Introduction

This tutorial will provide a walkthrough on setting up and using configuration values located in AWS for configuration in your Gremlin agent installation.

Prerequisites

Before you begin this tutorial, you'll need the following:

• An active AWS account
• A Gremlin account (sign up for a free trial)
• A Gremlin agent installation
• AWS credentials setup on the host running the Gremlin agent

Step 1a - Create config value in AWS SSM

To create a parameter in AWS SSM:

1. Navigate to the SSM console (us-west-2 example).
2. Navigate to 'Parameter Store' on the left side and click 'Create parameter'.
3. Create a name for your parameter, and set the type to be either 'String' or 'SecureString', then enter your config value in the value field. When satisifed with the settings, create the parameter.

Step 1b - Create config value in AWS Secrets Manager

To create a secret in AWS Secrets Manager:

Step 2 - Setup permissions for credentials

Whatever credentials you will have the Gremlin agent use will need the corresponding IAM permissions associated with them.

• For SSM parameters, the <span class="code-class-custom">ssm:GetParameter</span> action on the parameter resource is required.
• For Secrets Manager secrets, the <span class="code-class-custom">secretsmanager:GetSecretValue</span> action on the secret resource is required.
• If any of these values are encrypted with a KMS key, the <span class="code-class-custom">kms:Decrypt</span> action is required on the KMS key resource.

Step 3 - Set Gremlin config values to use ARN

Now in your gremlin configuration, you can set some of the configuration values to use the AWS ARN of the AWS resource you created. When the agent starts, it will reach out to AWS to retrieve the value stored there, and keeps it in memory. Here is an example configuration file with AWS ARNs used to store sensitive values:

## Gremlin Identifier
identifier: arn:aws:ssm:us-west-2:123412341234:parameter/gremlin-identifier

## Gremlin Team Id
team_id: arn:aws:ssm:us-west-2:123412341234:parameter/gremlin-team-id

## Gremlin Team Secret
#team_secret: arn:aws:secretsmanager:us-west-2:123412341234:secret:gremlin/team-secret-djfgdjkf

## Gremlin Team Certificate
team_certificate: arn:aws:secretsmanager:us-west-2:123412341234:secret:gremlin/team-cert-ovbndf

## Gremlin Team Certificate
team_private_key: arn:aws:secretsmanager:us-west-2:123412341234:secret:gremlin/team-key-asdgiovb

Note: When using the Gremlin Helm Chart, you can pass these values like you would with raw secret values (requires chart version 0.12.0 or later):

helm install gremlin gremlin/gremlin \
     --namespace gremlin \
     --set      gremlin.hostPID=true \
     --set      gremlin.hostNetwork=true \
     --set      gremlin.collect.processes=true \
     --set      gremlin.container.driver=any \
     --set      gremlin.secret.managed=true \
     --set      gremlin.secret.type=certificate \
     --set      gremlin.secret.clusterID=${GREMLIN_CLUSTER_ID} \
     --set      gremlin.secret.teamID=${GREMLIN_TEAM_ID} \
     --set      gremlin.serviceUrl=${GREMLIN_SERVICE_URL} \
     --set      gremlin.secret.certificate=arn:aws:secretsmanager:us-west-2:123412341234:secret:gremlin/team-cert-ovbndf \
     --set      gremlin.secret.key=arn:aws:secretsmanager:us-west-2:123412341234:secret:gremlin/team-key-asdgiovb \
     --set      gremlin.serviceAccount.annotations."eks\.amazonaws\.com\/role-arn"="arn:aws:iam::123412341234:role/K8sServiceAccountRole" \
     --set      chao.serviceAccount.annotations."eks\.amazonaws\.com\/role-arn"="arn:aws:iam::123412341234:role/ChaoK8sServiceAccountRole"

‍

Conclusion

You've setup your Gremlin agent to use remote configuration values, increasing the security of your configuration! Refer to the agent configuration to read all the supported values you can use an AWS ARN for.