Can I create vendor-managed, install-specific secrets?

Last updated: March 12, 2026

QUESTION

Can I create vendor-managed, install-specific secrets?

ANSWER

If your secrets are accessible from an API endpoint, you can create a Nuon Action script that retrieves the secret values and uses jq and the AWS CLI to write them to AWS Secrets Manager. Afterwards, the secret is available to other actions and components.

Requirements:

  • Retain permissions in the Runner maintenance role that allow you to create secrets (example).

  • Retain permissions to retrieve AWS Secrets Manager secrets, typically scoped to an install by tags or by naming convention (see example above).

  • The values you want to store are accessible to the runner over the network: typically this means an API endpoint, which is the case in this example.

If you can fulfill these requirements, you can write a Nuon action that reads the values and writes them to Secrets Manager in the same account as the install. Typically the action outputs contain the secret's ARN (from the AWS CLI output), which you can then use in other actions or components. Nuon action lifecycle triggers are a useful way to control when this action runs (e.g. after a sandbox is provisioned or before a component is deployed).

An example flow:

  1. Before the sandbox is provisioned, run an action to create or update a secret with a value from the API. For example, an action calls acme.example.org/v1/license?install_id={{.nuon.install.id}} and stores the returned value in Secrets Manager in a secret named /{{.nuon.install.id}}/license-key.

  2. Before the Helm deployment that requires the license key, an action runs that reads the value and upserts it into a secret the chart can consume.

  3. The Helm deployment can then refer to the license key (e.g. via existingSecret, or envFrom with a secretRef).
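The create-or-update action from steps 1 and 2, written out as an added example rather than Nuon's own code. It assumes the vendor API returns a JSON object with a license_key field, that the install id arrives in an INSTALL_ID environment variable (the FAQ shows it rendered with {{.nuon.install.id}}), and it tags the secret with the install id so the retrieval permission from the requirements above can be tag-scoped.

```shell
#!/usr/bin/env bash
# Added example, not Nuon's own code: a Nuon Action script that fetches an
# install-specific license key from a vendor API and upserts it into AWS
# Secrets Manager in the install's account. Assumptions: the API returns
# {"license_key": "..."}, the secret is named /<install-id>/license-key, and
# the install id is passed in via the INSTALL_ID env var.
set -eu

LICENSE_URL="${LICENSE_URL:-https://acme.example.org/v1/license}"

# Fetch the key for this install; jq -e fails the step if the field is missing.
fetch_license() {
  curl -fsS "${LICENSE_URL}?install_id=$1" | jq -er '.license_key'
}

# Create-or-update a secret. The value goes through a temp file (mktemp creates
# it 0600) rather than argv so it does not appear in process listings or traces.
upsert_secret() {
  local install_id="$1" name="$2" value="$3" valfile errfile arn rc
  valfile=$(mktemp) && printf '%s' "$value" >"$valfile"
  errfile=$(mktemp)
  # put-secret-value adds a new version when the secret already exists ...
  if arn=$(aws secretsmanager put-secret-value --secret-id "$name" \
        --secret-string "file://$valfile" --query ARN --output text 2>"$errfile"); then
    rc=0
  # ... on the first run for an install it does not exist yet, so create it,
  # tagged with the install id so retrieval permissions can be scoped by tag.
  elif grep -q ResourceNotFoundException "$errfile"; then
    arn=$(aws secretsmanager create-secret --name "$name" \
        --secret-string "file://$valfile" \
        --tags "Key=nuon-install-id,Value=$install_id" \
        --query ARN --output text) && rc=0 || rc=$?
  else
    cat "$errfile" >&2; rc=1   # any other error (e.g. AccessDenied) fails the action
  fi
  rm -f "$valfile" "$errfile"
  [ "$rc" -eq 0 ] && printf '%s\n' "$arn"
  return "$rc"
}

# Action entry point: prints the ARN so it can be exposed as an action output.
sync_license_secret() {
  local install_id="$1" key
  key=$(fetch_license "$install_id")
  upsert_secret "$install_id" "/$install_id/license-key" "$key"
}

if [ -n "${INSTALL_ID:-}" ]; then
  sync_license_secret "$INSTALL_ID"
fi
```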
