Secrets
This sections explains how to feed the YaK with secrets
Last updated
This sections explains how to feed the YaK with secrets
Last updated
In order to connect securely to your cloud provider and operate your instances, the YaK uses secrets. Some secrets must be retrieved from your cloud provider and passed to the YaK for connection and operation, some others must be generated by a privileged user and public/private key exchange need to take place.
You will need a minimum of 2 secrets types for cloud setups:
Your cloud provider credentials, to deploy to your favorite cloud (, , )
A (For Linux servers) or a (For Windows servers), to connect to your instances once deployed.
On-premises configuration only requires (For Linux servers) or a (For Windows servers)
Contact your company's cloud administrator to retrieve these details.
Pre-requisite: user needs an active account and access to his/her cloud provider portal to retrieve the relevant secrets.
To declare your secrets, follow these steps:
Navigate to the Configuration menu -> Secrets -> Click "Declare"
Name your secret (Ex: MyCloudSecret, MySSHKey...)
Select the secret type that you need to declare (cloud providers credentials, ssh key, winrm)
Follow the section specific to what your are declaring (see hereafter):
Select secret type "AWS Credentials"
Retrieve your tokens from your AWS account and fill-in the fields in the form:
Access key ID
Secret access key
Session token
Fill the form with the keys retrieved from your AWS account.
Click "Save"
Select secret type "Azure Credentials"
Retrieve your tokens from your Azure account and fill-in the fields in the form:
Azure client ID (aka Application ID)
Azure secret
Azure subscription ID
Azure tenant (aka Directory ID)
Fill the form with the required information
Click "Save"
Select secret type "OCI Credentials"
Retrieve your tokens from your OCI account and fill-in the fields in the form:
OCI Region (your OCI Region ID)
OCI Tenancy
OCI User Fingerprint
OCI User ID
OCI private key value
These values are generated as part of the configuration snippet when adding an API signing key pair from your user profile in the Oracle cloud portal. Connect to your Oracle cloud portal and navigate to your Profile (top right) -> My profile -> Resources -> API keys -> Add API key and generate your API key to get the snippet file definition.
Retrieve the values from the snippet
Fill the form with the required information
Click "Save"
In order to connect securely to the linux targets once created, a ssh pair of keys must be generated and the private key must be transferred to the instances.
Generate a SSH key:
SSH keys can be generated from any machine running openSSH with the "ssh-keygen" command
Example:
Do not set passphrase when generating the SSH key
Copy the content of the private key file:
From the YaK User Interface:
Navigate to the Configuration menu -> Secrets -> Click "Declare"
Name your secret (Ex: MySSHKey...)
Select secret type "ssh key"
Paste the entirety of the private key copied in step 2 into the corresponding field of the form.
Click "Save"
WinRM is a management protocol used by Windows to remotely communicate with another server.
Retrieve and copy your WinRM certificate and private key (contact your PKI system administrator for more details)
From the YaK User Interface:
Navigate to the Configuration menu -> Secrets -> Click "Declare"
Name your secret (Ex: MyWinRMCertificate...)
Select secret type "winrm"
Paste your certificate value in the WINRM_CERTIFICATE field (.pem format)
Paste your private key value in the WINRM_CERTIFICATE_PRIVATE_KEY field (.pem format)
Click "Save"
Refer to your company's security policy and ensure that the use of self-signed certificates complies with your internal rules.
To declare a server: - An infrastructure must exist - Cloud provider secrets and SSH key (for Linux servers) or WinRM certificate (for Windows servers) must have been created and attached to the server or to the infrastructure - To create a Windows Server on AWS, not only a cert_key for winrm is required, but also a sshkey. This is specific to AWS and is required to recover the Windows Server Administrator password from AWS Portal.
- Link to AWS documentation:
- Links to Azure documentation: \
- Links to OCI documentation:
\
Alternatively, self-signed certificates and private keys can be used. Note that the certificate must be in .pem format, if a PFX file has been generated, make sure to convert it to a private key that pywinrm can use (see notes section in the following Ansible )