GCP Secrets Manager

Configuring InsightCloudSec to Authenticate Using Secrets Manager

InsightCloudSec has the ability to use the Google Cloud Platform (GCP) Secret Manager to authenticate into SQL storage. It also has the ability to use the Secret Manager to authenticate into Memorystore.

This feature lets a user create a Secret in GCP Secret Manager containing the credentials of the SQL instance hosting the InsightCloudSec database (or of the Memorystore instance hosting the Redis data for InsightCloudSec), and lets InsightCloudSec pull those credentials using a Service Account.

Prerequisites for SQL

To use Secrets Manager authentication for your SQL database, you will need the following:

  • A SQL database containing the divvy and divvykeys databases.
  • Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
  • A properly configured prod.env file on each instance running InsightCloudSec.

Prerequisites for Memorystore

To use Secrets Manager authentication for your Memorystore instance, you will need the following:

  • A Memorystore instance.
  • Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
  • A properly configured prod.env file on each instance running DivvyCloud.

Steps for Using Secret Manager

Note: Before you get started you will need to ensure that the Secret Manager API is enabled.

1. Log in as an Admin to the GCP console in the account where your SQL database exists.

2. Navigate to the "Secret Manager" located under the Security section of the navigation.

3. Click "Create Secret" to launch the form and complete the details.


Create New GCP Secret

  • Add "Name"
  • Add "Secret Value" (example below)
  • Select "Regions" - these are the regions that your GCP instances are running in
  • Labels - (optional)

4. Click "Create Secret".

5. Modify the prod.env file on each InsightCloudSec instance.

  • Note: This step is completed outside of the GCP Console. The prod.env files are located in the folder in which InsightCloudSec resides.

All environment information for the Primary and Secure databases can be replaced with a single variable. Be sure to update the value of region with the region where your Secret is stored in GCP.

Value Names (DivvyCloud vs. InsightCloudSec)

Some values specified on this page use our former product name (DivvyCloud vs. InsightCloudSec).

Updates to the naming of these configuration components will be communicated when changes are made.

# MySQL 5.7 Primary database
DIVVY_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

# Redis
DIVVY_REDIS_HOST=10.10.0.3
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys

# Uncomment and adjust the below values if behind a proxy. Please note that
# 169.254.169.254 is used for AWS STS AssumeRole.
#http_proxy=http://proxy.acmecorp.com:8000
#https_proxy=http://proxy.acmecorp.com:8000
#no_proxy=mysql,redis,169.254.169.254
# May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
#REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

The prod.env file shown above is what you want to have after the update. The original file (shown below) is an example of a prod.env as it typically appears before the update.

# MySQL 5.7 Primary database
DIVVY_DB_HOST=10.0.0.3
DIVVY_DB_PORT=3306
DIVVY_DB_USERNAME=divvy
DIVVY_DB_PASSWORD=yourpasswordhere

# MySQL 5.7 Secure database
DIVVY_SECRET_DB_HOST=10.0.0.3
DIVVY_SECRET_DB_PORT=3306
DIVVY_SECRET_DB_USERNAME=divvy
DIVVY_SECRET_DB_PASSWORD=yourpasswordhere

# Redis
DIVVY_REDIS_HOST=10.10.0.3
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys

# Uncomment and adjust the below values if behind a proxy. Please note that
# 169.254.169.254 is used for AWS STS AssumeRole.
#http_proxy=http://proxy.acmecorp.com:8000
#https_proxy=http://proxy.acmecorp.com:8000
#no_proxy=mysql,redis,169.254.169.254
# May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
#REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

If you are storing Memorystore Redis values in Secrets Manager, replace the following values:

# add:
DIVVY_REDIS_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

# comment out:
#DIVVY_REDIS_HOST=10.10.0.3
#DIVVY_REDIS_PORT=6379
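The prod.env edits in step 5 are easy to get half right: the provider variable is added but the plaintext host, username and password lines are left active, so the credentials still sit on disk on every instance. The following preflight check is an added example, not InsightCloudSec product code, and it assumes nothing beyond what the page shows: it parses a prod.env, splits DIVVY_SECRETS_PROVIDER_CONFIG and DIVVY_REDIS_SECRETS_PROVIDER_CONFIG into provider and options, confirms region= and secret_name= are present, and reports plaintext settings that should have been removed or commented out. The sample prod.env embedded at the bottom is constructed for the demonstration.

```python
"""Preflight check for an InsightCloudSec prod.env that was switched to GCP Secret Manager.

Added example; not InsightCloudSec product code. Run it on each instance before
restarting the service: python3 check_prod_env.py (edit the sample or read the
real file into check_env()).
"""
from typing import Dict, List, Tuple

# Plaintext settings that the provider variable replaces. DIVVY_DB_NAME and
# DIVVY_SECRET_DB_NAME are required ("do not modify") and therefore not listed.
DB_PLAINTEXT = (
    "DIVVY_DB_HOST", "DIVVY_DB_PORT", "DIVVY_DB_USERNAME", "DIVVY_DB_PASSWORD",
    "DIVVY_SECRET_DB_HOST", "DIVVY_SECRET_DB_PORT",
    "DIVVY_SECRET_DB_USERNAME", "DIVVY_SECRET_DB_PASSWORD",
)
REDIS_PLAINTEXT = ("DIVVY_REDIS_HOST", "DIVVY_REDIS_PORT")


def parse_env(text: str) -> Dict[str, str]:
    """Return the active KEY=VALUE pairs; blank and '#' (commented-out) lines are skipped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def parse_provider_config(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'GCPServiceAccount,region=us-east1,secret_name=x' into
    ('GCPServiceAccount', {'region': 'us-east1', 'secret_name': 'x'})."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty provider config")
    options: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"option {part!r} is not key=value")
        key, val = part.split("=", 1)
        options[key.strip()] = val.strip()
    return parts[0], options


def check_env(text: str) -> List[str]:
    """Return findings for the database and Redis sections; an empty list means consistent."""
    env = parse_env(text)
    findings: List[str] = []
    sections = (
        ("DIVVY_SECRETS_PROVIDER_CONFIG", DB_PLAINTEXT, "database"),
        ("DIVVY_REDIS_SECRETS_PROVIDER_CONFIG", REDIS_PLAINTEXT, "Redis"),
    )
    for provider_key, plaintext_keys, what in sections:
        if provider_key not in env:
            # No provider configured: the plaintext settings must then be complete.
            missing = [k for k in plaintext_keys if k not in env]
            if missing:
                findings.append(f"{what}: no {provider_key} and missing {', '.join(missing)}")
            continue
        try:
            provider, opts = parse_provider_config(env[provider_key])
        except ValueError as exc:
            findings.append(f"{what}: {provider_key} unparsable ({exc})")
            continue
        if provider != "GCPServiceAccount":
            findings.append(f"{what}: unexpected provider {provider!r}")
        for required in ("region", "secret_name"):
            if not opts.get(required):
                findings.append(f"{what}: {provider_key} lacks {required}=")
        # Credentials left active in the file defeat the purpose of Secret Manager.
        leftover = [k for k in plaintext_keys if k in env]
        if leftover:
            findings.append(f"{what}: remove or comment out {', '.join(leftover)}")
    return findings


# Constructed sample: the database section was migrated correctly, but the Redis
# host/port were left active next to the new Redis provider variable.
SAMPLE_ENV = """\
# MySQL 5.7 Primary database
DIVVY_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials
#DIVVY_DB_PASSWORD=yourpasswordhere

# Redis
DIVVY_REDIS_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials
DIVVY_REDIS_HOST=10.10.0.3
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys
"""

if __name__ == "__main__":
    for finding in check_env(SAMPLE_ENV) or ["OK: no findings"]:
        print(finding)
```

Running the script on the sample reports only the Redis section, because the database plaintext lines are commented out while DIVVY_REDIS_HOST and DIVVY_REDIS_PORT are still active. Once the check is clean, the remaining thing it cannot verify offline is whether the instance's Service Account can actually read the named secret in the given region; confirm that before restarting InsightCloudSec.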