Moveworks Agent AWS Secrets Manager Setup Guide

Note: This guide is only required if you want the agent to read secrets from a pre-existing secrets manager. Otherwise, follow the Moveworks Agent Installation Guide.

These instructions walk you through configuring permissions for a VM in AWS to pull secrets from AWS Secrets Manager.

You have several options for how to do this.

  1. [Recommended] Assign the [moveworks_agent_secrets_access] policy to the existing role used by the VM.
  2. Create a new role with the [moveworks_agent_secrets_access] policy and assign this role to the VM.
  3. Create an inline policy and assign it to the existing role used by the VM.

[Recommended] Assign the [moveworks_agent_secrets_access] policy to the existing role used by the VM

Use AWS CloudFormation to create the Moveworks Agent IAM managed policy that allows Secrets Manager access

  1. Create a new stack by clicking Create stack.

  2. Use the Moveworks CloudFormation template below.

    AWSTemplateFormatVersion: "2010-09-09"
    
    Description: >-
      Template for generating Moveworks Agent IAM managed policy allowing
      Secrets Manager access.
    
    Resources:
      SecretsManagerPolicy:
        Type: 'AWS::IAM::ManagedPolicy'
        Properties:
          ManagedPolicyName: moveworks_agent_secrets_access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # Only the two read actions the agent needs; no write or delete rights.
                Action:
                  - 'secretsmanager:GetSecretValue'
                  - 'secretsmanager:DescribeSecret'
                # Scoped to secrets under the moveworks_agent/ path in this account, any region.
                Resource: !Sub >-
                  arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:moveworks_agent/*

  3. Name the stack.

  4. Configure stack options and create the stack.

  5. The Secrets Manager policy should now be created.

Assign Policy to existing role

  1. Navigate to IAM → Roles → the role used by the VM.
  2. Attach policies and select moveworks_agent_secrets_access.

Create new role

  1. Navigate to IAM → Roles → Create Role.
  2. Add the policy you just created. If you used CloudFormation it should be named moveworks_agent_secrets_access.
  3. Name, review, and create.

Create Inline policy for existing role

  1. Click Create inline policy.
  2. Create the policy using the sample below.

Sample inline policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "arn:aws:secretsmanager:<region>:<account_id>:secret:moveworks_agent/*"
        }
    ]
}

Replace <region> and <account_id> with the region of your secrets and your 12-digit AWS account ID (the account ID, not a role ID, is the fifth field of a Secrets Manager ARN).

Add Secrets

  1. Navigate to AWS Secrets Manager → Secrets → Store a new secret.
  2. Name your secrets consistently with the access policy. If the access policy grants access to moveworks_agent/*, make sure the secrets are named moveworks_agent/<secret_name>. [The policy created by the provided CloudFormation template grants access to secrets under the path moveworks_agent/*.]
  3. Configure your desired rotation schedule and create the secret.
  4. Save the secret ARN for every secret you create.

    Some common secrets used by the Moveworks Agent are listed below. You may need more secrets for multiple LDAP domains or multiple REST integrations.
    1. moveworks_access_secret
    2. ldap_service_password
    3. jira_password
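Before attaching an inline policy, it is worth checking that it is no broader than the managed policy above, that no <region>/<account_id> placeholders were left in, and that the names you plan to give secrets actually fall under the policy's Resource pattern. The following script is an added example, not part of the Moveworks guide. It uses only the Python standard library; the sample policies, the secret ARNs and the 123456789012 account ID are constructed, and the function names are assumptions.

```python
"""Check a Secrets Manager access policy for least privilege and confirm that
secret names/ARNs fall under its Resource pattern. Added example: not part of
the Moveworks guide; sample policies, ARNs and the account ID are constructed."""
import fnmatch
import json
import re

# The only actions the agent needs, per the policies in this guide.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}
# Secrets must live under this path for the guide's policies to cover them.
SECRET_PREFIX = "moveworks_agent/"
# Unfilled placeholders such as <region> or <account_id> left in a sample policy.
PLACEHOLDER = re.compile(r"<[^>]+>")
# arn : partition : service : region (or *) : 12-digit account : secret : name-pattern
ARN_RE = re.compile(
    r"^arn:(aws|aws-[a-z]+):secretsmanager:([a-z0-9-]+|\*):(\d{12}):secret:(.+)$"
)


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy_json: str) -> list:
    """Return problems found; an empty list means the policy is scoped like the
    managed policy the CloudFormation template in this guide creates."""
    problems = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                problems.append(f"{sid}: action {action!r} is broader than the agent needs")
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            problems.append(f"{sid}: no Resource element")
        for res in resources:
            if PLACEHOLDER.search(res):
                problems.append(f"{sid}: resource {res!r} still contains a placeholder")
                continue
            match = ARN_RE.match(res)
            if not match or match.group(4) != SECRET_PREFIX + "*":
                problems.append(f"{sid}: resource {res!r} is not scoped to secret:{SECRET_PREFIX}*")
    return problems


def arn_is_covered(secret_arn: str, policy_json: str) -> bool:
    """True if an Allow statement's Resource pattern matches this secret ARN.
    IAM resource wildcards '*' and '?' behave like fnmatch's, so the
    case-sensitive fnmatchcase stands in for the IAM matcher here."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Resource")):
            if fnmatch.fnmatchcase(secret_arn, pattern):
                return True
    return False


def secret_name_is_covered(name: str) -> bool:
    """Check a proposed secret name against the guide's moveworks_agent/ prefix."""
    return name.startswith(SECRET_PREFIX) and len(name) > len(SECRET_PREFIX)


# Constructed sample: the guide's inline policy with its placeholders filled in.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:moveworks_agent/*"}]})
# Constructed sample: the shape the CloudFormation template produces (any region).
CFN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:*:123456789012:secret:moveworks_agent/*"}]})
# Constructed sample: an over-broad policy with placeholders still in place.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:*",
    "Resource": "arn:aws:secretsmanager:<region>:<account_id>:secret:*"}]})

if __name__ == "__main__":
    print("good policy problems:", lint_policy(GOOD_POLICY))
    print("bad policy problems:", lint_policy(BAD_POLICY))
    # Secrets Manager appends a random suffix to the name in the ARN it returns.
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:moveworks_agent/jira_password-AbCdEf"
    print("jira_password covered:", arn_is_covered(arn, GOOD_POLICY))
    print("bare name covered:", secret_name_is_covered("jira_password"))
```

Run lint_policy over the JSON you are about to paste into the inline policy editor, and arn_is_covered over each ARN you saved when storing a secret. A secret created in a different region than the one written into an inline policy is not covered, which is why the CloudFormation template wildcards the region field.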

Check for access

Check for access to the secrets you created from the agent VM. Both commands should succeed for each ARN you saved; an AccessDeniedException means the role or the secret name does not match the policy.

aws secretsmanager describe-secret --secret-id <Secret ARN>
aws secretsmanager get-secret-value --secret-id <Secret ARN>