[AGENTCFG-14] Updating AWS Secrets and SSM documentation to match suggested guidelines #40
Conversation
docs/aws/secrets.md
Outdated
| @@ -4,6 +4,33 @@ | |||
|
|
|||
| ## Configuration | |||
|
|
|||
| ### IAM Permission needed | |||
|
|
|||
| Add this permission as a permission policy to the user role that has been attached to the EC2 instance upon which the given agent is running. | |||
There was a problem hiding this comment.
We should give example, explain the logic and redirect to the official docs. Customers should not just copy/paste our example without understanding what they're doing. I will also add a direct link to AWS Secret IAM documentation in there.
| Add this permission as a permission policy to the user role that has been attached to the EC2 instance upon which the given agent is running. | |
| Create a similar IAM as the example bellow to allow resources to access a specific secrets and then attach it to the EC2 instance upon which the given agent is running. You can use similar IAM to allow your ECS/EKS Agent pod to access the required secrets. Please refer to [AWS Secrets official documentation](insert here link to docs) for more detail on allowing resources to access secrets. |
There was a problem hiding this comment.
I've made most of the changes that you suggested. The thing is that this Permission policy step that is referred to in the secrets.md and ssm.md does not differ based on the service (EC2, ECS, etc), so I don't think that it should be specified here that you need to make a different policy if you are using a different service. The service-specific instructions are in the aws.md doc. In general, the aws.md doc is where i envision most of the setup instructions to be. I only included this permission policy step in the secrets.md and ssm.md docs, as the permission policy is the only step that has different values if you are using secrets vs ssm.
docs/aws/ssm.md
Outdated
| @@ -6,22 +6,31 @@ | |||
|
|
|||
| ### IAM Permission needed | |||
|
|
|||
| Add this permission as a permission policy to the user role that has been attached to the EC2 instance upon which the given agent is running. | |||
There was a problem hiding this comment.
Same here, we should highlight that this is an example and redirect to the correct AWS docs. We should also change permission for IAM for clarity and explain they can do the same for other types of resources like ECS/EKS/Fargate...
There was a problem hiding this comment.
Refer to this comment
What does this PR do?
We want to avoid hardcoding any secret information in the config, and so after QA-ing the secret backend for AWS Secrets and SSM, I am updating the documentation so that it matches the suggested way of retrieving secrets from these services.
Motivation
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes