Secure Credentials Store - Plugin Integration

I am using the AWS Assume Role plugin with the Amazon S3 plugin. Entering the credentials (e.g., Access Key, Access Key Secret, Role ARN, Role, etc.) directly in the Appian designer console when creating the connected system is non-ideal. An ideal solution would be to natively integrate with AWS Secrets Manager, which would allow for automated secrets rotation. In the interim I would like to use Appian's SCS. How can I inject the secrets in the Assume Role Plug-in using the SCS? From what I've read the Third Party Credentials can only be used by Java plugins. Do I need to create a new plugin? Do you have an example that goes through this kind of use case step-by-step? This is the only documentation I've found -- how would the custom plugin then inject the secrets into the AWS Assume Role plugin?


  • 0
    Certified Lead Developer

    All plugins include their source code. That is a good inspiration. Did you consider modifying the AWS Assume Role plugin to work directly with the SCS?

  • Thank you  . I downloaded the source code for the assume role plugin. From the assumeRole function in the code, isn't it already set up to access the SCS?:

      // Excerpt from the plug-in's assumeRole function as posted: the designer passes only the
      // SCS key name as a string; the secret values are fetched server-side from the store.
      @Function
      public TypedValue assumeRole(TypeService ts, SecureCredentialsStore scs,
        @Parameter(required = true) String secureCredentialsStoreKey,
        @Parameter(required = true) String region,
        @Parameter(required = true) String roleARN,
        @Parameter(required = true) String roleSessionName,
        @Parameter(required = false) String externalID) {
        AppianTypeFactory tf = AppianTypeFactory.newInstance(ts);
        AppianObject returnValue = (AppianObject) tf.createElement(AppianType.DICTIONARY);
        Map<String, String> store = null;
        try {
          // Looks up every field of the SCS entry named by secureCredentialsStoreKey
          store = scs.getSystemSecuredValues(secureCredentialsStoreKey);
        } catch (InsufficientPrivilegesException | ObjectNotFoundException e) {
          // Only the key name is logged, never the stored values
          LOG.error("Error accessing the AWS credentials from the secure credentials store " + secureCredentialsStoreKey, e);
          errorMessage = "Error accessing the AWS credentials from the secure credentials store " + secureCredentialsStoreKey + " Error is: " +
            e.getMessage();
          returnValue.put("errorMessage", tf.createString(errorMessage));
          return tf.toTypedValue(returnValue);
        }
        // ... remainder of the function not included in the post

    If so, can you please explain how to access these values in the plugin (from the designer console)?

  • 0
    Certified Lead Developer
    in reply to aimeeo8980

    Did the plugin ZIP file include some documentation in a PDF file?

  •  it does not. Instead there is a word doc that includes the same information listed on the app market page.

  • 0
    Certified Lead Developer
    in reply to aimeeo8980

    Yeah ... some plugins are not well documented. In general, you need to create a SCS item and pass the name (key) to the plugin. The plugin will then fetch values from fields with predefined names. You should be able to find the field names in the source code.

    I never used this plugin, so I can only support you with generic things.

  • Thank you for your prompt replies! From the assume role plugin doc:

    The Appian Secure Credential Store is leveraged for the credentials to integrate with Amazon STS. Before executing the plug-in, create a new secure credential store with the following 2 attributes. These values are obtained from the Amazon AWS IAM console.

    1. accesskeyid: this is the access key id for connecting to AWS S3
    2. accesskeysecret: this is the access key secret for connecting to AWS S3

    So it appears that this plugin has the capability to retrieve credentials from SCS, and according to the SCS Appian Documentation, the Third-Party Credentials page is where the SCS is managed:

    The credentials stored in the Secure Credentials Store are managed using the Third-Party Credentials admin page in the Admin Console.

    Therefore, there should be a way to call on the stored credentials when creating a connected system in the designer console. However, what is unclear is that once I've stored the credentials in SCS using the Third-Party Credentials page, how can I pass them to this plug-in?
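To illustrate the pattern described in the replies above (create an SCS entry with the documented field names, pass only its key to the plug-in, let the plug-in resolve the values), here is an added example that is not the Assume Role plug-in's code nor from any poster. It consumes the Map that scs.getSystemSecuredValues(key) returns and hands the two documented fields to STS; the class name, the requireField helper and the use of the AWS SDK v1 STS classes are assumptions.

```java
import java.util.Map;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

/** Hypothetical helper: bridges an Appian SCS entry to STS AssumeRole so the caller never handles the IAM keys. */
public final class ScsAssumeRoleHelper {
    // Field names the plug-in doc (quoted above) says the SCS entry must contain.
    static final String FIELD_ACCESS_KEY_ID = "accesskeyid";
    static final String FIELD_ACCESS_KEY_SECRET = "accesskeysecret";

    /**
     * scsValues is the Map returned by scs.getSystemSecuredValues(secureCredentialsStoreKey).
     * The plug-in function performs that lookup, which is why the designer only passes the key name.
     */
    public static Credentials assumeRole(Map<String, String> scsValues, String region,
                                         String roleArn, String roleSessionName, String externalId) {
        String accessKeyId = requireField(scsValues, FIELD_ACCESS_KEY_ID);
        String accessKeySecret = requireField(scsValues, FIELD_ACCESS_KEY_SECRET);

        // Long-lived IAM user keys are used once, here, to obtain short-lived session credentials.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
            .withRegion(region)
            .withCredentials(new AWSStaticCredentialsProvider(
                new BasicAWSCredentials(accessKeyId, accessKeySecret)))
            .build();

        AssumeRoleRequest request = new AssumeRoleRequest()
            .withRoleArn(roleArn)
            .withRoleSessionName(roleSessionName);
        if (externalId != null && !externalId.isEmpty()) {
            request.withExternalId(externalId); // optional, matching the plug-in's externalID parameter
        }
        // Only the temporary credentials (with an expiry) leave this method; the IAM keys stay in the SCS.
        return sts.assumeRole(request).getCredentials();
    }

    /** Reports a missing or blank field by name only, so a misconfigured SCS entry never leaks a value into logs. */
    static String requireField(Map<String, String> values, String field) {
        String v = values == null ? null : values.get(field);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("SCS entry is missing required field '" + field + "'");
        }
        return v;
    }
}
```

The connected system or expression in the designer console therefore needs only the SCS key string (and the role ARN, region and session name), which is the value the plug-in's secureCredentialsStoreKey parameter expects.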
