SecretsManager Configuration on EC2
Last updated
Last updated
If you are configuring the VoiceWorx platform on the AWS environment (EC2 instance), this document will help you to configure Secrets Manager in your AWS account.
The VoiceWorx application needs to use certain confidential information like credentials which are by default stored into web.config file, however Voiceworx gives an option to store them at a more secure place like AWS secrets manager and this document guides you to configure it.
This should be done before the VoiceWorx application is installed on the EC2 instance.
AWS Account with administrative access.
Remote access to the EC2 Instance (Microsoft Windows)
The voiceworx application uses certain AWS resources and as a best practice, instead of using credentials, it’s recommended to assign required permission to the EC2 instance via an IAM role.
Login to the AWS console and navigate to the Identity and Access Management (IAM) and choose Policies – as shown in the below screenshot.
Once clicked, you will be on the Policies dashboard and should see an option/button to Create Policy – as shown in the below screenshot. Click on it.
Now, you are on create policy interface. There should be two options, Visual Editor and JSON. Click on JSON and you should see an interface as shown below.
In the JSON editor, copy and paste the following code.
Once entered, click on the Next button.
Click on next until you see a Review policy screen as shown below.
Enter the name and optional Description and click on Create Policy button and policy is ready to use.
Note that in this policy, we are giving permissions to the S3, ElastiCache and Secrets Manager. If you notice any additional service like Lambda, then it’s selected as it’s a dependant service and permission is required.
To create a role, navigate to the Identity and access Management (IAM) > Roles.
As shown in the below screenshot,
Select type of trusted entity = AWS Service.
Choose a use case = EC2.
And then click on Next button
Once you click on next, you need to select a policy.
Search for the policy that you have already created in the previous step and select it.
click on next till you get review screen.
Enter the name and optional description and click on the Create role button and Role should get created.
Go to the EC2 dashboard, select the EC2 instance that is going to run VoiceWorx platform and click on Actions menu > Security > Modify IAM Role as shown in the below screenshot.
Select the role that we have created in the previous step and click on the Save button
Click on save and the role should be assigned to the selected EC2 instance.
Use command line utility called SmartOffice.Configuration.exe
C:\VoiceWorx> SmartOffice.Configuration.exe secrets us-east-1
Arguments:
First argument should be “secrets”
This represents Secrets Manager to be configured
Second Argument should be a valid AWS Region. Secrets Manager will be configured in that region.
Help:
You can use help command
C:\VoiceWorx> SmartOffice.Configuration.exe help
This should show you information on how to use the utility.
Input JSON (secrets)
Below is a sample input json
{
"key1": "Value1",
"key2": "value2",
"CryptoEncryptionKey": "CryptoKey234345746d6c37b0a63",
"MongoDbCon": "mongodb://…...;authSource=admin",
"OktaDomain": "https://CustomerDomain.okta.com"
}
These key-value pairs will be created as part of the secret into the secrets manager.
Once done, you can see a Secret named VoiceWorx into the Secrets Manager Dashboard. Below is a screen shot for the reference.
Logs
If you find any issue or think the utility did not work as expected, there might be something wrong like a permission issue.
The command line utility generates logs which may help for identifying and fixing the issue.
You should see a Logs folder in the same location of the exe. and individual logs files should be inside the Logs folder.
Congratulations!
You have successfully configured Secrets Manager for the VoiceWorx Application
Click on the create role button.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Action": "elasticache:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "elasticache.amazonaws.com"
}
}
},
{
"Action": [
"secretsmanager:*",
"kms:*",
"lambda:ListFunctions",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"redshift:DescribeClusters",
"tag:GetResources"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"lambda:*"
],
"Effect": "Allow",
"Resource": "arn:aws:lambda:*:*:function:SecretsManager*"
},
{
"Action": [
"serverlessrepo:CreateCloudFormationChangeSet",
"serverlessrepo:GetApplication"
],
"Effect": "Allow",
"Resource": "arn:aws:serverlessrepo:*:*:applications/SecretsManager*"
}
]
}