How to use config values stored in AWS
This tutorial walks through storing configuration values in AWS and using them to configure your Gremlin agent installation.
Before you begin this tutorial, you'll need the following:
- An active AWS account
- A Gremlin account (sign up for a free trial)
- A Gremlin agent installation
- AWS credentials set up on the host running the Gremlin agent
Step 1a - Create config value in AWS SSM
To create a parameter in AWS SSM:
- Navigate to the SSM console (us-west-2 example).
- Navigate to 'Parameter Store' on the left side and click 'Create parameter'.
- Create a name for your parameter, and set the type to be either 'String' or 'SecureString', then enter your config value in the value field. When satisfied with the settings, create the parameter.
Step 1b - Create config value in AWS Secrets Manager
To create a secret in AWS Secrets Manager:
- Navigate to the Secrets Manager console (us-west-2 example).
- Click on "Store a new secret" on the right. When creating a secret, use the "Other type of secret" option, and use the "Plaintext" tab to enter the raw values you wish to use.
- If you wish, you can use a custom KMS key to encrypt the secret.
- Click 'Next' and set the name and any optional fields, and keep going until the secret is created.
Step 2 - Set up permissions for credentials
Whichever credentials you have the Gremlin agent use must have the corresponding IAM permissions associated with them.
- For SSM parameters, the ssm:GetParameter action on the parameter resource is required.
- For Secrets Manager secrets, the secretsmanager:GetSecretValue action on the secret resource is required.
- If any of these values are encrypted with a KMS key, the kms:Decrypt action is required on the KMS key resource.
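The permissions above can be scoped to the exact resources the agent reads rather than to a wildcard. The following Python is an added example, not code from this tutorial or from Gremlin: it maps each ARN to the single action listed in Step 2 and emits an IAM policy document. The ARNs, account ID, key ID and function names are constructed placeholders.

```python
import json

# Actions from Step 2, keyed by (ARN service, resource type).
ACTIONS = {
    ("ssm", "parameter"): "ssm:GetParameter",
    ("secretsmanager", "secret"): "secretsmanager:GetSecretValue",
    ("kms", "key"): "kms:Decrypt",
}

# Constructed sample ARNs (placeholder account ID, names and key ID).
SAMPLE_ARNS = [
    "arn:aws:ssm:us-west-2:111122223333:parameter/gremlin/team-id",
    "arn:aws:secretsmanager:us-west-2:111122223333:secret:gremlin/team-secret-AbCdEf",
    "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555",
]


def required_action(arn):
    """Return the one IAM action needed to read the resource behind `arn`."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    if "*" in arn or "?" in arn:
        raise ValueError(f"wildcard in ARN, name the exact resource: {arn!r}")
    service, resource = parts[2], parts[5]
    # SSM and KMS resources look like "type/name"; Secrets Manager uses "secret:name".
    rtype = resource.replace(":", "/", 1).split("/", 1)[0]
    if (service, rtype) not in ACTIONS:
        raise ValueError(f"resource type not covered by the tutorial: {arn!r}")
    return ACTIONS[(service, rtype)]


def build_policy(arns):
    """Build an IAM policy with one statement per action, scoped to exact ARNs."""
    by_action = {}
    for arn in arns:
        by_action.setdefault(required_action(arn), []).append(arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
            for action, resources in sorted(by_action.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_ARNS), indent=2))
```

Running the script prints the policy JSON, which can be attached to the role or user whose credentials the agent uses after the placeholder ARNs are replaced with your own.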
Step 3 - Set Gremlin config values to use ARN
Now, in your Gremlin configuration, you can set some of the configuration values to the ARN of the AWS resource you created. When the agent starts, it reaches out to AWS to retrieve the value stored there and keeps it in memory. Here is an example configuration file with AWS ARNs used to store sensitive values:
You've set up your Gremlin agent to use remote configuration values, increasing the security of your configuration! Refer to the agent configuration for all the supported values that you can use an AWS ARN for.