GCP Secrets Manager
InsightCloudSec can use Google Cloud Platform (GCP) Secret Manager to authenticate to its SQL storage, and likewise to authenticate to Memorystore.
With this feature you create a Secret in GCP Secret Manager that holds the credentials of the SQL instance hosting the InsightCloudSec database (or of the Memorystore instance hosting the InsightCloudSec Redis data), and InsightCloudSec pulls those credentials using a Service Account.
Prerequisites for SQL
To use Secret Manager authentication for your SQL database, you will need the following:
- An SQL Database with a divvy and a divvykeys database.
- Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
- A properly configured prod.env file on each instance running InsightCloudSec.
Prerequisites for Memorystore
To use Secret Manager authentication for your Memorystore instance, you will need the following:
- A Memorystore instance.
- Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
- A properly configured prod.env file on each instance running InsightCloudSec.
Steps for Using Secret Manager
Note: Before you get started, ensure that the Secret Manager API is enabled.
1. Log in as an Admin to the GCP console in the account where your SQL database exists.
2. Navigate to "Secret Manager", located under the Security section of the navigation.
3. Click "Create Secret" to launch the form and complete the details.
- Add "Name"
- Add "Secret Value" (example below)
- Select "Regions" - the regions in which your GCP instances are running
- Labels - (optional)
4. Click "Create Secret".
5. Modify the prod.env file on each InsightCloudSec instance.
- Note: This step is completed outside of the GCP Console. The prod.env files are located in the folder in which InsightCloudSec resides.
All environment information for the Primary and Secure databases can be replaced with a single variable. Be sure to update the value of region with the region where your Secret is stored in GCP.
Product name to be replaced
You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.
prod.env
```
# MySQL 5.7 Primary database
DIVVY_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

# Redis
DIVVY_REDIS_HOST=10.10.0.3
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys

# Uncomment and adjust the below values if behind a proxy. Please note that
# 169.254.169.254 are used for AWS STS AssumeRole.
#http_proxy=http://proxy.acmecorp.com:8000
#https_proxy=http://proxy.acmecorp.com:8000
#no_proxy=mysql,redis,169.254.169.254
# May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
#REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```
The prod.env file above is what you want to have after the update. The original file (shown below) is an example of a prod.env as it typically appears before the update.
prod.env
```
# MySQL 5.7 Primary database
DIVVY_DB_HOST=10.0.0.3
DIVVY_DB_PORT=3306
DIVVY_DB_USERNAME=divvy
DIVVY_DB_PASSWORD=yourpasswordhere

# MySQL 5.7 Secure database
DIVVY_SECRET_DB_HOST=10.0.0.3
DIVVY_SECRET_DB_PORT=3306
DIVVY_SECRET_DB_USERNAME=divvy
DIVVY_SECRET_DB_PASSWORD=yourpasswordhere

# Redis
DIVVY_REDIS_HOST=10.10.0.3
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys

# Uncomment and adjust the below values if behind a proxy. Please note that
# 169.254.169.254 are used for AWS STS AssumeRole.
#http_proxy=http://proxy.acmecorp.com:8000
#https_proxy=http://proxy.acmecorp.com:8000
#no_proxy=mysql,redis,169.254.169.254
# May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
#REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```
If you are storing Memorystore Redis values in Secret Manager, replace the following values:
prod.env
```
# add:
DIVVY_REDIS_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

# comment out:
#DIVVY_REDIS_HOST=10.10.0.3
#DIVVY_REDIS_PORT=6379
```
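As an added check (example code, not part of InsightCloudSec or its documentation), the script below lints a prod.env after the SQL or Memorystore edits above: it parses the DIVVY_SECRETS_PROVIDER_CONFIG / DIVVY_REDIS_SECRETS_PROVIDER_CONFIG value, confirms region and secret_name are present, and flags any plaintext host or password variables that were left active instead of being removed or commented out. The variable names come from this page; the validation rules and the region pattern are this example's assumptions.

```python
"""Lint an InsightCloudSec prod.env after moving credentials to GCP Secret Manager.

Added example; variable names are from the documentation, the rules are assumptions.
"""
import re

# Plaintext settings the provider config replaces (from the page's before/after files).
SQL_PLAINTEXT = {"DIVVY_DB_HOST", "DIVVY_DB_PORT", "DIVVY_DB_USERNAME", "DIVVY_DB_PASSWORD",
                 "DIVVY_SECRET_DB_HOST", "DIVVY_SECRET_DB_PORT",
                 "DIVVY_SECRET_DB_USERNAME", "DIVVY_SECRET_DB_PASSWORD"}
REDIS_PLAINTEXT = {"DIVVY_REDIS_HOST", "DIVVY_REDIS_PORT"}
REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")  # e.g. us-east1 (assumed shape of a GCP region)

def parse_env(text):
    """Return the active (uncommented) KEY=VALUE pairs; '#' lines are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env

def parse_provider_config(value):
    """Parse 'GCPServiceAccount,region=us-east1,secret_name=...' into a dict."""
    provider, *opts = value.split(",")
    cfg = {"provider": provider}
    for opt in opts:
        k, _, v = opt.partition("=")
        cfg[k.strip()] = v.strip()
    return cfg

def lint_prod_env(text):
    """Return a list of findings; an empty list means the file is consistent."""
    env = parse_env(text)
    findings = []
    for var, plaintext in (("DIVVY_SECRETS_PROVIDER_CONFIG", SQL_PLAINTEXT),
                           ("DIVVY_REDIS_SECRETS_PROVIDER_CONFIG", REDIS_PLAINTEXT)):
        if var not in env:
            continue  # this backend is not using Secret Manager; nothing to check
        cfg = parse_provider_config(env[var])
        if cfg["provider"] != "GCPServiceAccount":
            findings.append(f"{var}: unexpected provider {cfg['provider']!r}")
        for required in ("region", "secret_name"):
            if not cfg.get(required):
                findings.append(f"{var}: missing {required}")
        if cfg.get("region") and not REGION_RE.match(cfg["region"]):
            findings.append(f"{var}: region {cfg['region']!r} does not look like a GCP region")
        # Plaintext credentials left active defeat the point of moving them into a Secret.
        for leftover in sorted(plaintext & env.keys()):
            findings.append(f"{var}: {leftover} is still set in plaintext; remove or comment it out")
    return findings
```

Run it with `lint_prod_env(open("prod.env").read())` on each instance; an empty result means the provider line is well-formed and no plaintext credentials remain active.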