I am using the AWS Assume Role plug-in with the Amazon S3 plug-in. Entering the credentials (e.g., Access Key, Access Key Secret, Role ARN, Role, etc.) directly in the Appian designer console when creating the connected system is non-ideal. An ideal solution would be to natively integrate with AWS Secrets Manager, which would allow for automated secrets rotation. In the interim I would like to use Appian's SCS. How can I inject the secrets into the Assume Role plug-in using the SCS? From what I've read, the Third-Party Credentials can only be used by Java plug-ins. Do I need to create a new plug-in? Do you have an example that goes through this kind of use case step by step? This is the only documentation I've found -- how would the custom plug-in then inject the secrets into the AWS Assume Role plug-in?
All plug-ins include their source code. That is a good inspiration. Did you consider modifying the AWS Assume Role plug-in to work directly with the SCS?
Thank you, Stefan Helzle. I downloaded the source code for the Assume Role plug-in. From the assumeRole function in the code, isn't it already set up to access the SCS?

    // Excerpt from the plug-in's assumeRole function as downloaded; LOG is the class logger.
    @Function
    public TypedValue assumeRole(TypeService ts, SecureCredentialsStore scs,
            @Parameter(required = true) String secureCredentialsStoreKey,
            @Parameter(required = true) String region,
            @Parameter(required = true) String roleARN,
            @Parameter(required = true) String roleSessionName,
            @Parameter(required = false) String externalID) {
        AppianTypeFactory tf = AppianTypeFactory.newInstance(ts);
        AppianObject returnValue = (AppianObject) tf.createElement(AppianType.DICTIONARY);
        String errorMessage; // declared here so the excerpt compiles on its own
        Map<String, String> store = null;
        try {
            // The SCS is injected by Appian; the caller only supplies the item key.
            store = scs.getSystemSecuredValues(secureCredentialsStoreKey);
        } catch (InsufficientPrivilegesException | ObjectNotFoundException e) {
            LOG.error("Error accessing the AWS credentials from the secure credentials store "
                    + secureCredentialsStoreKey, e);
            errorMessage = "Error accessing the AWS credentials from the secure credentials store "
                    + secureCredentialsStoreKey + " Error is: " + e.getMessage();
            // The error is returned to the expression as a dictionary field, not thrown.
            returnValue.put("errorMessage", tf.createString(errorMessage));
            return tf.toTypedValue(returnValue);
        }
If so, can you please explain how to access these values in the plug-in (from the designer console)?
Yeah ... some plug-ins are not well documented. In general, you need to create an SCS item and pass the name (key) to the plug-in. The plug-in will then fetch values from fields with predefined names. You should be able to find the field names in the source code.
I never used this plug-in, so I can only support you with generic things.
Thank you for your prompt replies, Stefan Helzle! From the Assume Role plug-in doc:
"The Appian Secure Credential Store is leveraged for the credentials to integrate with Amazon STS. Before executing the plug-in, create a new secure credential store with the following 2 attributes. These values are obtained from the Amazon AWS IAM console."
So it appears that this plug-in has the capability to retrieve credentials from the SCS, and according to the SCS Appian documentation, the Third-Party Credentials page is where the SCS is managed:
"The credentials stored in the Secure Credentials Store are managed using the Third-Party Credentials admin page in the Admin Console."
Therefore, there should be a way to call on the stored credentials when creating a connected system in the designer console. However, what is unclear is that once I've stored the credentials in the SCS using the Third-Party Credentials page, how can I pass them to this plug-in?
aimeeo8980 said: "once I've stored the credentials in SCS using the Third-Party Credentials page, how can I pass them to this plug-in"
As Stefan mentioned, you would pass the key to the plug-in when calling it from Appian.
Mike Schmitt, the form looks like this. How do I access the key-value pairs from the Third-Party Credentials store for the fields on this form?
You don't do that directly. You pass the SCS item name, and the plug-in will fetch the key-value pairs.
Stefan Helzle, thank you for your continued support with this discussion post. What remains unclear to me is how I pass the SCS item name so that the plug-in fetches the key-value pairs -- at what point is this done? Is there an example/documentation for this?
Your screenshot above is a Connected System. As far as I know, SCS keys aren't used for connected systems, but instead passed directly into the plug-in (if applicable) when it's called. The one example I've worked with is the sFTP plug-in, which in older versions had a field in the node itself called "SCS External System Key", which would consume the key itself at runtime.
Okay, I think this makes sense now, Mike Schmitt. So the only option at the moment is to modify the source code of the existing plug-in and create a custom plug-in which calls on the external system key?
For me it looks like the plug-in provides a function that you call and that returns credentials in some form. But you cannot use this to configure a connected system. I think it is meant to be used with other plug-ins or plain HTTP connections to access other AWS resources.
Yes, that is pretty much your only option at the moment.
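The pattern the replies describe (create a Third-Party Credentials item, pass only its key from the expression, let the plug-in read the fields by predefined names) is shown below as an added example. It is not code from this thread or from the AWS Assume Role plug-in; it is a minimal custom plug-in function written in the same style as the assumeRole excerpt above. The class and function names, the package, and the two attribute names "accessKeyId" and "secretAccessKey" are assumptions for illustration, and the import packages are those of the Appian plug-in SDK as I understand them, so check them against the SDK jar you build with.

```java
package com.example.appian.scsdemo; // hypothetical package name

import java.util.Map;

import com.appiancorp.suiteapi.common.exceptions.InsufficientPrivilegesException;
import com.appiancorp.suiteapi.common.exceptions.ObjectNotFoundException;
import com.appiancorp.suiteapi.expression.annotations.AppianScriptingFunctionsCategory;
import com.appiancorp.suiteapi.expression.annotations.Function;
import com.appiancorp.suiteapi.expression.annotations.Parameter;
import com.appiancorp.suiteapi.security.external.SecureCredentialsStore;

@AppianScriptingFunctionsCategory
public class ScsKeyCheck {

    // Field names the plug-in expects inside the SCS item. These two are assumed for
    // the example; a real plug-in documents (or hard-codes) its own names.
    static final String[] REQUIRED_FIELDS = {"accessKeyId", "secretAccessKey"};

    /**
     * Called from an Appian expression as  fn!checkscskey("aws_sts")  where "aws_sts"
     * is the External System Key of the Third-Party Credentials entry (hypothetical key).
     * Appian injects the SecureCredentialsStore; only the key name crosses the
     * expression boundary, the secret values are read and used inside the plug-in.
     */
    @Function
    public String checkscskey(SecureCredentialsStore scs,
            @Parameter(required = true) String secureCredentialsStoreKey) {
        Map<String, String> store;
        try {
            store = scs.getSystemSecuredValues(secureCredentialsStoreKey);
        } catch (InsufficientPrivilegesException | ObjectNotFoundException e) {
            // Same failure mode the assumeRole excerpt handles: unknown key, or the
            // plug-in was not granted access to the item on the Third-Party Credentials page.
            return "SCS item '" + secureCredentialsStoreKey + "' not readable: " + e.getMessage();
        }
        return describe(store);
    }

    // Pure-Java helper so the field-name contract can be checked without an Appian server.
    static String describe(Map<String, String> store) {
        StringBuilder missing = new StringBuilder();
        for (String name : REQUIRED_FIELDS) {
            String value = store.get(name);
            if (value == null || value.isEmpty()) {
                if (missing.length() > 0) {
                    missing.append(", ");
                }
                missing.append(name);
            }
        }
        // Report only which fields are present; never echo the secret values to the expression layer.
        return missing.length() == 0 ? "ok" : "missing attributes: " + missing;
    }
}
```

Two points this makes concrete: the key is supplied at the call site in an expression rule or a process node, not in a Connected System form, and the plug-in must be explicitly granted access to that Third-Party Credentials item in the Admin Console or getSystemSecuredValues throws InsufficientPrivilegesException. A plug-in that returns the raw secret values to the expression layer would undo the benefit of the SCS, which is why this example returns only a status string.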