Configure Connection Details of Secrets Management Tools
As a security best practice, you store sensitive data such as database credentials, application credentials, authentication tokens, API keys, and other secrets in a secrets management tool. To access the tools and technologies in your cloud environments from within the Lazsa Platform, the platform must have authenticated access to your secrets management tool. You must provide the connection details of your secrets management tool in the Lazsa Platform and grant the Lazsa Platform read-only permissions in your secrets management tool.
Currently, the Lazsa Platform supports the following secrets management tools:
- AWS Secrets Manager
- Azure Key Vault
To provide the connection details of secrets management tools in the Lazsa Platform, perform these steps:
- Sign in to the Lazsa Platform and click Configuration in the left navigation pane.
- On the Platform Setup screen, on the Cloud Platform, Tools & Technologies tile, click Configure.
- On the Cloud Platform, Tools & Technologies screen, in the Vault Configuration section, click Configure. (After you save connection details for at least one secrets management tool, you see the Modify button here.)
- On the Vault Configuration screen, click the AWS Secrets Manager tile or the Azure Key Vault tile to configure the connection properties of your active accounts for these tools.
AWS Secrets Manager

To save the connection properties of your AWS Secrets Manager account, provide the following details:

| Field | Description |
| --- | --- |
| Name | Give a name to your configuration. Your AWS Secrets Manager connection details are saved by this name in the Lazsa Platform. |
| Description | Provide a description of your configuration. When you save multiple connection details in the Lazsa Platform, a brief description always helps you identify the saved connection details easily. |
| Region | AWS Region that specifies where your AWS Secrets Manager resources are managed. |
| Master AWS Account | Calibo's Master AWS Account ID is auto-populated. You need to mention this ID in the IAM role policy that you create to allow the Lazsa Platform to access your AWS Secrets Manager. If you use the CFT for IAM role policy provided by Calibo, this ID is already mentioned in the template. |
| External ID | This is the unique identifier generated by Calibo. You need to mention this ID in the IAM role policy that you create to allow the Lazsa Platform to access your AWS Secrets Manager. If you use the CFT for IAM role policy provided by Calibo, this ID is already mentioned in the template. |
| Cross Account Role ARN | After you create an IAM role and attach a policy to establish a trusted relationship between your AWS account and Calibo's account, you can provide the ARN here. |
| Download CFT | Download this CloudFormation Template provided by Calibo. This template creates an IAM role and the required policy to allow the Lazsa Platform to access your AWS Secrets Manager. |

- To password-protect your AWS Secrets Manager connection details, enable the Secure configuration details with a password option, enter a password, and then retype it to confirm. This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- Click Test Connection to check if you can connect to the configured AWS Secrets Manager account successfully.
- After you save and activate the configured connection details, you can see them listed on the Cloud Platform, Tools & Technologies screen.
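The IAM role that the CFT creates establishes a cross-account trust: Calibo's master account may assume the role only when it presents the External ID, and the role's permission policy grants read-only access to Secrets Manager. As an added example (not Calibo's CFT or any Lazsa code), the following Python builds both policy documents from placeholder values and checks the properties you would verify before entering the role ARN; the account ID, External ID and action list are assumptions, not values from this page.

```python
import json

# Placeholders (constructed): take the real values from the Vault Configuration screen.
MASTER_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

# Assumed read-only Secrets Manager actions; the real CFT defines its own list.
READ_ONLY_ACTIONS = (
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecrets",
)

def trust_policy(master_account_id, external_id):
    """Trust policy: only the master account may assume the role, and only
    when it presents the agreed External ID (guards against confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def permission_policy(actions=READ_ONLY_ACTIONS):
    """Permission policy limited to the read-only Secrets Manager actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }

def check_trust_policy(policy, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust is as expected."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {}).get("AWS", "")
        if principal == "*" or f"::{expected_account}:" not in principal:
            findings.append("principal is not the expected master account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def check_permission_policy(policy):
    """Return every action that is outside the read-only allow list."""
    extra = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        extra += [a for a in acts if a not in READ_ONLY_ACTIONS]
    return sorted(extra)

if __name__ == "__main__":
    print(json.dumps(trust_policy(MASTER_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```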
Azure Key Vault

To save the connection properties of your Azure Key Vault subscription, provide the following details:

| Field | Description |
| --- | --- |
| Name | Give a name to your configuration. Your Azure Key Vault connection details are saved by this name in the Lazsa Platform. |
| Description | Provide a description of your configuration. When you save multiple connection details in the Lazsa Platform, a brief description always helps you identify the saved connection details easily. |
| Subscription ID | A GUID that uniquely identifies your subscription to use Azure services. |
| Tenant ID | Provide the Azure Active Directory tenant ID that is used for authenticating requests to the key vault. |
| Client ID | This is the unique Application (client) ID assigned to your app by Azure AD when the app was registered. To find your Application (Client) ID in your Azure subscription, go to Azure AD > Enterprise applications > Application ID. |
| Client Secret | This is the secret string that your application uses to authenticate itself while requesting a token from Azure Key Vault. |

- To password-protect your Azure Key Vault connection details, enable the Secure configuration details with a password option, enter a password, and then retype it to confirm. This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- Click Test Connection to check if you can connect to the configured Azure Key Vault subscription successfully.
- After you save and activate the configured connection details, you can see them listed on the Cloud Platform, Tools & Technologies screen.
What's next? Configure Source Code Repository Connection Details