Secrets Manager

This plugin integrates with known secrets managers so that connection environment variables are expanded dynamically for each connection.

WARNING

This uses an experimental plugin system. The plugin is downloaded from our public registry and installed at runtime when your agent runs.

AWS Secrets Manager Provider

Expands environment variables from a key stored in an AWS Secrets Manager secret into a connection.

Required Configuration

AWS credentials

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_REGION

IAM Role

  • secretsmanager:GetSecretValue
  • secretsmanager:GetResourcePolicy
  • secretsmanager:DescribeSecret
  • secretsmanager:ListSecretVersionIds

Connection Configuration

After the plugin is enabled for a connection, configure the environment variables for the connection as:

  • Name of the environment key
  • Value of the environment key in the form provider:secret-key:key

Example:

  • MYSECRET=aws:prod-secret-key:MYSECRET

The environment key value is replaced when the user opens a session with the agent.
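As an added illustration (not the hoop plugin's own code), the Python below models how a value of the form provider:secret-key:key is resolved when a session starts: the value is split into provider, secret name and key, the secret is fetched, and the key's value replaces the reference. The in-memory secret store, the secret names and the values are constructed stand-ins for what AWS Secrets Manager's GetSecretValue would return; the decision to leave values whose first component is not a known provider untouched (so a URL or host:port value passes through) is this model's choice, not documented plugin behaviour.

```python
"""Model of how a `provider:secret-key:key` reference is expanded.

Added example, not the hoop plugin's code. FAKE_SECRETS_MANAGER is a
constructed stand-in for AWS Secrets Manager: GetSecretValue returns the
secret's SecretString, which for key/value secrets is a JSON object.
"""
import json
from typing import Mapping, Optional, Tuple

KNOWN_PROVIDERS = {"aws"}

# Constructed sample secrets (names and values are made up for this example).
FAKE_SECRETS_MANAGER = {
    "prod-secret-key": '{"MYSECRET": "s3cr3t-value", "DB_PASS": "p@ss"}',
    "plain-text-secret": "not-json-at-all",
}


def get_secret_string(secret_name: str, store: Mapping[str, str]) -> str:
    """Stand-in for secretsmanager:GetSecretValue; fails if the secret is unknown."""
    try:
        return store[secret_name]
    except KeyError:
        raise LookupError(f"secret {secret_name!r} not found") from None


def parse_reference(value: str) -> Optional[Tuple[str, str, str]]:
    """Split `provider:secret-key:key` into its parts, or return None.

    Only the first two ':' are separators, so the key part may contain ':'.
    A value whose first component is not a known provider (e.g. a URL such
    as http://host:8080/x) is not a reference and passes through unchanged;
    that is this model's choice, not documented plugin behaviour.
    """
    parts = value.split(":", 2)
    if len(parts) != 3 or not all(parts) or parts[0] not in KNOWN_PROVIDERS:
        return None
    provider, secret_name, key = parts
    return provider, secret_name, key


def expand_env(env: Mapping[str, str], store: Mapping[str, str] = FAKE_SECRETS_MANAGER) -> dict:
    """Return a copy of `env` with every reference replaced by the secret value."""
    expanded = {}
    for name, value in env.items():
        ref = parse_reference(value)
        if ref is None:
            expanded[name] = value          # ordinary value, keep as is
            continue
        _provider, secret_name, key = ref
        raw = get_secret_string(secret_name, store)
        try:
            secret = json.loads(raw)
        except json.JSONDecodeError:
            raise ValueError(f"{name}: secret {secret_name!r} is not a JSON object") from None
        if not isinstance(secret, dict) or key not in secret:
            raise KeyError(f"{name}: key {key!r} not present in secret {secret_name!r}")
        expanded[name] = str(secret[key])
    return expanded


if __name__ == "__main__":
    # Constructed connection environment: one reference, one plain value.
    sample_env = {"MYSECRET": "aws:prod-secret-key:MYSECRET", "DB_HOST": "db.internal:5432"}
    for k, v in expand_env(sample_env).items():
        print(f"{k}={v}")
```

Failures are deliberately loud: an unknown secret, a secret that is not a JSON object, or a missing key raises instead of silently leaving the literal reference in the environment, which is the outcome a practitioner wants to notice before a session starts.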

Managing the Plugin

Enabling it (required)

ACCESS_TOKEN=$(grep -i Token ~/.hoop/config.toml | awk '{print $3}' | sed 's|"||g')
curl https://app.hoop.dev/api/plugins -H "Authorization: Bearer $ACCESS_TOKEN" -d@- <<EOF
{
"name": "secretsmanager",
"source": "hoop/secretsmanager",
"priority": 100,
"connections": []
}
EOF

Associating or updating a connection (required)

ACCESS_TOKEN=$(grep -i Token ~/.hoop/config.toml | awk '{print $3}' | sed 's|"||g')
CONNECTION_ID=    # id of the connection to associate with the plugin
CONNECTION_NAME=  # name of that connection
curl https://app.hoop.dev/api/plugins/secretsmanager -XPUT -H "Authorization: Bearer $ACCESS_TOKEN" -d@- <<EOF
{
"name": "secretsmanager",
"source": "hoop/secretsmanager",
"priority": 100,
"connections": [
{
"id": "$CONNECTION_ID",
"name": "$CONNECTION_NAME",
"config": []
}
]
}
EOF

Configuring (required)

INFO

The values must be base64 encoded.

curl https://app.hoop.dev/api/plugins/secretsmanager -XPUT -H "Authorization: Bearer $ACCESS_TOKEN" -d@- <<EOF
{
"AWS_ACCESS_KEY_ID": "QUtJQUlPU0ZPRE5ON0VYQU1QTEU=",
"AWS_SECRET_ACCESS_KEY": "d0phbHJYVXRuRkVNSS9LN01ERU5HL2JQeFJmaUNZRVhBTVBMRUtFWQ==",
"AWS_REGION": "dXMtZWFzdC0x"
}
EOF
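The three requests above, written as an added Python client so the base64 encoding of the configuration values is done in code rather than by hand. This is example code, not hoop's own client or API library; it assumes the access token is supplied in the ACCESS_TOKEN environment variable (the page obtains it from ~/.hoop/config.toml), that the connection id and name are in CONNECTION_ID and CONNECTION_NAME, and that the credentials are in the usual AWS_* variables. The sample values in the test are the ones shown on this page, which are AWS's documented example key pair, not live credentials.

```python
"""Enable, associate and configure the secretsmanager plugin over the API.

Added example, not hoop's own client. Endpoints, bodies and the plugin
descriptor follow the curl calls on this page; everything else
(environment variable names for the inputs) is an assumption.
"""
import base64
import json
import os
import urllib.request

API = "https://app.hoop.dev/api"
PLUGIN = {"name": "secretsmanager", "source": "hoop/secretsmanager", "priority": 100}


def b64(value: str) -> str:
    # Encode the raw bytes only. A trailing newline, as `echo value | base64`
    # would add, produces a different string and a broken credential.
    return base64.b64encode(value.encode()).decode()


def enable_body() -> dict:
    """Body for POST /api/plugins (step: enabling it)."""
    return {**PLUGIN, "connections": []}


def associate_body(connection_id: str, connection_name: str) -> dict:
    """Body for PUT /api/plugins/secretsmanager (step: associating a connection)."""
    return {**PLUGIN, "connections": [
        {"id": connection_id, "name": connection_name, "config": []},
    ]}


def config_body(access_key_id: str, secret_access_key: str, region: str) -> dict:
    """Body for PUT /api/plugins/secretsmanager (step: configuring), base64 encoded."""
    return {
        "AWS_ACCESS_KEY_ID": b64(access_key_id),
        "AWS_SECRET_ACCESS_KEY": b64(secret_access_key),
        "AWS_REGION": b64(region),
    }


def decode_config(body: dict) -> dict:
    """Reverse of config_body; useful for checking what is about to be sent."""
    return {k: base64.b64decode(v).decode() for k, v in body.items()}


def send(method: str, path: str, body: dict, token: str) -> bytes:
    """Send one JSON request with the bearer token and return the raw response."""
    req = urllib.request.Request(
        API + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    token = os.environ["ACCESS_TOKEN"]                       # assumption: token in env
    send("POST", "/plugins", enable_body(), token)
    send("PUT", "/plugins/secretsmanager",
         associate_body(os.environ["CONNECTION_ID"], os.environ["CONNECTION_NAME"]), token)
    send("PUT", "/plugins/secretsmanager",
         config_body(os.environ["AWS_ACCESS_KEY_ID"],
                     os.environ["AWS_SECRET_ACCESS_KEY"],
                     os.environ["AWS_REGION"]), token)
```

Reading the credentials from the environment keeps them out of shell history and out of the script, and decode_config lets you confirm the encoded body before it leaves the machine.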

Testing it

Assuming that you have a bash connection created, check if the environment variables are expanded for your connection:

hoop exec bash -i 'env'

INFO

The plugin configuration (AWS credentials) is never shared under any circumstances with the user interacting with the connection. These credentials are kept in memory only. The session context will contain only the secret values expanded into the connection environment variables.