Secrets management
This page guides you through the general steps to access and retrieve secrets from AWS Secrets Manager or Azure Key Vault using Arcion Replicant.
Overview
Secrets management allows you to protect sensitive information like passwords, keys, tokens, and so on. To ensure effective and secure secrets management for enterprises, Arcion supports the following secrets management services:
- AWS Secrets Manager
- Azure Key Vault
Replicant works seamlessly with both AWS Secrets Manager and Azure Key Vault. When you start a replication job, specify the necessary options for using a secrets management service. This means you don't need to run Replicant separately to fetch secrets. Replicant automatically fetches the necessary credentials for a replication job according to your specifications.
Use a secrets management service
Follow these steps to use a secrets management service with Arcion Replicant in a replication job:
Configure secrets management details
Replicant accepts an optional configuration file containing all the details about secrets management. The configuration file specifies the following details:
- The secrets management service: AWS Secrets Manager or Azure Key Vault
- Password rotation and the number of secrets cache retries
- Authentication credentials and secret details
For more information about the secrets management configuration file, see Configure Secrets Manager details and Configure Key Vault details.
If you don't specify the secrets management configuration file, Arcion looks for authentication credentials in the following locations.
For AWS Secrets Manager:
- The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. We recommend setting these variables.
- The aws.accessKeyId and aws.secretKey Java system properties.
- Web identity token from the environment or container.
- The shared credentials file in the default location.
- The Amazon ECS container credentials. You must set the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI system environment variable and Secrets Manager must have the permission to access the variable.
- Amazon EC2 instance IAM role-provided credentials through the Amazon EC2 metadata service.
For Azure Key Vault:
- Environment variables holding service principal authentication credentials. For example, you can use the following commands in a bash shell to set the environment variables:

export AZURE_TENANT_ID=TENANT_ID
export AZURE_CLIENT_ID=CLIENT_ID
export AZURE_CLIENT_SECRET=CLIENT_SECRET

Replace TENANT_ID, CLIENT_ID, and CLIENT_SECRET with the actual authentication credential values.
Arcion then uses the values of these environment variables to authenticate with Azure Active Directory (Azure AD). These variables represent the same set of credentials you specify under namespaces when you use the secrets management configuration file.
Specify secrets URI in the connection configuration file
To locate and access a secret in AWS Secrets Manager or Azure Key Vault, Arcion uses the following URI format for each secret:

arcion-sm://NAMESPACE/KEY

The preceding URI structure contains the following elements:
- NAMESPACE represents the secret name in AWS Secrets Manager, or the key vault name in Azure Key Vault. Replace NAMESPACE with the namespace name you specify under the namespaces field of the secrets management configuration file. For more information, see the description of namespaces for AWS Secrets Manager and Azure Key Vault.
- KEY, for AWS Secrets Manager, represents the key of the secret whose value Arcion must retrieve. For Azure Key Vault, KEY represents the name of the secret whose value Arcion must retrieve.
The following sample connection configuration file for a source MySQL specifies the host, port, username, and password credentials using secrets URIs:

type: MYSQL
host: arcion-sm://mysql_src/host
port: arcion-sm://mysql_src/port
username: arcion-sm://mysql_src/username
password: arcion-sm://mysql_src/password
slaveServerIds: [1]
maxConnections: 20
maxRetries: 10
retryWaitDurationMs: 1000

Run Replicant
Run Replicant with the following options:
- --use-sm-provider: Specifies the secrets management service you want to use:
  - AWS: Use AWS Secrets Manager as the secrets management service.
  - AZURE: Use Azure Key Vault as the secrets management service.
  - NONE: Replicant expects credentials to be in plain text in the configuration file. Therefore, Replicant doesn't look for credentials in any secrets management service.
- --secret-manager: Location of the secrets management YAML configuration file. For more information, see Use AWS Secrets Manager and Use Azure Key Vault.
For example, the following command tests the connection to a MySQL server using secrets from AWS Secrets Manager:

./bin/replicant test-connection conf/conn/mysql.yaml \
--validate conf/validate/validate.yaml \
--use-sm-provider AWS \
--secret-manager conf/secretmanager/aws_example.yaml
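The following added example (not Replicant's own code) shows how the arcion-sm://NAMESPACE/KEY references in the MySQL sample above resolve against a secrets store, and why a reference must fail loudly rather than be passed through when the provider is NONE. CONN_CONFIG and SECRET_STORE are constructed stand-ins; real lookups go through the AWS or Azure SDK.

```python
import re

# Constructed sample connection config, mirroring the page's MySQL example.
CONN_CONFIG = {
    "type": "MYSQL",
    "host": "arcion-sm://mysql_src/host",
    "port": "arcion-sm://mysql_src/port",
    "username": "arcion-sm://mysql_src/username",
    "password": "arcion-sm://mysql_src/password",
    "slaveServerIds": [1],
    "maxConnections": 20,
}

# Constructed stand-in for a provider. For AWS Secrets Manager, NAMESPACE is the
# secret name and KEY selects a field of its value; for Azure Key Vault, NAMESPACE
# is the vault name and KEY is the secret name. Both are a two-level lookup here.
SECRET_STORE = {
    "mysql_src": {
        "host": "db.internal.example",
        "port": "3306",
        "username": "repl_user",
        "password": "constructed-password",
    }
}

SM_URI = re.compile(r"^arcion-sm://(?P<ns>[^/]+)/(?P<key>[^/]+)$")


def resolve_value(value, store, provider):
    """Return value with an arcion-sm:// reference resolved; other values pass through."""
    if not isinstance(value, str):
        return value
    m = SM_URI.match(value)
    if not m:
        return value  # plain-text value, used as-is
    if provider == "NONE":
        # With NONE, no store is consulted: refuse rather than use the literal URI
        # string as a credential, which would otherwise fail silently at connect time.
        raise ValueError(f"secret reference {value!r} given but provider is NONE")
    ns, key = m.group("ns"), m.group("key")
    try:
        return store[ns][key]
    except KeyError:
        raise KeyError(f"secret {ns}/{key} not found in {provider}") from None


def resolve_config(config, store, provider="AWS"):
    """Resolve every secret reference in a connection config dict."""
    return {k: resolve_value(v, store, provider) for k, v in config.items()}
```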