Fetching Secrets from SecretsManager

The Sysdig Access Key and the HTTP Proxy password can be fetched from AWS SecretsManager when deploying the orchestrator agent as of serverless agent version 4.0.0.

How to reference secrets

A secret reference has the following pattern, as described in the AWS documentation:

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

A valid secret reference has two parts:

  • arn:aws:secretsmanager:region:aws_account_id:secret:secret-name which is the mandatory Secret ARN that identifies the secret.
  • :json-key:version-stage:version-id which are the optional parameters specifying the JSON key, the version stage, and the version id of the secret. Note that you must include all the colons : when using one of these parameters. If neither the stage version nor the version id are specified, the default behavior is to retrieve the secret with the AWSCURRENT staging label.

Referencing a plaintext secret

For example, the following string references the plaintext secret plaintext-secret depicted in the image below.

arn:aws:secretsmanager:us-east-1:############:secret:plaintext-secret-1LuuAy

Note that plaintext secrets can be referenced by using only the Secret ARN.

Referencing a key inside a JSON secret

As another example, the following string references the JSON key SysdigAccessKey in the JSON secret json-secret depicted in the image below.

arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB:SysdigAccessKey::

In this case, the secret reference contains:

  • arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB which is the Secret ARN;
  • :SysdigAccessKey:: which identifies the field SysdigAccessKey in the JSON secret.

Referencing a version-stage of a secret

Moreover, you can refer a certain version-stage of a secret. Note that if a version-stage is specified, you cannot specify a version-id.

For example, the following string references the version stage AWSPREVIOUS of the secret json-secret depicted in the image below.:

arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB:SysdigAccessKey:AWSPREVIOUS:

In this case, the secret reference contains:

  • arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB which is the Secret ARN;
  • :SysdigAccessKey:AWSPREVIOUS: which identifies the field SysdigAccessKey in the JSON secret and the version stage AWSPREVIOUS.

Referencing a version-id of a secret

You can also refer either a certain version-id of a secret. Note that if a version-id is specified, you cannot specify a version-stage label.

For example, the following string references the version id 65aaeb##-####-####-####-############ of the secret json-secret depicted in the image below.

arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB:SysdigAccessKey::65aaeb##-####-####-####-############

In this case, the secret reference contains:

  • arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB which is the Secret ARN;
  • :SysdigAccessKey::65aaeb##-####-####-####-############ which identifies the field SysdigAccessKey in the JSON secret and the version id 65aaeb##-####-####-####-############.

CloudFormation

When using the CloudFormation template orchestrator-agent.yaml >= 4.0.0 to deploy the orchestrator, you can fetch the Sysdig Access Key from AWS SecretsManager. To do so, you need to provide the template parameter Sysdig Access Key with the reference to the secret containing the access key.

The same applies to the HTTP Proxy password which can be configured through the field Configuration.HttpProxy.ProxyPassword under Mappings.

Mappings:
  ...
  Configuration:
    HttpProxy:
      ...
      ProxyPassword: ""

Examples

Fetching the Sysdig Access Key from a plaintext secret

The example below shows how to fetch the Sysdig Access Key stored in the plaintext secret plaintext-secret.

Fetching the Sysdig Access Key from a JSON secret

Instead, the example below shows how to fetch the Sysdig Access Key stored in the JSON secret json-secret. Since the JSON key SysdigAccessKey has been specified, the trailing colons : are required.

Terraform

When using the Terraform module fargate-orchestrator-agent >= 0.3.0 to deploy the orchestrator, you can fetch the Sysdig Access Key from the AWS SecretsManager. To do so, you need to provide the template parameter access_key with the reference to the secret containing the access key.

The same applies to HTTP Proxy passwords, see http_proxy_configuration.proxy_password in the Terraform fargate-orchestrator-agent module.

module "fargate-orchestrator-agent" {
  source  = "sysdiglabs/fargate-orchestrator-agent/aws"
  version = "0.3.1"

  ...

  http_proxy_configuration = {
    ...
    proxy_password = ""
  }
}

Examples

Fetching the Sysdig Access Key from a plaintext secret

The example below shows how to fetch the Sysdig Access Key stored in the plaintext secret plaintext-secret.

module "fargate-orchestrator-agent" {
  source         = "sysdiglabs/fargate-orchestrator-agent/aws"
  version        = "0.3.1"

  vpc_id         = "my_vpc_id"
  subnets        = ["my_subnet_a", "my_subnet_b"]

  ...

  access_key     = "arn:aws:secretsmanager:us-east-1:############:secret:plaintext-secret-1LuuAy"
}
Fetching the Sysdig Access Key from a JSON secret

Instead, the example below shows how to fetch the Sysdig Access Key stored in the JSON secret json-secret. Since the JSON key SysdigAccessKey has been specified, the trailing colons : are required.

module "fargate-orchestrator-agent" {
  source         = "sysdiglabs/fargate-orchestrator-agent/aws"
  version        = "0.3.1"

  vpc_id         = "my_vpc_id"
  subnets        = ["my_subnet_a", "my_subnet_b"]

  ...

  access_key     = "arn:aws:secretsmanager:us-east-1:############:secret:json-secret-ffKpFB:SysdigAccessKey::"
}

Known Limitations

Regional service

The secret must be in the same region in which the stack is deployed.

Secret update/rotation

Automatic secret rotation/update is not supported because sensitive data are injected into the orchestrator agent when the container starts. If the secret is subsequently updated (or rotated) after deploying the orchestrator agent, the container does not receive the updated value automatically.

Custom KMS encryption keys

Currently, both the CloudFormation and Terraform installers support only the AWS-managed KMS encryption keys. Custom KMS encryption keys are not supported.