Contents x
Step 3 - Create secrets in Secrets Manager
    • PDF
    Contents

    Step 3 - Create secrets in Secrets Manager

      • PDF
      Article Summary

      To enable Glasswall Halo's access to the S3 bucket (s3name) that contains the CDR reports, an IAM user and role is required.

      • Create an IAM user (external_secrets_iam_user) and assign a role (external_secrets_iam_role) with policy that allows read and write on the S3 bucket which will store the CDR reports. This bucket should have been created in the Prerequisites step.
      • Create AWS_ACCESS_KEY_ID secret that stores the IAM user access key ID.
      • Create AWS_SECRET_ACCESS_KEY secret that stores the IAM user Secret access key.

      3.1 - MongoDB connection string

      To enable Glasswall Halo's Policy API to create and manage the policies in MongoDB, the MongoDB connection string should be created in the Secrets Manager

      • Retrieve the DocumentDB connection string (MongoDB compatible) from the AWS Console as shown in the example below.
      mongodb://${username}:${password}@${endpoint}:${port}/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false
      • Enter your connection string (highlighted in the screenshot) by replacing ${mongodb_connstring}, and enter your AWS region by replacing ${region} (as below).
      aws secretsmanager create-secret --name "mongodb-connectionstring" --secret-string "${mongodb_connstring}" --region "${region}"

      Add the MongoDB passwords to AWS Secret Manager as a secret

      Note: if you have previously configured and setup MongoDB within AWS and have created your MongoDB connection string as listed above, you can skip this step.

      If not, to enable Glasswall Halo's Policy API to create and manage the policies in MongoDB, and Asynchronous API to create and manage the requests, MongoDB needs to be deployed using Helm charts listed in Step 8. 

      Two users will be created by the MongoDB Helm chart and the corresponding user's password needs to be set in the Vault secret. 

      Sensitive data, such as passwords, should be stored as key-value pairs in JSON format in the Vault secret.

      aws secretsmanager create-secret --name "mongodb-cdrp-password" --secret-string "<cdrp-user-password>" --region "${region}"
aws secretsmanager create-secret --name "mongodb-admin-password" --secret-string "<admin-user-password>" --region "${region}"

      3.2 - Amazon DocumentDB Certificate Authority (CA)

      For the cdrplatform-policy-api service to successfully authenticate to MongoDB, it should trust the Amazon DocumentDB Certificate Authority.

      • Create a secret called cdrp-rds-ca-bundle in Secrets Manager and add the content of the Certificate Authority provided by Amazon.

      3.3 - Menlo API Key

      To enable API key based authentication in Menlo API, add a secret menlo-api-key with an API key you would like to use.

      aws secretsmanager create-secret  --name "menlo-api-key" --secret-string "<strong-api-key>" --region "${region}"

       

      Was this article helpful?
      What's Next