AWS Secrets Manager

Single-command setup:

We built a script that handles all the AWS setup for you in a single command. You can run the whole process by pasting it into your terminal. The result will be the AWS credentials you need to provide to Runops:

curl -sL https://runops.page.link/create-secret-and-user > aws-setup.sh
source aws-setup.sh runops-demo-db \
'{"MYSQL_HOST":"10.118.129.3","MYSQL_USER":"demo-user","MYSQL_PASS":"GtK23d<ejkLy0ST2","MYSQL_DB":"demo"}'

Step by step setup:

These steps reproduce what the one-line script does for you.

Use these steps as an alternative to the single-command setup.

You must run all these commands in the same terminal window, because some commands save values in shell variables that later commands use.

1. First we add the credentials of our database to the Secrets Manager:

# this is a working demo database
SECRET_ARN=$(aws secretsmanager create-secret \
  --name mysql-target-prod \
  --description "mysql credentials for production" \
  --secret-string '{"MYSQL_HOST":"10.118.129.3","MYSQL_USER":"demo-user","MYSQL_PASS":"GtK23d<ejkLy0ST2","MYSQL_DB":"demo"}' | jq -r ".ARN")

2. Then we need to provide a way for the agent to read this secret when running Tasks:

Let's create a user in AWS for Runops:

aws iam create-user --user-name runops
# jq prints both values on one line so that read can split them into the two variables
read -r AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID < <(aws iam create-access-key --user-name runops | jq -r '.AccessKey | "\(.SecretAccessKey) \(.AccessKeyId)"')

Then we need a policy that enables this user to read the credentials:

RUNOPS_POLICY=$(aws iam create-policy --policy-name runops2 --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "'"$SECRET_ARN"'"
    }
  ]
}' | jq -r ".Policy.Arn")

And lastly we attach this policy to the user:

aws iam attach-user-policy --policy-arn "$RUNOPS_POLICY" --user-name runops
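
The policy step splices `$SECRET_ARN` into the policy JSON, so an empty or malformed value saved in step 1 ends up in the `Resource` field. As an added example (not part of the Runops script; `valid_secret_arn` and `policy_for_secret` are hypothetical helpers and the sample ARN is constructed), this POSIX shell guard checks the saved ARN before building the policy:

```shell
# Added example, not Runops code. Helper names are hypothetical.

# Succeeds only for one complete secret ARN:
#   arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>-<6 chars>
# The body runs in a subshell so its variables do not leak into your terminal.
valid_secret_arn() (
    arn=$1
    # Fail closed on empty values and on anything outside the ARN alphabet:
    # wildcards (* ?), quotes, whitespace and newlines are all rejected here.
    case $arn in
        ''|*[!A-Za-z0-9:/_+=.@-]*) exit 1 ;;
    esac
    IFS=: read -r prefix partition service region account rtype name <<EOF
$arn
EOF
    [ "$prefix" = arn ] || exit 1
    case $partition in aws|aws-cn|aws-us-gov) ;; *) exit 1 ;; esac
    [ "$service" = secretsmanager ] || exit 1
    case $region in ''|*[!a-z0-9-]*) exit 1 ;; esac
    case $account in *[!0-9]*) exit 1 ;; esac
    [ "${#account}" -eq 12 ] || exit 1
    [ "$rtype" = secret ] || exit 1
    # The name must end in "-" plus the 6-character suffix Secrets Manager appends.
    case $name in
        *:*) exit 1 ;;
        ?*-[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]) exit 0 ;;
    esac
    exit 1
)

# Prints the page's GetSecret policy for one validated ARN, or fails without output.
policy_for_secret() {
    valid_secret_arn "$1" || { echo "refusing: not a complete secret ARN: '$1'" >&2; return 1; }
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "GetSecret",
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "$1"
  }]
}
EOF
}

# Constructed sample ARN (account id and suffix are made up); use "$SECRET_ARN" in the walkthrough.
SAMPLE_ARN='arn:aws:secretsmanager:us-east-1:123456789012:secret:mysql-target-prod-AbCdEf'
policy_for_secret "$SAMPLE_ARN"
```

To use it in the policy step, pass `"$(policy_for_secret "$SECRET_ARN")"` as the `--policy-document` value.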

Tying it all together

The agent requires configuration values from your Secrets Manager setup and the values that link it to your Runops account. After finishing the credentials configuration of your Secrets Manager above, you should have all the values for this step. Let's export the variables with the required configuration to make your deployment easier:

#Runops config
TOKEN='GET IT IN THE RUNOPS DASHBOARD'
AWS_REGION=us-east-1