With Automox Secrets Storage, you can securely store and retrieve secrets (passwords, API keys, etc.) so that you can use them to execute Worklet policies without them being stored or exposed in plain text to any user.
Learn how to add, edit, and remove secrets, and associate them with worklet policies.
Prerequisites:
You have global administrator, zone administrator, or zone operator privileges for the zone that you want to manage secrets for.
Your zone is under a plan that includes worklets.
Note:
Secrets are currently compatible with worklet policies.
You can use secrets in both PowerShell and Bash scripts.
Accessing Secrets Management
You can add, edit, and delete secrets from the Secrets & Keys page. In the Automox console, go to Settings at the top of the console and select Secrets & Keys. For details about keys, refer to Managing Keys.
Adding a Secret
You can add secrets to each of your zones. When you create worklet policies, you can use secrets to conceal sensitive information such as passwords or keys.
Note:
The Secret Name must be unique.
The character limit is 255 characters.
The maximum number of secrets within an organization is 1000.
You can add a maximum of 8 secrets at the same time. A maximum of 10 secrets can be associated with a single policy.
To add secrets, follow these steps:
From the Secrets Management page, click Add Secret.
Add a zone secret by entering a Secret Name and Value for the secret. These are required fields.
To check the value you entered, click the eye icon.
Optionally, you can add a description.
To add more secrets, click + Add Secret and repeat the previous steps.
Click Save Secrets.
Updating a Secret
You can update secrets in any zone you have access to.
From the Secrets Management page, find the secret you want to update.
Click Edit.
You can only modify the Description or the Value.
Note: It is not possible to change the Secret Name after it has been created.
Click Save.
Viewing Secrets
The following information is available from the Secrets Management page.
Table Column | Column Description |
Secret Name | The unique name for the secret you created. The character limit is 255. |
Description | Enter a description for the secret, but do not use the actual value of the secret. |
Date Updated | Date and time any changes to the description or value were last made. |
Associated Policies | Shows the number of associated policies. Click a number to view a list of associated policies, which allows you to link to a policy itself. |
Actions | You can select from these options: |
Deleting a Secret
Follow these steps to remove a secret from a zone.
From the Secrets Management page, find the secret you want to remove.
Click Delete to remove the secret.
If the secret has no associated policies, you can delete the secret in the dialog window that appears and it is removed from the list.
If the secret is associated with a policy, see Deleting Secrets Associated With a Worklet Policy.
Deleting Secrets Associated With a Worklet Policy
This section describes how to delete a secret when it is referenced within a worklet policy.
On the Secrets Management page, a number in the Associated Policies column means that the secret is associated with a worklet policy: a worklet exists that uses an environment variable in its code that references the secret. Refer to Using Secrets in a Worklet Policy.
In this scenario, there are two options to delete a secret from the Secrets Management page.
Delete any variables from all policies that reference the secret. The policies remain intact.
Delete any policies that reference the secret, then the secret can be deleted.
From the Secrets Management page, find the secret you want to remove.
Click Delete to remove the secret.
If the secret is associated with a worklet, a list of associated policies appears.
You must remove any association with policies before you can delete the secret. Click the name of the policy to open the policy page.
Go to the list of Inputs where variables reference secrets within the policy.
Find the variable that references the secret that you want to remove and click delete (x). Note: Make sure to update any code that uses the variable.
Save the policy.
Repeat for each policy that the secret is associated with.
Return to the Secrets Management page. When there are no more policies associated with the secret, the number in the Associated Policies column shows 0.
Click Delete to remove the secret from the zone.
Using Secrets in a Worklet Policy
To securely use a secret within a worklet policy, you must add an environment variable that references the secret. This is done from the worklet policy page. Go to Manage > Policies to create or edit a worklet policy.
Adding a Variable to a Worklet Policy
This describes how to add variables to a worklet policy.
From the Create Worklet or Edit Worklet page, go to Inputs.
Click Add Input.
Enter a name in the Variable Name field to associate the secret with.
The variable name must contain at least 3 characters, must start with a letter, and only use alphanumeric characters or underscores (for example, api_key_1).
Click the Select Zone Secret drop-down menu to select an appropriate secret that you previously created on the Secrets Management page.
To add more variables, click Add Input.
Use the variable name(s) in the code of your worklet. This variable references the secret, but never reveals the contents.
Make any other required changes to the worklet and save the policy.
Editing Variables
This describes how to edit variables that are part of a worklet policy.
From Manage > Policies, go to the worklet that you want to edit variables for.
From the list of Inputs, find the variable that you want to edit.
You can edit the Variable Name, as needed.
If you edit the variable name, ensure that the use of the variable in the code matches any changes that were made.
You can change the secret from the Select Zone Secret drop-down menu.
If you do not see the secret you want to use, you must create it from the Secrets Management page in the same zone where the worklet policy is.
After making any changes, save the policy.
Mapping Variables to the Worklet Policy
The following examples show how variables can be directly or indirectly mapped in a worklet policy.
There are two ways of mapping variables into the code:
Mapping Variables Method 1:
You can reference input variables the same as any other Bash/PowerShell variables by using the $ sign. For example: $CUSTOM_TOKEN
[Screenshot: Input selection]
[Screenshot: Explicitly calling variables into the code using the $ sign]
Mapping Variables Method 2:
It is also possible to use environment variables indirectly. For example, the AWS CLI expects environment variables with credentials to already exist. The variables are exported to PowerShell/Bash, so the script does not need to reference them directly by using the $ sign (for example, $VARIABLE_NAME).
[Screenshot: Input selection]
[Screenshot: Explicitly calling variables into the code using the $ sign]
[Screenshot: Indirect call to the variables]
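As an added example (not Automox code and not part of the original article), the following shell worklet fragment covers both mapping methods: it checks that the inputs exist without printing their values, hands $CUSTOM_TOKEN to curl on stdin instead of the command line, and masks the secret in any output the script emits. The endpoint URL, the helper function names, and the use of the AWS credential variables as Method 2 inputs are assumptions.

```shell
# Added example, not Automox code. CUSTOM_TOKEN is the page's sample input;
# the URL is a placeholder and the helper names are hypothetical.

# Page's Variable Name rule: 3+ chars, leading letter, then [A-Za-z0-9_].
valid_input_name() {
  [ "${#1}" -ge 3 ] || return 1
  case $1 in [!A-Za-z]* | *[!A-Za-z0-9_]*) return 1 ;; esac
}

# Return 1 if a named input is unset or empty; report names, never values.
# Each name is validated before it reaches eval.
require_inputs() {
  _missing=0
  for _name in "$@"; do
    valid_input_name "$_name" || { echo "bad input name: $_name" >&2; return 2; }
    eval "_val=\${$_name-}"
    [ -n "$_val" ] || { echo "missing input: $_name" >&2; _missing=1; }
  done
  unset _val
  return "$_missing"
}

# curl config for stdin (curl --config -): keeps the token out of the process
# argument list. Assumes the token contains no '"' or '\'.
curl_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$CUSTOM_TOKEN"
  printf 'url = "%s"\n' "$1"
}

# Filter stdin, replacing literal occurrences of the named exported input.
# awk reads the value from its environment, not from argv.
mask_input() {
  awk -v n="$1" 'BEGIN { s = ENVIRON[n] }
    s == "" { print; next }
    { out = ""
      while ((i = index($0, s)) > 0) {
        out = out substr($0, 1, i - 1) "[REDACTED]"; $0 = substr($0, i + length(s)) }
      print out $0 }'
}

# Method 1 expands $CUSTOM_TOKEN directly; the Method 2 inputs are only checked,
# because the AWS CLI reads them from the environment itself.
worklet_main() {
  { set +x; } 2>/dev/null   # do not trace lines that expand secrets
  require_inputs CUSTOM_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY || return 1
  curl_config "https://api.example.invalid/v1/status" |
    curl --silent --show-error --config - 2>&1 | mask_input CUSTOM_TOKEN
  aws sts get-caller-identity 2>&1 | mask_input AWS_SECRET_ACCESS_KEY
}
```

Call worklet_main at the end of the worklet code; it returns 1 before any network call if an input is missing from the policy's Inputs list.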
Deleting Variables
You can remove any variables from the worklet policy list of Inputs by clicking x to delete it.
Note: If you delete a variable, ensure that it is not referenced in any script that is part of the worklet policy.