GCP Secret Manager

InsightCloudSec can use Google Cloud Platform (GCP) Secret Manager to authenticate to its SQL storage, and it can use Secret Manager to authenticate to Memorystore as well.

This feature lets you create a Secret in GCP Secret Manager that holds the credentials of the SQL instance hosting the InsightCloudSec database (or of the Memorystore instance hosting the InsightCloudSec Redis data); InsightCloudSec then pulls those credentials using a Service Account instead of reading them from a plaintext configuration file.

Prerequisites for SQL

To use Secret Manager authentication for your SQL database, you will need the following:

  • A SQL database containing the divvy and divvykeys databases.
  • Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
  • A properly configured prod.env file on each instance running InsightCloudSec.

Prerequisites for Memorystore

To use Secret Manager authentication for your Memorystore instance, you will need the following:

  • A Memorystore instance.
  • Compute Engine instances that use a Service Account with at least the "Secret Manager Viewer" role.
  • A properly configured prod.env file on each instance running InsightCloudSec.

Steps for Using Secret Manager

Note: Before you get started, ensure that the Secret Manager API is enabled in the project.

1. Log in to the GCP console as an Admin in the account where your SQL database exists.

2. Navigate to the "Secret Manager" located under the Security section of the navigation.

3. Click "Create Secret" to launch the form and complete the details.

  • Add "Name"
  • Add "Secret Value" (example below)
  • Select "Regions" - the regions in which your GCP instances are running
  • Labels - (optional)

4. Click "Create Secret".

5. Modify the prod.env file on each InsightCloudSec instance.

  • Note: This step is completed outside of the GCP Console. The prod.env files are located in the folder in which InsightCloudSec resides.

All connection settings for the Primary and Secure databases are replaced by a single variable, DIVVY_SECRETS_PROVIDER_CONFIG. Be sure to set its region value to the region where your Secret is stored in GCP.

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.

prod.env

    # MySQL 5.7 Primary database
    DIVVY_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

    # Redis
    DIVVY_REDIS_HOST=10.10.0.3
    DIVVY_REDIS_PORT=6379

    # Divvy Required - do not modify
    VIRTUAL_ENV=/
    DIVVY_DB_NAME=divvy
    DIVVY_SECRET_DB_NAME=divvykeys

    # Uncomment and adjust the below values if behind a proxy. Please note that
    # 169.254.169.254 is used for AWS STS AssumeRole.
    #http_proxy=http://proxy.acmecorp.com:8000
    #https_proxy=http://proxy.acmecorp.com:8000
    #no_proxy=mysql,redis,169.254.169.254
    # May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
    #REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

The prod.env file above is what you should have after the update. The original file (shown below) is an example of a typical prod.env before the update, with the database credentials stored in plaintext.

prod.env

    # MySQL 5.7 Primary database
    DIVVY_DB_HOST=10.0.0.3
    DIVVY_DB_PORT=3306
    DIVVY_DB_USERNAME=divvy
    DIVVY_DB_PASSWORD=yourpasswordhere

    # MySQL 5.7 Secure database
    DIVVY_SECRET_DB_HOST=10.0.0.3
    DIVVY_SECRET_DB_PORT=3306
    DIVVY_SECRET_DB_USERNAME=divvy
    DIVVY_SECRET_DB_PASSWORD=yourpasswordhere

    # Redis
    DIVVY_REDIS_HOST=10.10.0.3
    DIVVY_REDIS_PORT=6379

    # Divvy Required - do not modify
    VIRTUAL_ENV=/
    DIVVY_DB_NAME=divvy
    DIVVY_SECRET_DB_NAME=divvykeys

    # Uncomment and adjust the below values if behind a proxy. Please note that
    # 169.254.169.254 is used for AWS STS AssumeRole.
    #http_proxy=http://proxy.acmecorp.com:8000
    #https_proxy=http://proxy.acmecorp.com:8000
    #no_proxy=mysql,redis,169.254.169.254
    # May be needed if proxy is performing MITM operations. This tells the local container where to expect the update to the CA bundle.
    #REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

If you are also storing the Memorystore Redis values in Secret Manager, make the following changes to prod.env:

prod.env

    # add:
    DIVVY_REDIS_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials

    # comment out:
    #DIVVY_REDIS_HOST=10.10.0.3
    #DIVVY_REDIS_PORT=6379
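As an added example (not part of the InsightCloudSec documentation or product), the following Python check parses the DIVVY_SECRETS_PROVIDER_CONFIG and DIVVY_REDIS_SECRETS_PROVIDER_CONFIG values from a prod.env and flags any plaintext host, username or password settings left active alongside them, which is the most common mistake when hand-editing the files above. It assumes only the variable names and the provider,key=value format shown on this page; the sample file is constructed.

```python
# Constructed sample (not from the docs): the "after" prod.env from above, with one
# forgotten plaintext password line left in place.
SAMPLE_PROD_ENV = """\
# MySQL 5.7 Primary database
DIVVY_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials
DIVVY_DB_PASSWORD=yourpasswordhere
# Redis
DIVVY_REDIS_SECRETS_PROVIDER_CONFIG=GCPServiceAccount,region=us-east1,secret_name=divvycloud-credentials
#DIVVY_REDIS_HOST=10.10.0.3
#DIVVY_REDIS_PORT=6379
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys
"""

# Plaintext settings that each provider config replaces (see the "before" file above).
PLAINTEXT_DB_KEYS = {f"DIVVY_{p}DB_{s}" for p in ("", "SECRET_")
                     for s in ("HOST", "PORT", "USERNAME", "PASSWORD")}
PLAINTEXT_REDIS_KEYS = {"DIVVY_REDIS_HOST", "DIVVY_REDIS_PORT"}

def parse_env(text):
    """Return the active (uncommented) KEY=VALUE pairs of a prod.env."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def parse_provider_config(value):
    """Split 'GCPServiceAccount,region=...,secret_name=...' into (provider, options)."""
    provider, *options = value.split(",")
    return provider, dict(opt.split("=", 1) for opt in options if "=" in opt)

def check_prod_env(text):
    """Return findings; empty means each provider config is complete and no plaintext leftovers remain."""
    env, findings = parse_env(text), []
    for cfg_key, plain_keys in (("DIVVY_SECRETS_PROVIDER_CONFIG", PLAINTEXT_DB_KEYS),
                                ("DIVVY_REDIS_SECRETS_PROVIDER_CONFIG", PLAINTEXT_REDIS_KEYS)):
        if cfg_key not in env:
            continue  # this store is still on plaintext settings; nothing to check
        provider, opts = parse_provider_config(env[cfg_key])
        if provider != "GCPServiceAccount":
            findings.append(f"{cfg_key}: unexpected provider {provider!r}")
        for required in ("region", "secret_name"):
            if not opts.get(required):
                findings.append(f"{cfg_key}: missing {required}")
        for leftover in sorted(plain_keys & set(env)):
            findings.append(f"{leftover} is still set; remove it or comment it out")
    return findings
```

Run check_prod_env on the real file contents after editing; an empty result means the provider configs are complete and no plaintext credential lines remain active.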