AWS Secrets Manager


Maverics can integrate with AWS to inject secrets stored in AWS Secrets Manager into Maverics user flows to protect app resources. Maverics can also decrypt KMS-encrypted secrets stored in Secrets Manager.

Prerequisites

In order to use Secrets Manager with Maverics, you will need the following:

See the documentation linked in each entry for more details.

Update your Maverics configuration with AWS secrets

AWS Secrets Manager supports plain text and key/value JSON structured secrets. You must revise your Maverics configuration with references to secrets in AWS. For more information, see Create and manage secrets with AWS Secrets Manager.

Plain text secrets

Use the secret ID or secret name as a placeholder for any multi-line secrets or passwords.

apps:
  - name: exampleSAMLApp
    type: saml
    audience: https://app.enterprise.com
    consumerServiceURL: https://app.enterprise.com/acs
    requestVerification:
      certificate: <dev/exampleSAMLApp/signingCertificate>
      # ...

Key/value JSON secrets

Use the format <secret ID:secret key> as a placeholder for any secrets or passwords.

connectors:
   - name: azure
     type: azure
     oauthClientID: <dev/app100:clientID>
     oauthClientSecret: <dev/app100:clientSecret>
     # ...

If a secret key is provided, the value of the key from the JSON object is returned. If only the secret ID is provided, the entire JSON secret is returned.

Reference using ARN

Secrets may also be referenced via the Secret ARN values in place of the secret name.

apps:
  - name: exampleSAMLApp
    type: saml
    audience: https://app.enterprise.com
    consumerServiceURL: https://app.enterprise.com/acs
    requestVerification:
      certificate: <arn:aws:secretsmanager:us-east-2:1234567890:secret:dev/exampleSAMLApp/signingCertificate-ruPjk>
      # ...
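The three reference forms above (plain text, key/value JSON, and ARN) can be worked through with a small resolver. This is an added example written for this page, not Maverics' own code; it assumes a fetch callback that returns the secret string for a secret ID, stubbed here with a constructed in-memory store in place of a boto3 get_secret_value call.

```python
import json
import re
from typing import Callable, Dict, Optional, Tuple

# A placeholder is the whole config value: <secretID> or <secretID:secretKey>
PLACEHOLDER = re.compile(r"<([^<>]+)>")


def parse_reference(ref: str) -> Tuple[str, Optional[str]]:
    """Split a placeholder body into (secret_id, json_key_or_None)."""
    # Secret names cannot contain ':' but an ARN has six of them, so an ARN
    # is taken as its seven colon-separated fields; anything after is the key.
    if ref.startswith("arn:"):
        parts = ref.split(":", 7)
        if len(parts) < 7:
            raise ValueError(f"malformed secret ARN: {ref}")
        return ":".join(parts[:7]), (parts[7] if len(parts) == 8 else None)
    secret_id, _, key = ref.partition(":")
    return secret_id, (key or None)


def resolve_value(ref: str, fetch: Callable[[str], str]) -> str:
    """Resolve one placeholder body; fetch(secret_id) returns the SecretString."""
    secret_id, key = parse_reference(ref)
    raw = fetch(secret_id)
    if key is None:
        return raw  # plain-text secret, or the entire JSON document
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError(f"secret {secret_id!r} is not key/value JSON")
    if key not in doc:
        raise KeyError(f"key {key!r} missing from secret {secret_id!r}")
    return doc[key]


def resolve_config(node, fetch: Callable[[str], str]):
    """Walk a parsed config (dicts/lists/strings) and replace placeholders."""
    if isinstance(node, dict):
        return {k: resolve_config(v, fetch) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_config(v, fetch) for v in node]
    if isinstance(node, str) and (m := PLACEHOLDER.fullmatch(node)):
        return resolve_value(m.group(1), fetch)
    return node


# Constructed stand-in for Secrets Manager (hypothetical values, not real secrets).
FAKE_STORE: Dict[str, str] = {
    "dev/exampleSAMLApp/signingCertificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----",
    "dev/app100": json.dumps({"clientID": "app100-id", "clientSecret": "app100-secret"}),
}
```

Resolving with a key that is absent, or against a secret that is not JSON, raises rather than silently inserting an empty value, which is the failure mode worth catching before the config reaches a running gateway.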

AWS IAM Configuration

The Secrets Manager policy settings should allow only what Maverics needs in order to fetch secret values.

See AWS documentation for more: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

AWS IAM Resource Policy

The following example is a resource-based policy that you can attach to a secret. This example is useful when you want to grant access to a single secret to multiple users or roles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}

AWS IAM User Permissions Policy

Create access keys for an AWS IAM user with tightly scoped permissions. The following JSON shows an appropriate policy for an IAM user with access to the minimal permissions required for secret retrieval:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": "*"
  }
}

AWS Decrypt customer managed keys policy

If a secret is encrypted using a customer managed key, you must grant access to decrypt the secret by attaching the following policy to an identity.

  1. Attach the policy to the IAM identity either by adding/editing permissions, or by creating an inline policy.

  2. Set the resource for the kms:Decrypt action to the KMS key ARN.

For complete information, see Attach a permissions policy to an identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "SecretARN"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "KMSKeyARN"
    }
  ]
}

Maverics Configuration

To load secrets from AWS Secrets Manager, set the MAVERICS_SECRET_PROVIDER environment variable using the following pattern:

MAVERICS_SECRET_PROVIDER='awssecretsmanager://amazonaws.com'

By default, Maverics will use the AWS environment configuration.

To override the AWS environment configuration, accessKeyID, secretAccessKey and region can be specified on the connection string. Ensure the fields are properly URL encoded.

MAVERICS_SECRET_PROVIDER='awssecretsmanager://amazonaws.com?accessKeyID=aws-access-key-id&secretAccessKey=aws-secret-access-key&region=us-east-2'
./maverics_darwin_amd64 -secretProvider "awssecretsmanager://amazonaws.com" -config maverics.json

If referencing environment variables:

source ./maverics.env && ./maverics_darwin_amd64

We also support AWS configuration sources, such as ~/.aws/config and ~/.aws/credentials.