BlogsCreate Account

Secret Store

Suggest Edits

This document covers the guide to integrating your secret store with TrueFoundry to let you store your secrets securely and then use them as environment variables in applications.

We support commonly used secret stores listed below:

  1. AWS SSM
  2. Google GSM

Connect your Secret Store

To connect a new secret store, one needs to follow the following steps:

  1. Navigate to the Integrations section of your truefoundry dashboard, and go to the Secret Store section.
  2. Click on the Connect Secret Store button at the top right corner.
  3. Now add the name of the secret store you want to connect. Select the Integration Provider.
  4. Fill in the credentials according to the selected integration provider and Submit.
List of all secret stores

List of all secret stores

Connect AWS SSM as a secret store

Follow the steps below to connect the secrets manager to TrueFoundry:

  1. You might have the IAM role for truefoundry already created with the name - tfy-<short-region-name>-<name>-platform-role-<xxxyyyzzz>, if not create a new one. You can add the following permission to that role. You can also create a user with the permissions below, generate an access key and secret key and integrate the secret store via the access and secret keys.
{
    "Sid": "SSM",
    "Effect": "Allow",
    "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters",
        "ssm:GetParameterHistory"
    ],
    "Resource": [
        "arn:aws:ssm:AWS_REGION:ACCOUNT_ID:parameter/tfy-secret/*"
    ]
}
  1. Navigate to Integrations > Secret Store tab and click on Connect Secret Store
  2. Fill in the IAM role with the correct AWS region in the form and Submit.

Connect Google Secret Manager

Follow the steps below to connect your Google Secrets Manager to TrueFoundry:

  1. Create an IAM serviceaccount named tfy-<short-region-name>-<name>-platform-role, if not created before.
    1. Attach the IAM role of Secret Manager Admin to the bucket created above.
    2. Once the IAM serviceaccount is created, make sure to create a key in JSON format.
  2. Navigate to Integrations > Secret Store tab and click on Connect Secret Store
  3. Paste the GCP service account keyfile.json and Submit.

Updated 2 months ago

What’s Next