Prerequisites

  • AWS Console Access
  • AWS IAM access
    • Ability to create IAM roles and Policies
    • Ability to access IAM users

Setup

  1. Create new AWS policy

    1. Navigate to the Create New Policy section in the AWS IAM console.
    2. Switch to the JSON tab.
    3. Enter the following policy.
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSecretsManagerAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": "*"
        }
    ]
}
    1. Optionally provide tags.
    2. Name your policy as “envsecrets” and hit create.

  2. Create an AWS Role

    1. Navigate to the create role section of the AWS IAM console
    2. Select AWS account for the Trusted entity type
    3. Select Another AWS account under An AWS account
      1. Enter 284838358097 for the Account ID. This is envsecrets’s account ID.
    4. Under Options check Require external ID
      1. Enter your organisation ID for the External ID. You can obtain your organisation ID by visiting the organisation settings in your envsecrets dashboard.
      2. Leave require MFA unchecked
    5. Attach the “envsecrets” policy you created above.
    6. Name your role as “envsecrets” and complete the role setup.
    7. Copy the new role’s ARN.

  3. Configuration

    1. Go to integrations catalog in your envsecrets dashboard and choose “AWS Secrets Manager.”
    2. On the setup/connection page, enter your AWS region and ARN of the “envsecrets” role you created above and save.

Activation

  1. Go to the integrations dashboard in your envsecrets organisation and under “AWS Secrets Manager” choose “Sync New Environment With Your AWS Secrets Manager Account.”
  2. In the page that opens, select your envsecrets project, environment and enter the name with which you wish you save your secret in AWS Secrets Manager.
  3. Complete and save the form.

Usage

Platform

  1. Navigate to the environment for which you activated the integration.
  2. Click on the “Sync” button.
  3. Choose the ASM Secret to which you want to sync your secrets.
  4. Approve the sync.

CLI

  1. Use the command: envs sync --env [name-of-your-remote-environment]
  2. Choose the ASM integration.

Once your secrets are synced, it is recommended you go to your ASM Secret and validate the new values.

Every new version of your secret in envsecrets will create a new version of the existing secret in AWS Secrets Manager.

GitlabGCP Secrets Manager