Several STA customers have asked us to provide a mechanism for securely storing secrets in the STA configuration. Some of them want to prevent users of the STA from seeing, for example, the Coralogix private key. Other customers asked whether it is possible to share some configuration values between multiple STA installations without sharing the whole configuration or manually synchronizing it between the instances. The following steps address both concerns.
The STA supports two methods of storing its configuration:
1. Local configuration on the STA instance (the default).
2. Configuration stored in an S3 bucket.
With both methods, the STA now supports the following mechanisms for storing individual configuration values securely:
1. Storing the value as a secret in AWS Secrets Manager and referencing that secret from the configuration.
2. Encrypting the value with the STA's own encryption, so that only the root user on the STA can decrypt it.
You can mix and match these as needed. For example, you can store the STA configuration in an S3 bucket, keep some of the values as secrets in AWS Secrets Manager, and encrypt some or all of them by using the STA's encryption. Here is how to do it.
You can provide an S3 bucket name in the CloudFormation/Terraform template. The STA will then start by copying its configuration to that bucket (if the bucket is empty), or by downloading the configuration from the bucket and applying it automatically.
If you want to switch an existing STA that uses local configuration (the default) to an S3 bucket, take the following steps:
1. Run sta-edit-config.
2. Add a "sync_config_from" setting whose value is the bucket name with s3:// as prefix. For example: "sync_config_from": "s3://my-sta-config-bucket"
3. When you finish editing, the STA displays the following note: "NOTE: The new config file includes a configuration to use an S3 bucket. If you'll choose to continue, any additional configuration from now on will have to be done using the configured bucket. Are you sure you want to continue?" Confirm to continue.
4. The STA reports "Configuration updated successfully." From this point on, edit the configuration in the bucket rather than on the instance.
To strengthen the security of the STA, you can now store the value of any configuration setting as a secret in AWS Secrets Manager and reference it from the configuration. Take the following steps:
1. Run sta-get-status-short and verify that every service mentioned in the output is in one of the following statuses only: "OK", "NOT_RUNNING_NOW" or "RUNNING_NOW".
2. Run sta-edit-config.
3. Replace the value you want to protect with a reference in the following format, where the last part is optional and names the key to read when the secret holds key/value pairs:
${{<aws_secret_region_name>;<aws_secret_arn>[;<secret_keyvalue_keyname>]}}
For example:
${{eu-west-1;arn:aws:secretsmanager:eu-west-1:746543792062:secret:test-sta-od-encrypt-secrets-RfAkDs;private_key}}
The STA instance must have permission to read the referenced secret; the reference itself contains no secret material, so it can safely appear in the configuration.
To strengthen the security of the STA even further, you can store the value of any configuration setting as an encrypted value that only the root user on the STA can decrypt. Encrypted values can be stored anywhere STA configuration can be stored: locally, in S3 and in AWS Secrets Manager. Currently, encrypted values are supported only on "on-demand" and on-prem STA installations; we plan to address this in future STA versions. Take the following steps:
1. Run sta-get-status-short and verify that every service mentioned in the output is in one of the following statuses only: "OK", "NOT_RUNNING_NOW" or "RUNNING_NOW".
2. Run sta-encrypt-config-value, enter the value you want to encrypt and then hit Ctrl+D (to abort, press Ctrl+C). The command prints the encrypted value, for example:
${{b64:enc:ASSDDSFsdfdsfSDFDSDSFDSFsdfdsf12322DFFD==}}
3. Run sta-edit-config and replace the plaintext value with the encrypted value.
Besides being a security feature, secret references can also simplify the configuration of multiple STA instances. You can create one AWS secret holding several configuration values, use the same secret reference in multiple STA instances, and grant those instances permission to read the secret. That way you share configuration values between multiple STA instances while storing them only once.
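As an added example that is not part of the STA or of this guide, the following Python helper classifies configuration values by the two reference syntaxes described above (Secrets Manager references and STA-encrypted values) and flags sensitive settings that are still stored in plaintext. It assumes a flat JSON configuration file and treats private_key as the only sensitive key; it validates the references but does not resolve them, which the STA does at runtime.

```python
import json
import re

# STA reference syntax as documented on this page:
#   ${{<aws_secret_region_name>;<aws_secret_arn>[;<secret_keyvalue_keyname>]}}
#   ${{b64:enc:<base64 ciphertext produced by sta-encrypt-config-value>}}
REF_RE = re.compile(r"^\$\{\{(.+)\}\}$")
ARN_RE = re.compile(r"^arn:aws:secretsmanager:([a-z0-9-]+):\d{12}:secret:[^:]+$")

# Assumption: the STA defines no list of sensitive keys; private_key is the page's example.
SENSITIVE_KEYS = {"private_key"}


def classify_value(value):
    """Classify one config value as plain, secret, encrypted or invalid."""
    match = REF_RE.match(value) if isinstance(value, str) else None
    if not match:
        return "plain", {}
    body = match.group(1)
    if body.startswith("b64:enc:"):
        return "encrypted", {"ciphertext": body[len("b64:enc:"):]}
    parts = body.split(";")
    if len(parts) not in (2, 3):
        return "invalid", {"reason": "expected <region>;<arn>[;<key>]"}
    region, arn = parts[0], parts[1]
    arn_match = ARN_RE.match(arn)
    if not arn_match or arn_match.group(1) != region:
        return "invalid", {"reason": "not a Secrets Manager ARN in the stated region"}
    details = {"region": region, "arn": arn}
    if len(parts) == 3:
        details["key"] = parts[2]  # key name inside a key/value secret
    return "secret", details


def audit_config(config_json):
    """Return (key, kind, reason) findings for a flat JSON config (assumed layout)."""
    findings = []
    for key, value in json.loads(config_json).items():
        kind, details = classify_value(value)
        if kind == "invalid":
            findings.append((key, kind, details["reason"]))
        elif kind == "plain" and key in SENSITIVE_KEYS:
            findings.append((key, kind, "sensitive value stored in plaintext"))
    return findings


# Constructed sample config; bucket name, account id and ARN are placeholders.
SAMPLE_CONFIG = json.dumps({
    "sync_config_from": "s3://example-sta-config-bucket",
    "private_key": "${{eu-west-1;arn:aws:secretsmanager:eu-west-1:123456789012:secret:example-sta-AbCdEf;private_key}}",
    "example_setting": "${{b64:enc:QUJDRA==}}",
})
```

Running audit_config(SAMPLE_CONFIG) returns an empty list because every sensitive value is referenced or encrypted; a configuration with a plaintext private_key yields a finding.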
We hope you found this guide helpful. If you have any further questions, don’t hesitate to contact us via the chat.