AWS Secrets Manager Overview
Learn how to use AWS Secrets Manager as a secret store for the Nano Agent Registration Code. This guide assumes you are familiar with AWS, IAM, and EKS and how the three interact.
The Spyderbat Nano Agent registration code is a unique alphanumeric string that associates the installed Nano Agents with your organization and its data in the Spyderbat backend. The registration code is visible in the Spyderbat UI only to users in your organization with the relevant permissions (see our article on User Roles and Permissions for more info).
You may choose to store your organization's Nano Agent Registration Code in AWS Secrets Manager, either to support automated agent deployment or to comply with required internal processes. In that case, follow the steps below.
First, store the registration key in Secrets Manager and get its ARN:
aws secretsmanager create-secret --name <name> --region <region>
aws secretsmanager put-secret-value --secret-id <name> --region <region> --secret-string "{\"spyderbat-registration-key\":\"<key>\"}"
aws secretsmanager get-secret-value --secret-id <name> --region <region>
Next, create an IAM policy that allows GetSecretValue and DescribeSecret on that secret. After that, add the AWS Secrets Store CSI driver to your cluster if it is not already available:
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set syncSecret.enabled=true
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
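One way to create the IAM policy described above, scoped to the single secret rather than to all secrets in the account. This is an added example, not part of the original guide or Spyderbat's code; the function names and the policy name `spyderbat-registration-read` are hypothetical.

```shell
#!/bin/sh
# Added example (not Spyderbat's code): build a least-privilege IAM policy for
# the registration-code secret. The policy name used below is a placeholder.

# Print a policy document that grants only the two read actions named in the
# guide, on exactly one secret. Wildcards and characters that could break out
# of the JSON string are rejected, so the policy cannot widen by accident.
render_secret_policy() {
  case "$1" in
    *'*'*|*'?'*|*'"'*|*'\'*|*' '*)
      echo "refusing: wildcard or unsafe character in ARN: $1" >&2
      return 1 ;;
    arn:aws*:secretsmanager:*:*:secret:?*) ;;
    *)
      echo "refusing: not a Secrets Manager secret ARN: $1" >&2
      return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "$1"
    }
  ]
}
EOF
}

# Create the managed policy and print its ARN, which is the <policy_arn>
# passed to eksctl. Requires the AWS CLI and iam:CreatePolicy permission.
create_secret_policy() {
  policy_doc=$(render_secret_policy "$2") || return 1
  aws iam create-policy \
    --policy-name "$1" \
    --policy-document "$policy_doc" \
    --query 'Policy.Arn' --output text
}

# Usage (hypothetical policy name):
#   create_secret_policy spyderbat-registration-read "<secret_arn>"
```

Run `render_secret_policy "<secret_arn>"` on its own first to review the document before creating the policy.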
Create a role that has the above-mentioned policy attached and is federated to your EKS cluster (see associate-iam-oidc-provider):
eksctl create iamserviceaccount --name spyderbat-serviceaccount --region="<region>" --cluster "<cluster_name>" --attach-policy-arn "<policy_arn>" --approve --namespace spyderbat
eksctl get iamserviceaccount --name spyderbat-serviceaccount --region="<region>" --cluster "<cluster_name>" --namespace spyderbat
Now that you have all those values, you can install the Nano Agent Helm chart so that it references that secret and mounts it accordingly. You can supply the values below either in your own custom values.yaml file or by overriding them with --set in the Helm CLI:
aws:
  secretsmanager:
    enabled: true
    rolearn: "<role_arn>"
    secretarn: "<secret_arn>"
helm repo add nanoagent https://spyderbat.github.io/nanoagent_helm/
helm repo update
helm install nanoagent nanoagent/nanoagent \
  --set nanoagent.orcurl="<orc_url>" \
  --namespace spyderbat \
  --create-namespace \
  --set CLUSTER_NAME="<cluster_name>"
The steps above represent one way to accomplish this task. If you have any questions, feel free to contact us at [email protected].
Last modified 3mo ago