Configure key-based authentication

Overview

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets using key-based authentication.

Tip: You can restrict the use of secrets to accounts in a specific project space by adding the project_space setting to the secrets-config.json file when you configure your Groundplex.

Prerequisites

  • An AWS account with permissions to create secrets in Secrets Manager.
  • Permissions to access, update, and restart the Groundplex nodes.

Steps

  1. In AWS Secrets Manager, set up secrets.
  2. Create a secrets-config.json file.
    1. Copy and paste the following JSON structure and replace the placeholders with the appropriate values.
       {
         "AWS": [
           {
             "alias": "config-name",
             "project_space": "/snaplogic/shared",
             "aws_region": "us-east-2",
             "aws_secret_access_key": "",
             "aws_access_key_id": "",
             "aws_session_token": "",
             "profile_name": ""
           }
         ]
       }
      
      alias: A unique name for the configuration object in this file.
      Important: The DEFAULT_AWS alias is reserved for use with role-based authentication.

      project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>] where the <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared

      AWS secrets are stored in the region where they were created. You can optionally replicate them in other regions.

      To view the secret's metadata, navigate to the AWS Secrets Manager console, switch to a region that stores the secret, and select the secret from the Secrets list.

      aws_region: The AWS region code. The region's friendly name is displayed next to your profile name. To determine the region code, expand the region dropdown.

      Example: If the region is N. California, the region code is us-west-1.

      aws_secret_access_key: The Secret key found in the Secret value section of the secret's metadata.
      You can access AWS resources by requesting temporary security credentials. AWS Security Token Service (AWS STS) returns an access key-value pair and a session token.

      aws_access_key_id: Provided by AWS Security Token Service (AWS STS).

      aws_session_token: Optional. Provided by AWS Security Token Service (AWS STS).

      profile_name: Optional. The name of the AWS profile that is configured with the credentials to use.
      Note: aws_secret_access_key and aws_access_key_id must be provided either in the secrets-config.json or in the ~/.aws/credentials file of the specified profile.
    2. Save the file.
  3. Configure each Groundplex node.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Restart the JCC service.
      On Linux: /opt/snaplogic/bin/jcc.sh restart
Configure Snap accounts to connect to the secrets manager.
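
A pre-deployment lint for secrets-config.json, run before the file is copied to each node. This is an added example, not SnapLogic code: it checks the rules stated above (reserved DEFAULT_AWS alias, unique aliases, project_space format, both key fields or a profile_name). The file-permission check, the function names and the sample values are assumptions introduced here.

```python
import json, os, re, stat, tempfile

# Format given for project_space: /<org>/<project_space>[/<project_name>]
SPACE_RE = re.compile(r"^/[^/]+/[^/]+(/[^/]+)?$")
KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key")

def lint_secrets_config(path):
    """Return a list of findings for a key-based secrets-config.json."""
    findings = []
    # Added check (assumption, not from the page): the file can hold AWS keys,
    # so flag any group/other permission bits.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible to group/other; restrict it to the owner")
    with open(path) as fh:
        entries = json.load(fh).get("AWS", [])
    seen = set()
    for i, e in enumerate(entries):
        alias = e.get("alias", "")
        tag = f"AWS[{i}] ({alias or 'no alias'})"
        if alias == "DEFAULT_AWS":
            findings.append(f"{tag}: DEFAULT_AWS is reserved for role-based authentication")
        elif alias in seen:
            findings.append(f"{tag}: alias is not unique")
        seen.add(alias)
        space = e.get("project_space", "")
        if space and not SPACE_RE.match(space):
            findings.append(f"{tag}: project_space must be /<org>/<project_space>[/<project_name>]")
        present = [k for k in KEY_FIELDS if e.get(k)]
        if len(present) == 1:
            findings.append(f"{tag}: only {present[0]} is set; both key fields are needed")
        elif not present and not e.get("profile_name"):
            findings.append(f"{tag}: no keys in the file and no profile_name to supply them")
    return findings

def demo(mode=0o644):
    sample = {"AWS": [  # constructed sample with placeholder values, not real credentials
        {"alias": "DEFAULT_AWS", "project_space": "snaplogic/shared", "aws_region": "us-east-2",
         "aws_access_key_id": "EXAMPLE_KEY_ID", "aws_secret_access_key": ""},
        {"alias": "prod-secrets", "project_space": "/snaplogic/shared",
         "aws_region": "us-east-2", "profile_name": "groundplex"}]}
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, mode)
        return lint_secrets_config(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Call lint_secrets_config with the path to the real file; an empty list means none of these checks fired.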