Secrets

This section explains how to feed the YaK with secrets.

In order to connect securely to your cloud provider and operate your instances, the YaK uses secrets. Some secrets must be retrieved from your cloud provider and passed to the YaK for connection and operation; others must be generated by a privileged user, and a public/private key exchange needs to take place.

You will need a minimum of two secret types:

  • Your cloud provider credentials, to deploy to your favorite cloud (AWS, Azure, OCI)

  • An SSH key (for Linux servers) or a WinRM certificate (for Windows servers), to connect to your instances once deployed.

Contact your company's cloud administrator to retrieve these details.

Prerequisite: the user needs an active account and access to the cloud provider portal to retrieve the relevant secrets.

Basic settings

To declare your secrets, follow these steps:

  • Navigate to the Configuration menu -> Secrets -> Click "Declare"

  • Name your secret (Ex: MyCloudSecret, MySSHKey...)

  • Select the secret type that you need to declare (cloud provider credentials, SSH key, WinRM)

  • Follow the section specific to what you are declaring (see hereafter):

AWS

  • Select secret type "AWS Credentials"

  • Retrieve your tokens from your AWS account and fill in the fields in the form:

    • Access key ID

    • Secret access key

    • Session token

  • Fill the form with the keys retrieved from your AWS account.

  • Click "Save"

🔗 - Link to AWS documentation: https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-short-term.html

Azure

  • Select secret type "Azure Credentials"

  • Retrieve your tokens from your Azure account and fill in the fields in the form:

    • Azure client ID (aka Application ID)

    • Azure secret

    • Azure subscription ID

    • Azure tenant (aka Directory ID)

  • Fill the form with the required information

  • Click "Save"

🔗 - Links to Azure documentation: https://learn.microsoft.com/en-us/azure/azure-portal/ https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id

OCI

  • Select secret type "OCI Credentials"

  • Retrieve your tokens from your OCI account and fill in the fields in the form:

    • OCI Region (your OCI Region ID)

    • OCI Tenancy

    • OCI User Fingerprint

    • OCI User ID

    • OCI private key value

  • These values are generated as part of the configuration snippet when adding an API signing key pair from your user profile in the Oracle cloud portal. Connect to your Oracle cloud portal and navigate to your Profile (top right) -> My profile -> Resources -> API keys -> Add API key and generate your API key to get the snippet file definition.

  • Retrieve the values from the snippet

  • Fill the form with the required information

  • Click "Save"

If you do not have access to these menus, please contact your cloud administrator to retrieve this information.

🔗 - Links to OCI documentation:

https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm https://docs.oracle.com/en-us/iaas/visual-builder-studio/doc/get-required-oci-input-values.html https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/contactingsupport_topic-Locating_Oracle_Cloud_Infrastructure_IDs.htm

SSH key

In order to connect securely to the Linux targets once created, an SSH key pair must be generated and the private key must be transferred to the instances.

  1. Generate a SSH key:

SSH keys can be generated from any machine running OpenSSH with the "ssh-keygen" command.

Example:

$ ssh-keygen

Do not set a passphrase when generating the SSH key.

  2. Copy the content of the private key file, from the -----BEGIN OPENSSH PRIVATE KEY----- line to the -----END OPENSSH PRIVATE KEY----- line inclusive.

Never reuse a key from documentation or examples; generate your own private key.

  3. From the YaK User Interface:

    1. Navigate to the Configuration menu -> Secrets -> Click "Declare"

    2. Name your secret (Ex: MySSHKey...)

    3. Select secret type "ssh key"

  4. Paste the entirety of the private key copied in step 2 into the corresponding field of the form.

  5. Click "Save"

WinRM

WinRM is a management protocol used by Windows to remotely communicate with another server.

  1. Retrieve and copy your WinRM certificate and private key (contact your PKI system administrator for more details)

    • Alternatively, self-signed certificates and private keys can be used. Note that the certificate must be in .pem format; if a PFX file has been generated, make sure to convert it to a private key that pywinrm can use (see the notes section in the following Ansible documentation).

  2. From the YaK User Interface:

    1. Navigate to the Configuration menu -> Secrets -> Click "Declare"

    2. Name your secret (Ex: MyWinRMCertificate...)

    3. Select secret type "winrm"

  3. Paste your certificate value in the WINRM_CERTIFICATE field (.pem format)

  4. Paste your private key value in the WINRM_CERTIFICATE_PRIVATE_KEY field (.pem format)

  5. Click "Save"

Refer to your company's security policy and ensure that the use of self-signed certificates complies with your internal rules.
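As an added pre-flight check (example code, not part of the YaK project or its documentation), the following Python validates the two pasted values described in the SSH key and WinRM sections before they go into the form: the SSH secret must be a single OPENSSH PRIVATE KEY block whose cipher is "none" (no passphrase), and the WinRM secret must be separate, unencrypted PEM certificate and private key blocks rather than a PFX. The sample inputs are constructed PEM headers with placeholder bytes, not usable keys or certificates.

```python
import base64, binascii, re, struct

# One PEM block: group 1 = label, group 2 = body (base64 plus any legacy "Key: value" headers).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, decoded_bytes)] for every PEM block in text; header lines are skipped."""
    out = []
    for m in PEM_RE.finditer(text):
        body = "".join(l.strip() for l in m.group(2).splitlines() if ":" not in l)
        out.append((m.group(1), base64.b64decode(body, validate=True)))
    return out

def check_ssh_secret(text):
    """The 'ssh key' secret must be exactly one unencrypted OPENSSH PRIVATE KEY block."""
    try:
        blocks = pem_blocks(text)
    except binascii.Error:
        return "malformed base64: copy the whole file, BEGIN to END lines inclusive"
    if len(blocks) != 1 or blocks[0][0] != "OPENSSH PRIVATE KEY":
        return "expected exactly one OPENSSH PRIVATE KEY block (not the .pub file)"
    blob = blocks[0][1]
    if not blob.startswith(b"openssh-key-v1\0"):
        return "block is not in openssh-key-v1 format"
    (n,) = struct.unpack(">I", blob[15:19])  # cipher name follows the 15-byte magic as an SSH string
    cipher = blob[19:19 + n].decode()         # 'none' means the key has no passphrase
    return "ok" if cipher == "none" else f"key is passphrase-protected ({cipher}); regenerate it"

def check_winrm_secret(cert_text, key_text):
    """WINRM_CERTIFICATE needs one CERTIFICATE block; the key field an unencrypted PEM key."""
    try:
        certs = [label for label, _ in pem_blocks(cert_text)]
        keys = [label for label, _ in pem_blocks(key_text)]
    except binascii.Error:
        return "malformed base64 (a binary .pfx must be converted to .pem first)"
    if certs != ["CERTIFICATE"]:
        return "WINRM_CERTIFICATE must hold exactly one CERTIFICATE block"
    if len(keys) != 1 or not keys[0].endswith("PRIVATE KEY"):
        return "WINRM_CERTIFICATE_PRIVATE_KEY must hold exactly one PRIVATE KEY block"
    if keys[0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in key_text:
        return "private key is passphrase-protected; pywinrm needs an unencrypted key"
    return "ok"

# Constructed sample inputs for the checks above: NOT real keys or certificates.
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def fake_openssh_key(cipher):  # only the openssh-key-v1 header (magic, cipher, kdf)
    s = lambda b: struct.pack(">I", len(b)) + b
    return pem("OPENSSH PRIVATE KEY", b"openssh-key-v1\0" + s(cipher.encode()) + s(b"none" if cipher == "none" else b"bcrypt"))

SAMPLE_CERT = pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")  # placeholder DER bytes
SAMPLE_KEY = pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
```

Run the two checks on the values you are about to paste; anything other than "ok" names the field and the reason it would be rejected or fail at connection time.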
