Commit 391b531

Added AWS SSM secret provider doc
1 parent 9b1f7f5 commit 391b531

1 file changed: +17 -1 lines changed

content/docs/Configuration/Secrets.md

Lines changed: 17 additions & 1 deletion
@@ -8,7 +8,7 @@ OpenRun supports secret management when working with apps. Secrets can be passed
88

99
## Supported Providers
1010

11-
OpenRun currently supports AWS Secrets Manager (ASM) and HashiCorp Vault as providers for secrets management. Secrets can also be read from the environment of the OpenRun server, which can be used in development and testing. Secrets can also be read from a local properties file.
11+
OpenRun currently supports AWS Secrets Manager (ASM), AWS SSM and HashiCorp Vault as providers for secrets management. Secrets can also be read from the environment of the OpenRun server, which can be used in development and testing. Secrets can also be read from a local properties file.
1212

1313
## AWS Secrets Manager
1414
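Review bot: On new line 11 the provider is introduced as "AWS SSM" with no expansion, while the section this commit adds is titled "AWS Systems Manager (SSM)" and the neighbouring entry is written "AWS Secrets Manager (ASM)". Suggest "AWS Secrets Manager (ASM), AWS Systems Manager (SSM) and HashiCorp Vault" so the provider list matches the section headings and readers can tell the two AWS services apart.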

@@ -26,6 +26,22 @@ creates two ASM configs. `asm` uses the default profile and `asm_prod` uses the
2626

2727
To access a secret in app parameters from `asm_prod` config, use `--param MYPARAM='{{secret_from "asm_prod" "MY_SECRET_KEY"}}'` as the param value. Use `--param MYPARAM='{{secret "MY_SECRET_KEY"}}'` to read from the default provider.
2828

29+
## AWS Systems Manager (SSM)
30+
31+
To enable SSM, add one or more entries in the `openrun.toml` config. The config name should be `ssm` or should start with `ssm_`. For example
32+
33+
```toml {filename="openrun.toml"}
34+
[secret.ssm]
35+
36+
[secret.ssm_prod]
37+
profile = "myaccount"
38+
39+
```
40+
41+
creates two SSM configs. `ssm` uses the default profile and `ssm_prod` uses the `myaccount` profile. The default config is read from the home directory ~/.aws/config and ~/.aws/credentials as documented in [AWS docs](https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html). The user id under which the OpenRun server was started is looked up for the aws config file.
42+
43+
To access a secret in app parameters from `ssm_prod` config, use `--param MYPARAM='{{secret_from "ssm_prod" "MY_SECRET_KEY"}}'` as the param value. Use `--param MYPARAM='{{secret "MY_SECRET_KEY"}}'` to read from the default provider.
44+
2945
## HashiCorp Vault
3046

3147
To enable Vault secret provider, add one or more entries in the `openrun.toml` config. The config name should be `vault` or should start with `vault_`. For example
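Review bot: The new SSM section (new lines 29-43) does not say what `MY_SECRET_KEY` maps to on the SSM side or what access the server's AWS identity needs. The wording mirrors the ASM section, so the SSM-specific details are missing: whether the key is the full parameter name (including any path prefix), whether encrypted parameters are returned decrypted, and which IAM permissions the profile requires, so that operators can scope the role to least privilege. Smaller points on new line 41: put `~/.aws/config` and `~/.aws/credentials` in backticks, and reword "The user id under which the OpenRun server was started is looked up for the aws config file" to something like "The AWS config files are read from the home directory of the user running the OpenRun server".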
