-
Notifications
You must be signed in to change notification settings - Fork 19
Manage Secrets Groups
To be able to run group create, the user executing the command must have access to various KMS, DynamoDB and IAM functionality. The idea is to create the Secrets Group using admin credentials and then attach users or roles to the Secret Group. Alternatively you need to grant the necessary permission to a user.
Secrets are logically grouped into Secret Groups. If you don't already have a Secrets Group, you will need to create one (this will allocate the necessary AWS resources):
$ strongbox --region eu-west-1 group create team.project
If you delete a Strongbox Secrets Group, the KMS key will be scheduled for deletion after 7 days. You cannot create a new Secrets Group with the same name until those 7 days have passed, unless you reuse the KMS key. If you accidentally deleted the Secrets Group, and you want to recreate it, you need to do so before the KMS key is deleted. If this is the case or you have some other good reason for reusing the KMS key, you can do so with --allow-key-reuse.
WARNING: make sure that you indeed want to reuse the KMS key before using this command
$ strongbox --region eu-west-1 group create --allow-key-reuse team.project
When a Secrets Group is created, a read-only and an admin policy is also created. You can attach roles, users and groups to these roles in order to provided the needed access to KMS and DynamoDB for Strongbox to work.
This can be done in the GUI or in the CLI.
$ strongbox --region eu-west-1 group attach-readonly --group team.project --type role <some-iam-role>
$ strongbox --region eu-west-1 group attach-admin --group team.project --type role <some-iam-role>