Secret Store
This document explains how to integrate your secret store with TrueFoundry so that you can store secrets securely and expose them to your applications as environment variables.
TrueFoundry supports the commonly used secret stores; this page covers AWS SSM Parameter Store and Google Secret Manager.
Connect your Secret Store
To connect a new secret store, follow these steps:
- Navigate to the Integrations section of your TrueFoundry dashboard and open the Secret Store tab.
- Click the Connect Secret Store button at the top right corner.
- Enter a name for the secret store you want to connect and select the Integration Provider.
- Fill in the credentials required by the selected integration provider and Submit.
Connect AWS SSM as a secret store
Follow the steps below to connect AWS SSM Parameter Store to TrueFoundry:
- An IAM role for TrueFoundry may already exist with the name tfy-<short-region-name>-<name>-platform-role-<xxxyyyzzz>; if not, create a new one. Attach the permission below to that role. Alternatively, create an IAM user with the same permission, generate an access key and secret key, and integrate the secret store using those keys. Prefer the role where you can: access keys are long-lived credentials that you have to rotate and protect yourself.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters",
        "ssm:GetParameterHistory"
      ],
      "Resource": [
        "arn:aws:ssm:AWS_REGION:ACCOUNT_ID:parameter/tfy-secret/*"
      ]
    }
  ]
}
```
Replace AWS_REGION and ACCOUNT_ID with your own values. The Resource ARN confines the role to parameters under the tfy-secret/ prefix; do not widen it to `*` or to the whole parameter namespace. If the parameters are SecureString values encrypted with a customer-managed KMS key rather than the AWS-managed aws/ssm key, the role also needs permission to use that key (kms:Encrypt to write, kms:Decrypt to read).
- Navigate to the Integrations > Secret Store tab and click Connect Secret Store.
- Fill in the IAM role (or the access key and secret key) together with the correct AWS region in the form, and Submit.
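To check that the role really is confined to the tfy-secret/ prefix before you paste it into the form, here is an added Python example (it is not TrueFoundry tooling) that renders the policy above for a given region and account and lints any existing policy document, such as the PolicyDocument returned by `aws iam get-role-policy`, for grants wider than the page's statement. The function names, the placeholder region and account, and the over-broad sample policy are all constructed for this example.

```python
"""Render the SSM Parameter Store policy for the TrueFoundry platform role and
lint an existing policy for grants broader than the tfy-secret/* prefix.
Added example; not part of TrueFoundry's own tooling."""
import json

# The six actions the page's policy statement grants; any other ssm: action is a finding.
ALLOWED_SSM_ACTIONS = {
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:PutParameter",
    "ssm:DeleteParameter",
    "ssm:DeleteParameters",
    "ssm:GetParameterHistory",
}
# Resource prefix from the page's policy (the resource part of the ARN).
PARAMETER_PREFIX = "parameter/tfy-secret/"


def render_ssm_policy(region: str, account_id: str) -> dict:
    """Complete policy document (Version + Statement) for one region and account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSM",
                "Effect": "Allow",
                "Action": sorted(ALLOWED_SSM_ACTIONS),
                "Resource": [f"arn:aws:ssm:{region}:{account_id}:{PARAMETER_PREFIX}*"],
            }
        ],
    }


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_scoped_parameter_arn(arn: str) -> bool:
    """True only for arn:<partition>:ssm:<region>:<account>:parameter/tfy-secret/..."""
    parts = arn.split(":", 5)  # arn, partition, service, region, account, resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ssm":
        return False
    region, account, resource = parts[3], parts[4], parts[5]
    if region in ("", "*") or account in ("", "*"):
        return False  # a regionless or accountless ARN matches far more than intended
    return resource.startswith(PARAMETER_PREFIX)


def check_ssm_policy(policy: dict) -> list[str]:
    """Return one finding per grant that exceeds what the secret store needs.
    An empty list means every SSM-related Allow statement is scoped as the page intends."""
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"statement {idx}"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource invert the grant; list the permissions explicitly")
            continue
        actions = _as_list(stmt.get("Action"))
        # Skip statements that do not touch SSM at all (e.g. a KMS grant for SecureString keys).
        if not any(a == "*" or a.lower().startswith("ssm:") for a in actions):
            continue
        for action in actions:
            if action == "*" or (action.lower().startswith("ssm:") and action not in ALLOWED_SSM_ACTIONS):
                findings.append(f"{sid}: action {action!r} is broader than the secret store needs")
        for resource in _as_list(stmt.get("Resource")):
            if not _is_scoped_parameter_arn(resource):
                findings.append(f"{sid}: resource {resource!r} is not limited to {PARAMETER_PREFIX}*")
    return findings


if __name__ == "__main__":
    # Placeholder region and account (constructed, not real values); substitute your own.
    policy = render_ssm_policy("us-east-1", "123456789012")
    print(json.dumps(policy, indent=2))
    print("findings:", check_ssm_policy(policy))  # []

    # Constructed example of an over-broad policy of the kind a quick console edit produces.
    broad = json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Sid": "SSM", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}
      ]
    }""")
    for finding in check_ssm_policy(broad):
        print("finding:", finding)
```

Feed `check_ssm_policy` the parsed PolicyDocument of the platform role; a non-empty result means the role can reach parameters (or actions) outside what the secret store integration needs, and the statement named in each finding is the one to tighten.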
Connect Google Secret Manager
Follow the steps below to connect Google Secret Manager to TrueFoundry:
- Create an IAM service account named tfy-<short-region-name>-<name>-platform-role, if one does not exist already.
- Grant the Secret Manager Admin IAM role (roles/secretmanager.admin) to the service account created above. This role can manage every secret in the project, so grant it only to this service account.
- Once the service account exists, create a key for it in JSON format. The key file is a long-lived credential; treat it as a secret itself and delete local copies once it has been pasted into TrueFoundry.
- Navigate to the Integrations > Secret Store tab and click Connect Secret Store.
- Paste the contents of the GCP service account keyfile.json and Submit.