AWS Secrets: Configure key-based authentication

Overview

The node configuration file (secrets-config.json) contains the information that the Snaplex needs to access the appropriate secrets.

Tip: You can restrict the use of secrets to accounts in a specific project space by adding the project_space setting to the secrets-config.json file when you configure your Groundplex.

Prerequisites

  • AWS Secrets Manager permissions to create secrets
  • Permissions to update the Groundplex nodes

  1. In AWS Secrets Manager, set up secrets.
  2. Create a secrets-config.json file.
    1. Copy and paste the JSON structure and fill in the required values.
       {
         "AWS": [
           {
             "alias": "config-name",
             "project_space": "/snaplogic/shared",
             "aws_region": "us-east-2",
             "aws_secret_access_key": "",
             "aws_access_key_id": "",
             "aws_session_token": "",
             "profile_name": ""
           }
         ]
       }
      
      alias: The name of this configuration object.
      Important: Do not use any of the reserved default aliases (such as DEFAULT_AWS) in your custom secrets-config.json file.

      project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared

      AWS secrets are stored in the region where they were created. You can optionally replicate them in other regions.

      To view the secret's metadata, navigate to the AWS Secrets Manager console, switch to a region that stores the secret, and select the secret from the Secrets list.

      aws_region: The AWS region code. The region's friendly name is displayed next to your profile name. To determine the region code, expand the region dropdown.

      Example: If the region is N. California, the region code is us-west-1.

      aws_secret_access_key: The Secret key found in the Secret value section of the secret's metadata.

      You can access AWS resources by requesting temporary security credentials. AWS Security Token Service (AWS STS) returns an access key-value pair and a session token.

      aws_access_key_id: Provided by AWS Security Token Service (AWS STS).

      aws_session_token: Optional. Provided by AWS Security Token Service (AWS STS).

      profile_name: Optional. The name of the AWS profile that is configured with the credentials to use.
      Note: aws_secret_access_key and aws_access_key_id must be provided either in the secrets-config.json or in the ~/.aws/credentials file of the specified profile.
    2. Save the file.
  3. Configure each JCC node in your Groundplex.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Restart the JCC service.
      On Linux, /opt/snaplogic/bin/jcc.sh restart
Configure dynamic SnapLogic accounts to connect to your secrets manager and to authenticate.
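
A pre-deployment check for the secrets-config.json built in the steps above, as an added example that is not SnapLogic's own code: it applies the field rules stated on this page (reserved alias, project_space format, keys supplied inline or through profile_name). The region-code pattern and the file-mode check are assumptions added here, and validate and check_file are hypothetical names.

```python
import json, os, re, stat

# Only DEFAULT_AWS is named on the page; other reserved aliases are not listed there.
RESERVED_ALIASES = {"DEFAULT_AWS"}
# /<org>/<project_space>[/<project_name>]
PROJECT_SPACE_RE = re.compile(r"^/[^/\s]+/[^/\s]+(/[^/\s]+)?$")
# Assumed shape of a region code (us-west-1), used to catch friendly names.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

def validate(config):
    """Return findings for a parsed secrets-config.json (empty list = OK)."""
    findings = []
    entries = config.get("AWS") or []
    if not entries:
        findings.append("no AWS entries")
    for i, e in enumerate(entries):
        tag = f"AWS[{i}]"
        alias = e.get("alias") or ""
        if not alias:
            findings.append(f"{tag}: alias is missing")
        elif alias in RESERVED_ALIASES:
            findings.append(f"{tag}: alias {alias} is reserved")
        space = e.get("project_space") or ""
        if space and not PROJECT_SPACE_RE.match(space):
            findings.append(f"{tag}: project_space must be /<org>/<project_space>[/<project_name>]")
        if not REGION_RE.match(e.get("aws_region") or ""):
            findings.append(f"{tag}: aws_region is not a region code")
        key_id = e.get("aws_access_key_id") or ""
        secret = e.get("aws_secret_access_key") or ""
        if bool(key_id) != bool(secret):
            findings.append(f"{tag}: set aws_access_key_id and aws_secret_access_key together")
        elif not key_id and not e.get("profile_name"):
            # Keys must come from the file or from the named profile.
            findings.append(f"{tag}: no inline keys and no profile_name")
    return findings

def check_file(path):
    """Validate the file; flag inline secret keys readable by group or other."""
    with open(path) as fh:
        config = json.load(fh)
    findings = validate(config)
    inline = any(e.get("aws_secret_access_key") for e in config.get("AWS") or [])
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if inline and mode & 0o077:  # hardening assumption, not a rule from the page
        findings.append(f"{path}: holds a secret key but mode is {mode:03o}")
    return findings

if __name__ == "__main__":
    for finding in check_file("/etc/snaplogic/secrets-config.json"):
        print(finding)
```

Run it on each JCC node before restarting the service; if you tighten the file mode, the file must stay readable by the account the JCC runs as.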