work, and why you might wish to use them, please read the Secret Stores Reference.
This guide will walk you through how to register AWS Secrets Manager as a secret store in strongDM, and how to use it to connect to resources.
Set up AWS Secrets Manager
To get started with AWS Secrets Manager, store credentials to some of your resources in it and note the correct paths to those credentials. Then, set up your relay server to be able to authorize to the Secrets Manager with an Access Key.
Set up Your Credentials
Set up your credentials in AWS Secrets Manager. This should be as simple as heading to Secrets Manager in the AWS management console and following the prompts to create your first secret.
<Tip>You may choose to organize your credentials by slug (for example, `postgres`) or namespace/path (for example, `/credentials/databases/postgres`). Either way, when asked for the path to your secret later, this name is that path.</Tip>
You can authenticate your gateway server with AWS in one of two ways.
Option 1: Access Keys
- Get an Access Key for AWS and set the necessary environment variables on your relay server (
- Edit the file
/etc/sysconfig/sdm-proxy(unless you have moved or renamed your
sdm-proxyfile) and add the following lines, substituting your ID and key:AWS_ACCESS_KEY_ID=aswf234rt4rsag4t3gAWS_SECRET_ACCESS_KEY=23452321h2893hf2ioufh2938229fh2oufgh23890fh29fh23bif2f0928hf02f3n2bf290fn9230f
- Restart the
sdm-proxyservice (with something like
sudo systemctl restart sdm-proxy, depending on your distribution).
Option 2: IAM
- In your AWS Management Console, navigate to IAM, click on Role, and click on Create Role.
- Select EC2 for Service.
- In policy select
SecretsManagerReadWrite, and click Next.
- Add role name and description, then go to EC2 and click on Instances
- Select the instance that houses the gateway, and click on Actions > Security > Modify IAM Role
- Choose the name of the IAM Role created earlier
Configure the Secret Store with the Admin UI
Once you have AWS Secrets Manager set up, credentials stored, and your relay server able to access said credentials, it's time to register the secret store with strongDM.
- In the Admin UI, go to the Settings page, and click the Secret Stores tab.
- Click the "add secret store" button to reveal the Add Secret Store form.
- Enter a Display Name, and set the appropriate Secret Store Type.
- Fill the AWS region for your AWS Secrets Manager.
If you've configured the relay server correctly for secret store access and authorization, you will see the green online indicator.
Now, create a resource that uses the secret store, assign it to a user, and verify that you can connect.
- In the Admin UI, add a new resource such as a server or datasource and choose the AWS Secrets Manager Secret Store type.
- Fill out the information for a resource whose credentials you have stored in your secret store.
- Select the AWS secret store you created for the Secrets Store field, then fill in the path to the secrets that you've stored in your management tool.
- Submit the form.
- Go to Users, and assign a user account access to the resource.
- Log in as that user in your local GUI (or have the user do so, if not yours) and verify that the resource exists, text a connection, and execute a query.
Congratulations, you've connected to a resource using Secret Stores.