Integrate Agent with Secrets Manager Using IAM User Credentials

Use the information in this topic to configure an Alation Agent installed on AWS or non-AWS infrastructure to read secrets from AWS Secrets Manager using IAM user credentials. With the Alation Agent, AWS Secrets Manager, and your on-premise data source all running on your own infrastructure, your data source credentials will never leave your VPC, and they are not stored in Alation or the Alation Agent.

• Prerequisites

• Step 1: Create a Security Policy to Access Secrets Manager

• Step 2: Configure an IAM User

• Step 3: Install the Authentication Service Add-on on the Alation Agent

• Step 4: Configure the Alation Agent to Use the IAM User’s Credentials

• Step 5: Create an Authentication Profile

Note

To see other options for integrating with AWS Secrets Manager, see Integrate with AWS Secrets Manager.

Prerequisites

• You must be on Alation Cloud Service version 2024.1.5 or later.

• You must be using Alation Agent version 1.7.2.4360 or later.

• You must install Authentication Service Add-on version 5.14.0.1968 or later on the Alation Agent.

• You must have a supporting OCF connector installed on the Agent. To find out if a specific connector supports this feature, see the documentation for the specific connector in the Open Connector Framework (OCF) Overview section.

  Note

  You can use the Native Data Sources API to migrate a data source from an OCF connector that’s not on an Alation Agent to an OCF connector that is on an Alation Agent.

• You must have the Server Admin role to set up the integration in Alation.

Step 1: Create a Security Policy to Access Secrets Manager

This step is performed in the AWS IAM console

For the AWS Secrets Manager integration, you’ll need an AWS IAM policy granting access to AWS Secrets Manager. Here and below, a substitute name read_secrets_policy is used to refer to this policy.

If you haven’t established a read_secrets_policy yet, create one:

1. Log in to the AWS IAM management console.

2. From the left-hand menu, under Access management, select Policies.

3. Click Create policy. The policy editor will open.

4. Under Select a service, type secrets in the search bar and select Secrets Manager. This will display actions relevant to the service.

5. Under Actions allowed, expand the Read list and select the checkbox for the action GetSecretValue.

6. Under Resources, select All.

   

   Note

   You can restrict the permissions by providing access to specific resources only:

   1. Instead of All, select Specific.

   2. Click Add ARNs to specify the resources by entering the resource’s region, ARN (Amazon Resource Name), and secret.

   You can adjust the resource permissions anytime by editing this policy.

7. Click Next. The Review and create screen will open.

8. Under Policy details, in the Policy name field, provide a meaningful name.

9. Review the details, and click Create policy to create the policy. It will be added to the list of policies under your AWS account. Your policy JSON will look similar to the following:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": "secretsmanager:GetSecretValue",
           "Resource": "*"
       }
     ]
   }
   

Step 2: Configure an IAM User

This step is performed in the AWS IAM console

To configure an IAM user:

1. In the AWS user interface, open the IAM console (IAM dashboard).

2. In the left menu, under Access Management, select Users.

3. Select the user for whom you want to create access keys, or create a dedicated user for Alation.

4. Ensure that the user has the read_secrets_policy policy. If not, attach the policy to the user.

5. Open the Security credentials tab of the user’s page and locate the Access keys section. Click Create access key in this section.

6. Create an access key ID and a secret access key. See Managing access keys for IAM users - AWS Identity and Access Management for more details.

7. Save the user’s access key and secret access key for future reference.

Step 3: Install the Authentication Service Add-on on the Alation Agent

This step is performed in Alation or on the Alation Agent machine

To enable the Alation Agent to communicate with AWS Secrets Manager, you must install the Authentication Service add-on on the Agent.

See Install the Authentication Service Add-on for help installing the Authentication Service add-on.

Step 4: Configure the Alation Agent to Use the IAM User’s Credentials

This step is performed on the Alation Agent machine

To configure the Alation Agent to use the IAM user’s credentials:

1. On the Alation Agent’s host machine, ensure you have root access.

   sudo su
   

2. Change the directory to /etc/hydra/auth/.

   cd /etc/hydra/auth/
   

3. Create a directory called .aws under the /etc/hydra/auth/ directory.

   mkdir .aws
   

4. Change the directory to .aws.

   cd .aws
   

5. Create a file called credentials where the AWS credentials will be stored. Use your favorite text editor to add an authentication profile in the following format, substituting the placeholders with the actual values you created above. The text you put in the square brackets is the profile name you will use later in the process.

   [auth_profile_name]
   aws_access_key_id=YOUR_ACCESS_KEY_ID
   aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
   

   Note

   Make note of the profile name you used in the file. You will need it in the next step.

6. Change the credentials file’s permissions to protect it from being read by unauthorized parties.

   sudo chmod 540 credentials
   

7. Ensure that the Authentication Service add-on has access to read the credentials file.

   sudo chgrp alationdocker credentials
   

   Note

   This command must be run with sudo because Linux security policies prevent non-privileged users, even the file owner, from changing any file ownerships.

   The Authentication service runs as the alationdocker group.

8. Save the file and exit the text editor.

Step 5: Create an Authentication Profile

This step is performed in Alation

To create an authentication profile for the Secrets Manager integration:

1. Log in to your Alation instance as a Server Admin.

2. Click the Admin Settings gear icon on top right to open the Admin Settings page.

3. Click Authentication to open the Authentication tab. Locate the section Authentication Configuration Methods for External Systems.

4. Next to See configurations for, click the drop-down menu and select the relevant Alation Agent.

5. Click Add Configuration, and then select AWS Secrets Manager as the method type. The Authentication Configuration Method page will open in a new browser tab.

6. In Config Name, enter a unique name for the configuration. Save it for future reference when configuring the data source.

7. Under Region, select the appropriate AWS region for the Secrets Manager service (the region under which your secrets are stored).

8. Under Authentication Type, select IAM User Profile. The Profile Name field appears.

9. In the Profile Name field, enter the profile name you used in the credentials file.

10. Click Save. Alation attempts to create a connection, and if the connection is successful, the configuration is saved.

Now, you can use your integration with an OCF connector. See next: Configure Authentication with AWS Secrets Manager for a Data Source.