Azure Key Vault: Configure Groundplex Nodes

Overview

The node configuration file (secrets-config.json) contains the information that the Snaplex needs to access the appropriate secrets.

Prerequisites

  • An Azure Key Vault set up with the required access policies and appropriate roles assigned to the managed identities
  • An appropriate managed identity associated with your Groundplex node (Virtual Machine)
  • Permissions to update the Groundplex nodes

In the node configuration file, enter the information you collected when setting up the Vault.
  1. Create a secrets-config.json file.
    1. Copy and paste the JSON structure and fill in the required values.
       {
         "AZURE": [
           {
             "alias": "secret-alias-name",
             "url": "https://key-vault-name.vault.azure.net/",
             "user_identity": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
             "project_space": "/snaplogic/shared"
           },
           ...
         ]
       }
      
       alias: The name of this configuration object.
         Important: Do not use any of the reserved default aliases (such as DEFAULT_AWS) in your custom secrets-config.json file.
       url: The URL of the Azure Key Vault. This URL establishes peer communication with your Groundplex nodes.
       user_identity: Optional. The client ID of your user-assigned managed identity. Pass an empty value to this key or remove this key to use your system-assigned managed identity.
       project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared

      For every Azure Key Vault, you need a configuration object inside the AZURE array with the appropriate values.

    2. Save the file.
  2. Configure each JCC node in your Groundplex.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Restart the JCC service.
       On Linux, run: /opt/snaplogic/bin/jcc.sh restart

Configure dynamic SnapLogic accounts to connect to your secrets manager and to authenticate.
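
A pre-deployment check for the secrets-config.json file described above, added here as an example and not SnapLogic's own code: it applies the field rules from this page (reserved alias, vault URL, optional client ID, project_space format) before the file is copied to /etc/snaplogic. The function name, the unique-alias rule, the public-cloud vault hostname pattern, and a reserved set holding only DEFAULT_AWS are assumptions.

```python
import json
import re

RESERVED_ALIASES = {"DEFAULT_AWS"}  # only this one is named on the page
# Assumption: public-cloud vault host, as in the page's example URL.
VAULT_URL = re.compile(r"https://[A-Za-z0-9-]{3,24}\.vault\.azure\.net/?")
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
PROJECT_SPACE = re.compile(r"/[^/\s]+/[^/\s]+(/[^/\s]+)?")  # /<org>/<space>[/<project>]


def validate_secrets_config(text):
    """Return a list of problems in secrets-config.json text (empty list = OK)."""
    try:
        entries = json.loads(text).get("AZURE")
    except (ValueError, AttributeError) as exc:
        return [f"not a JSON object: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["AZURE must be a non-empty array"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"AZURE[{i}]: not an object")
            continue
        alias = entry.get("alias")
        if not isinstance(alias, str) or not alias:
            problems.append(f"AZURE[{i}]: alias missing")
        elif alias in RESERVED_ALIASES:
            problems.append(f"AZURE[{i}]: alias is reserved")
        elif alias in seen:  # assumption: aliases must be unique
            problems.append(f"AZURE[{i}]: alias duplicated")
        seen.add(str(alias))
        if not VAULT_URL.fullmatch(str(entry.get("url", ""))):
            problems.append(f"AZURE[{i}]: url is not an https Key Vault URL")
        identity = entry.get("user_identity") or ""  # empty/absent: system-assigned
        if identity and not GUID.fullmatch(str(identity)):
            problems.append(f"AZURE[{i}]: user_identity is not a GUID client ID")
        space = entry.get("project_space")
        if space is not None and not PROJECT_SPACE.fullmatch(str(space)):
            problems.append(f"AZURE[{i}]: project_space format is invalid")
    return problems

# Constructed sample: first entry is valid, second breaks four rules.
SAMPLE = """{"AZURE": [
  {"alias": "kv-prod", "url": "https://key-vault-name.vault.azure.net/",
   "user_identity": "", "project_space": "/snaplogic/shared"},
  {"alias": "DEFAULT_AWS", "url": "http://key-vault-name.vault.azure.net/",
   "user_identity": "not-a-guid", "project_space": "shared"}]}"""

if __name__ == "__main__":
    print("\n".join(validate_secrets_config(SAMPLE)) or "OK")
```

The URL pattern rejects plain http and hostnames that merely contain vault.azure.net, so a mistyped or look-alike endpoint is caught before the JCC is restarted.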