Secrets management

With secrets management, you can configure on-host integrations with New Relic Infrastructure's agent to use sensitive data (such as passwords) without writing it as plain text into the integration's configuration file. Currently Vault and AWS KMS are supported.

Define secrets

To use secrets in an integration configuration YAML file:

  1. Define a variables section, where each entry is a name for a secret object.
  2. In each entry, include the source of the secret and the proper configuration to retrieve those secrets.
  3. In the integration configuration section, set ${variable.property} placeholders that will be automatically replaced by the properties of the secret object.

If the secrets retrieval fails, the integration won't be executed, as the Infrastructure agent does not have all the data it requires to execute.

For example, the following configuration retrieves an object named creds from Vault (you choose the name of the secret object). Assume that the stored object is a JSON object with a property named user and another named password; we want to use them as the basic HTTP credentials in the status_url argument of the NGINX on-host integration:

integration_name: com.newrelic.nginx
variables:
  creds:
    vault:
      http:
        url: http://my.vault.host/v1/newengine/data/secret
        headers:
          X-Vault-Token: my-vault-token
instances:
  - name: nginx-server-metrics
    command: metrics
    arguments:
      status_url: http://${creds.user}:${creds.password}@example.com/status
      status_module: discover
      remote_monitoring: true
    labels:
      env: production
      role: load_balancer

Secrets variables

Define secrets in each integration configuration under a variables section. Each entry is a user-defined secret name that will store the properties of the retrieved secrets. Each variable can contain the following properties:

ttl
  Type: String
  Amount of time before a secret is refreshed. This can be a number followed by a time unit (s, m or h).
  Examples: 30s, 10m, 1h
  Default: 1h

aws-kms
  Type: YAML properties
  AWS KMS secret retrieval configuration

vault
  Type: Vault
  Vault secret retrieval configuration

AWS KMS secrets

To retrieve your secrets from AWS KMS, set the following properties in your aws-kms section. Not all fields are required: for example, you need only one of data, file, or http to supply the Base64-encoded KMS string.

data
  Type: String
  Base64-encoded KMS string to decrypt

file
  Type: String
  Path to a file containing the Base64-encoded KMS string to decrypt

http
  Type: YAML properties
  HTTP configuration used to request the Base64-encoded KMS string to decrypt. For more information, see Vault http.

credential_file
  Type: String
  Path to the AWS credentials file

config_file
  Type: String
  Path to the AWS config file

region
  Type: String
  AWS KMS region

type
  Type: String (plain, equal, or json)
  Secret value format:
    • plain: a raw string, stored directly into the destination variable.
    • equal: a one-line key=property string, stored as object properties into the destination variable.
    • json: a JSON object, stored as properties into the destination variable.

Secrets of type plain or json use dot notation; for example, ${mysecret.nestedkey}.

The following example retrieves a plain password string from AWS KMS: the Base64-encoded string given in data is decrypted with KMS in the configured region and stored as a raw string.

variables:
  myPassword:
    aws-kms:
      data: T0hBSStGTEVY
      region: ap-southeast-2
      credential_file: "./my-aws-credentials-file"
      config_file: "./my-aws-config-file"
      type: plain
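The following is an added example (not agent code) that models the two steps the page describes: turning a retrieved secret into a variable according to its type (plain or json; the equal format is left out), and replacing ${variable.property} placeholders in an instance's arguments, refusing to produce the instance at all when any secret is missing. The placeholder regex, the function names and the sample secret values are this example's own assumptions.

```python
import json
import re

# ${variable[.property[.nested]]} placeholders (this example's reading of the page's syntax).
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_-]+)((?:\.[A-Za-z0-9_-]+)*)\}")

class SecretRetrievalError(Exception):
    """A referenced secret variable or property is not available."""

def decode_secret(raw, secret_type):
    """Turn a retrieved secret string into the variable's value according to 'type':
    plain keeps the raw string, json parses it into an object whose keys become
    properties. (The page's 'equal' format is not modelled here.)"""
    if secret_type == "plain":
        return raw
    if secret_type == "json":
        return json.loads(raw)
    raise SecretRetrievalError("unsupported secret type: %s" % secret_type)

def lookup(secrets, name, path):
    """Walk ${name.a.b} through the secret object, raising on any missing piece."""
    if name not in secrets:
        raise SecretRetrievalError("secret variable '%s' was not retrieved" % name)
    value = secrets[name]
    for key in path:
        if not isinstance(value, dict) or key not in value:
            raise SecretRetrievalError("%s has no property %s" % (name, ".".join(path)))
        value = value[key]
    return str(value)

def render_instance(arguments, secrets):
    """Resolve every placeholder in an instance's arguments. Returns None when any
    secret is missing, mirroring the rule that the integration is then not run."""
    def substitute(match):
        return lookup(secrets, match.group(1), [p for p in match.group(2).split(".") if p])
    try:
        return {k: PLACEHOLDER.sub(substitute, v) if isinstance(v, str) else v
                for k, v in arguments.items()}
    except SecretRetrievalError:
        return None

# Constructed stand-ins for what Vault/KMS retrieval would return for the page's
# 'creds' (JSON object) and 'myPassword' (plain string) variables.
SECRETS = {"creds": decode_secret('{"user": "nginx-ro", "password": "s3cr3t"}', "json"),
           "myPassword": decode_secret("hunter2", "plain")}
NGINX_ARGS = {  # the arguments block of the page's NGINX example
    "status_url": "http://${creds.user}:${creds.password}@example.com/status",
    "status_module": "discover",
    "remote_monitoring": True,
}
```

Note that after substitution the rendered status_url carries the password in clear, which is why the placeholders belong in the agent's configuration and the rendered arguments should never be written to logs.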

Vault secrets

The vault section must contain an http field with the HTTP configuration used to connect to Vault. The http entry can contain the following entries:

url
  Type: String
  URL to request data from

tls_config
  Type: YAML properties
  TLS configuration (see the tls_config properties below)

headers
  Type: YAML map
  Request headers

tls_config properties

Secrets must use dot notation, for example, ${mysecret.nestedkey}.

enable
  Type: Boolean
  Enable TLS
  Default: false

insecure_skip_verify
  Type: Boolean
  Skip verifying the server's certificate chain and host name
  Default: false

min_version
  Type: UInt16
  The minimum SSL/TLS version that is acceptable
  Default: 0 (which uses TLS version 1.0)

max_version
  Type: UInt16
  The maximum SSL/TLS version that is acceptable
  Default: 0 (which uses TLS version 1.3)

ca
  Type: String
  TLS certificate
  Default: ""

The following example retrieves a secret from a TLS-protected Vault server using a Vault token, and skips verification of the server's certificate (insecure_skip_verify disables the chain and host name checks described above):

variables:
  mydata:
    vault:
      http:
        url: https://my.vault.host/v1/newengine/data/secret
        headers:
          X-Vault-Token: my-vault-token
        tls_config:
          insecure_skip_verify: true
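With insecure_skip_verify the agent accepts any certificate, so the X-Vault-Token header is presented to whichever host answers at that URL; the check below is an added example, not agent code, that flags that setting (and a plain http url such as the one in the Define secrets example) and places the page's configuration beside a hardened version that relies on the ca key. The CA path and the check's wording are this example's own assumptions.

```python
from urllib.parse import urlparse

# Two Vault 'http' sections as the agent would hold them after parsing the YAML
# (constructed here as dict literals so the example needs no YAML library).
WEAK_VAULT_HTTP = {  # the page's example: TLS is used but the certificate is never checked
    "url": "https://my.vault.host/v1/newengine/data/secret",
    "headers": {"X-Vault-Token": "my-vault-token"},
    "tls_config": {"insecure_skip_verify": True},
}
HARDENED_VAULT_HTTP = {  # same request, verified against an explicitly configured CA
    "url": "https://my.vault.host/v1/newengine/data/secret",
    "headers": {"X-Vault-Token": "my-vault-token"},
    "tls_config": {
        "enable": True,
        "insecure_skip_verify": False,
        # Assumed value: the page only says ca is a string holding the TLS certificate,
        # so a path to the CA bundle for Vault's server certificate is used here.
        "ca": "/etc/newrelic-infra/vault-ca.pem",
    },
}

def audit_vault_http(http):
    """Return a list of findings for a Vault http section; an empty list passes."""
    findings = []
    tls = http.get("tls_config") or {}
    if urlparse(http.get("url", "")).scheme != "https":
        findings.append("url is not https: the X-Vault-Token header and the retrieved "
                        "secret cross the network in cleartext")
    if tls.get("insecure_skip_verify", False):
        findings.append("insecure_skip_verify is true: the server's certificate chain and "
                        "host name are not verified, so the token is presented to whatever "
                        "answers at that address")
    if not tls.get("ca"):
        findings.append("ca is empty: verification relies on the host trust store; set ca "
                        "when Vault's certificate comes from a private CA")
    return findings
```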
