Azure Key Vault: Configure Groundplex nodes

Overview

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets. This page describes how to create that file. The file requires a configuration object with a unique name for each Azure Key Vault.

Restart each Groundplex node after creating or updating the secrets-config.json file.

Tip: You can restrict the use of secrets to accounts in a specific project space by adding the project_space setting to the secrets-config.json file when you configure your Groundplex.

Prerequisites

  • An Azure Key Vault set up with the required access policies and appropriate IAM roles assigned to the managed identities for the Groundplex nodes. Refer to Set up Azure configuration for details.
  • Permissions to access, update, and restart the Groundplex nodes.
Create a node configuration file and restart the Groundplex nodes. You will need the following values from the Azure Portal:
  • The URI of your Key Vault: Overview > Essentials > Vault URI.
  • For user-assigned managed identities, the client ID: Managed Identities > Your managed identity name > Overview > Essentials > Client ID.
  1. Create a secrets-config.json file.
    1. For each Azure Key Vault, copy and paste the following JSON structure and fill in the required values.
       {
         "AZURE": [
           {
             "alias": "name-for-this-secret-config-object",
             "url": "https://key-vault-name.vault.azure.net/",
             "user_identity": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
             "project_space": "/<org>/<project_space>[/<project_name>]"
           }
         ]
       }

       alias: A unique name for this configuration object in the file. For example, Azure-kv-1.
       url: The URL of the Azure Key Vault. The Groundplex nodes use this URL to connect to the Azure Key Vault. For example: https://my-com.vault.azure.net/
       user_identity: Optional. The client ID of your user-assigned managed identity. To use a system-assigned managed identity, leave the field empty or remove it.
       project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared

       For every Azure Key Vault, you need a configuration object inside the AZURE array with the appropriate values. Separate the objects with commas, with no comma after the last object (a trailing comma makes the file invalid JSON).

    2. Save the file.
  2. Copy the secrets-config.json file to the appropriate folder on each Groundplex node VM:
    • On a VM with the Linux OS: /etc/snaplogic
    • On a Windows VM: \opt\snaplogic\etc
  3. From the directory that contains the secrets-config.json file, restart the node:
    • On a VM with the Linux OS: jcc.sh restart
    • On a VM with Windows OS: jcc.bat restart
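A check worth running before the restart in step 3, as an added example that is not SnapLogic's own tooling: the script below validates a secrets-config.json against the structure described above (an AZURE array of objects with a unique alias, an https Key Vault url, an optional user_identity client ID, and an optional project_space of the form /<org>/<project_space>[/<project_name>]). The script name, the sample aliases, vault hosts and identity GUIDs are constructed placeholders, and the host check assumes the public Azure cloud (.vault.azure.net).

```python
"""Sanity-check a Groundplex secrets-config.json before restarting nodes.

Added example, not SnapLogic's own tooling. It validates the structure the
documentation describes: a top-level "AZURE" array whose objects carry a
unique "alias", an https Key Vault "url", an optional "user_identity" (the
client ID GUID of a user-assigned managed identity, or empty for a
system-assigned identity) and an optional "project_space" written as
/<org>/<project_space>[/<project_name>].
"""
import json
import re
import sys
from urllib.parse import urlparse

# Client IDs are GUIDs: 8-4-4-4-12 hex digits. The documentation template's
# "xxxx..." placeholder deliberately fails this, so an unedited file is caught.
CLIENT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# /<org>/<project_space> with an optional third /<project_name> segment.
PROJECT_SPACE_RE = re.compile(r"^/[^/]+/[^/]+(/[^/]+)?$")


def validate_vault(entry, index, seen_aliases):
    """Return a list of problems found in one object of the AZURE array."""
    where = f"AZURE[{index}]"
    if not isinstance(entry, dict):
        return [f"{where}: expected a JSON object"]
    problems = []

    alias = entry.get("alias")
    if not isinstance(alias, str) or not alias.strip():
        problems.append(f"{where}: 'alias' is required and must be a non-empty string")
    elif alias in seen_aliases:
        problems.append(f"{where}: duplicate alias '{alias}'")
    else:
        seen_aliases.add(alias)

    url = entry.get("url")
    parsed = urlparse(url) if isinstance(url, str) else None
    if parsed is None or parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"{where}: 'url' must be an https:// Key Vault URL")
    elif not parsed.netloc.lower().endswith(".vault.azure.net"):
        # Assumes the public Azure cloud; sovereign clouds use other suffixes.
        problems.append(f"{where}: 'url' host should end with .vault.azure.net")

    identity = entry.get("user_identity")
    # Absent or empty means "use the system-assigned managed identity".
    if identity not in (None, "") and not (isinstance(identity, str) and CLIENT_ID_RE.match(identity)):
        problems.append(f"{where}: 'user_identity' must be a client ID GUID or empty")

    space = entry.get("project_space")
    if space is not None and not (isinstance(space, str) and PROJECT_SPACE_RE.match(space)):
        problems.append(f"{where}: 'project_space' must look like /<org>/<project_space>[/<project_name>]")
    return problems


def validate_config_text(text):
    """Validate the JSON text of a secrets-config.json; an empty list means OK."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma after the last object is the usual culprit here.
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(data, dict) or not isinstance(data.get("AZURE"), list):
        return ['top level must be an object with an "AZURE" array']
    if not data["AZURE"]:
        return ['"AZURE" array is empty: add one object per Key Vault']
    problems, seen = [], set()
    for index, entry in enumerate(data["AZURE"]):
        problems.extend(validate_vault(entry, index, seen))
    return problems


def validate_config_file(path):
    """Validate a secrets-config.json on disk (e.g. /etc/snaplogic/secrets-config.json)."""
    with open(path, encoding="utf-8") as fh:
        return validate_config_text(fh.read())


# Constructed sample inputs (not real vaults or identities).
GOOD_CONFIG = """{
  "AZURE": [
    {"alias": "Azure-kv-1", "url": "https://my-com.vault.azure.net/",
     "user_identity": "12345678-abcd-4ef0-9876-0123456789ab",
     "project_space": "/myorg/shared"},
    {"alias": "Azure-kv-2", "url": "https://other-kv.vault.azure.net/",
     "user_identity": ""}
  ]
}"""

# The documented template with a trailing comma after the object: invalid JSON.
TRAILING_COMMA_CONFIG = """{
  "AZURE": [
    {"alias": "name-for-this-secret-config-object",
     "url": "https://key-vault-name.vault.azure.net/"},
  ]
}"""

# Several field-level mistakes in one file: http URL, unreplaced GUID
# placeholder, malformed project_space, and a duplicated alias.
BAD_FIELDS_CONFIG = """{
  "AZURE": [
    {"alias": "Azure-kv-1", "url": "http://my-com.vault.azure.net/",
     "user_identity": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
     "project_space": "myorg/proj"},
    {"alias": "Azure-kv-1", "url": "https://other-kv.vault.azure.net/"}
  ]
}"""

if __name__ == "__main__":
    # With a path argument, check that file; otherwise demonstrate on a bad sample.
    problems = validate_config_file(sys.argv[1]) if len(sys.argv) > 1 else validate_config_text(BAD_FIELDS_CONFIG)
    for line in problems or ["secrets-config.json looks well-formed"]:
        print(line)
    sys.exit(1 if problems else 0)
```

Saved as, say, validate_secrets_config.py (a hypothetical name), it can be run on a Linux node as `python3 validate_secrets_config.py /etc/snaplogic/secrets-config.json` before `jcc.sh restart`; a non-zero exit means the file needs fixing first. The validator only checks shape, not whether the managed identity actually has access to the vault, which is governed by the access policies and IAM roles from the prerequisites.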
Configure Snap accounts to connect to the secrets manager.