Secret Store

This document is a guide to integrating your secret store with TrueFoundry so that you can store secrets securely and then use them as environment variables in applications.

The following commonly used secret stores are supported:

  1. AWS SSM
  2. Google GSM

Connect your Secret Store

To connect a new secret store, follow these steps:

  1. Navigate to the Integrations section of your TrueFoundry dashboard, and go to the Secret Store section.
  2. Click on the Connect Secret Store button at the top right corner.
  3. Now add the name of the secret store you want to connect. Select the Integration Provider.
  4. Fill in the credentials according to the selected integration provider and Submit.

List of all secret stores

Connect AWS SSM as a secret store

Follow the steps below to connect AWS SSM Parameter Store to TrueFoundry:

  1. You may already have an IAM role for TrueFoundry named tfy-<short-region-name>-<name>-platform-role-<xxxyyyzzz>; if not, create a new one. Add the following permission statement to that role. Alternatively, create an IAM user with the same permissions, generate an access key and secret key, and integrate the secret store using those keys. Replace AWS_REGION and ACCOUNT_ID with your own values; the Resource ARN limits the role to parameters under the tfy-secret/ prefix.
     {
         "Sid": "SSM",
         "Effect": "Allow",
         "Action": [
             "ssm:GetParameter",
             "ssm:GetParameters",
             "ssm:PutParameter",
             "ssm:DeleteParameter",
             "ssm:DeleteParameters",
             "ssm:GetParameterHistory"
         ],
         "Resource": [
             "arn:aws:ssm:AWS_REGION:ACCOUNT_ID:parameter/tfy-secret/*"
         ]
     }
  2. Navigate to the Integrations > Secret Store tab and click on Connect Secret Store.
  3. Fill in the IAM role and the correct AWS region in the form and Submit.

Connect Google Secret Manager

Follow the steps below to connect Google Secret Manager to TrueFoundry:

  1. Create an IAM service account named tfy-<short-region-name>-<name>-platform-role, if one was not created before.
    1. Create a custom IAM role with the following permissions:
      [
          "secretmanager.secrets.get",
          "secretmanager.secrets.list",
          "secretmanager.secrets.create",
          "secretmanager.secrets.delete",
          "secretmanager.secrets.update",
          "secretmanager.versions.access",
          "resourcemanager.projects.get"
      ]

      1. Navigate to IAM & Admin -> Roles.
      2. Click + CREATE ROLE.
      3. Enter a name and a description.
      4. Click ADD PERMISSIONS and add the permissions listed above.
      5. Click CREATE.
    2. Attach the custom IAM role to the service account:
      1. In the IAM section, locate the service account created earlier.
      2. Click the Edit icon next to the service account.
      3. Click ADD ROLE and select the custom role you created.
      4. Next to the role, click ADD IAM CONDITION.
      5. Type a title and, under the CONDITION EDITOR tab, enter the condition below (replace <GCP Project Number> with your project number). It limits the role to secrets whose names start with tfy:
        resource.name.startsWith('projects/<GCP Project Number>/secrets/tfy')
      6. Click SAVE.
  2. Once the IAM service account is created, create a key for it in JSON format.
  3. Navigate to the Integrations > Secret Store tab and click on Connect Secret Store.
  4. Paste the contents of the GCP service account keyfile.json and Submit.
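Both the AWS statement above and the GCP IAM condition are meant to scope the integration to TrueFoundry-managed secrets only. The following Python script is an added example (not TrueFoundry code) that evaluates each rule against constructed resource names, so you can confirm before connecting that a parameter or secret outside the tfy prefix is not reachable. The region, account ID and project number are constructed sample values standing in for the page's placeholders.

```python
import fnmatch
import json

# The page's AWS statement, with its AWS_REGION / ACCOUNT_ID placeholders
# filled in with constructed sample values.
AWS_STATEMENT = json.loads("""{
    "Sid": "SSM",
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter",
               "ssm:DeleteParameter", "ssm:DeleteParameters",
               "ssm:GetParameterHistory"],
    "Resource": ["arn:aws:ssm:us-east-1:123456789012:parameter/tfy-secret/*"]
}""")

GCP_PROJECT_NUMBER = "123456789012"  # constructed sample project number


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _iam_glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' spans any characters, '?' exactly one.
    fnmatch also treats '[' as special, so it is escaped to keep ARNs literal."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def aws_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True if this Allow statement grants `action` on `resource_arn`.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(_iam_glob(a.lower(), action.lower())
                    for a in _as_list(statement["Action"]))
    resource_ok = any(_iam_glob(r, resource_arn)
                      for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def gcp_condition_allows(secret_name: str, project_number: str) -> bool:
    """The page's IAM condition, reproduced in Python:
    resource.name.startsWith('projects/<GCP Project Number>/secrets/tfy')"""
    return secret_name.startswith(f"projects/{project_number}/secrets/tfy")


if __name__ == "__main__":
    prefix = "arn:aws:ssm:us-east-1:123456789012:parameter/"
    for name in ("tfy-secret/db-password", "prod/db-password"):
        print(name, aws_allows(AWS_STATEMENT, "ssm:GetParameter", prefix + name))
    for name in ("tfy-db-password", "prod-db-password"):
        full = f"projects/{GCP_PROJECT_NUMBER}/secrets/{name}"
        print(name, gcp_condition_allows(full, GCP_PROJECT_NUMBER))
```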
