README.md: 50 additions & 11 deletions
@@ -37,17 +37,12 @@ The Google Cloud Platform (GCP) Secret Manager Orchestrator Extension remotely m
37
37
* PEM encoded certificate and unencrypted or encrypted private key with full certificate chain
38
38
* PEM encoded certificate only
39
39
40
-
For use cases including an encrypted private key, please refer to [Certificate Encryption Details](#certificate-encryption-details) for more information on handling/storing the encryption password for the private key.
41
-
42
-
This extension also optionally supports the management of secret tags. **If** the optional Entry Parameter of "Tags" exists in the store type definition:
43
-
* Inventory will return all tags assigned to a secret in the comma delimited format of "TagKey1:TagValue1,TagKey2:TagValue2,...,TagKeyN:TagValueN".
44
-
* The same format of one-to-many tag key/value pairs ("TagKey1:TagValue1,TagKey2:TagValue2,...,TagKeyN:TagValueN") can be added to the "Tags" field during the setup of Management-Add jobs to assign tags to the secret **as long as each tag key/value pair is already set up as a valid Organization level tag key/value combination in GCP**.
45
-
46
-
Additional notes regarding tags:
47
-
* This integration does **not** support Project level tags when adding new certificates (secrets). Only Organization level tags will be recognized.
48
-
* The Tags field will be ignored when renewing/replacing a certificate since in this scenario the extension is only adding a new secret version and not replacing the entire secret. Assigning tags is only attempted when adding a completely new certificate (secret).
49
-
* When adding a new secret, any errors attempting to add tags **will not** impact the adding of the secret. If a Management-Add job successfully adds a new certificate (secret) but fails to assign the tag, the job will be reported back with a status of Warning along with detailed messages why each tag could not be assigned. The certificate (secret) itself, however, **will** be added.
50
-
* If multiple tags are provided, and errors occur on some but not others, the successful ones will be assigned to the certificate (secret) and warning messages will be written to the log and job status for the others.
40
+
Additional features:
41
+
* For use cases including an encrypted private key, please refer to [Certificate Encryption Details](#certificate-encryption-details) for more information on handling/storing the encryption password for the private key.
42
+
* For information on Tag Support, please refer to [Tag Support](#tag-support)
43
+
* For information on Label Support, please refer to [Label Support](#label-support)
44
+
* For information on Automatic vs User Managed Replication, please refer to [Region Replication](#region-replication)
45
+
* For information on Secret and Secret Version Retention, please refer to [TTL and TTL Version Retention](#ttl-and-ttl-version-retention)
51
46
52
47
53
48
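Review bot: the new "Additional features" list is inconsistent in punctuation: the first bullet ("For use cases including an encrypted private key, ...") ends with a period while the four "For information on ..." bullets that follow do not; either drop the period or end each bullet the same way. A small wording point in the same list: "For information on Automatic vs User Managed Replication, please refer to [Region Replication](#region-replication)" would read more naturally as "For information on automatic vs. user-managed replication, please refer to ...", since the capitalised phrase is not a section title, unlike "Tag Support" and "Label Support" in the bullets above it.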
@@ -379,6 +374,50 @@ For GCP Secret Manager secrets containing private keys, the GCP Secret Manager O
379
374
380
375
If the Store Password has a value, this will be used to encrypt the private key during a Management Add job. If no value is setforthe Store Password, the one time password that Keyfactor Command generates when triggering a Management-Add job will be used to encrypt the private key and this password will be stored as a secretin GCP Secret Manager with a name of Alias + Password Secret Location Suffix. For example, if the certificate alias is set as "Alias1" and the Password Secret Location Suffix is set as "_Key", the certificate and encrypted private key will be stored in a secret named "Alias1" and the password forthe key encryption will be storedin a secret named "Alias1_Key". Please note that if using the generated password Keyfactor Command provides and storing the password in Secret Manager, each renewal/replacement of a certificate will encrypt the private key with a new generated password, which will then be stored as a new version of the password secret.
381
376
377
+
## Tag Support
378
+
379
+
This extension supports the management of secret tags. **If** the optional Entry Parameter "Tags" exists in the store type definition:
380
+
* Inventory will return all tags assigned to a secret in the comma delimited format of "TagKey1:TagValue1,TagKey2:TagValue2,...,TagKeyN:TagValueN".
381
+
* The same format of one-to-many tag key/value pairs ("TagKey1:TagValue1,TagKey2:TagValue2,...,TagKeyN:TagValueN") can be added to the "Tags" field during the setup of Management-Add jobs to assign tags to the secret **as long as each tag key/value pair is already set up as a valid Organization level tag key/value combination in GCP**.
382
+
383
+
Additional notes regarding tags:
384
+
* This integration does **not** support Project level tags when adding new certificates (secrets). Only Organization level tags will be recognized.
385
+
* The Tags field will be ignored when renewing/replacing a certificate since in this scenario the extension is only adding a new secret version and not replacing the entire secret. Assigning tags is only attempted when adding a completely new certificate (secret).
386
+
* When adding a new secret, any errors attempting to add tags **will not** impact the adding of the secret. If a Management-Add job successfully adds a new certificate (secret) but fails to assign the tag, the job will be reported back with a status of Warning along with detailed messages why each tag could not be assigned. The certificate (secret) itself, however, **will** be added.
387
+
* If multiple tags are provided, and errors occur on some but not others, the successful ones will be assigned to the certificate (secret) and warning messages will be written to the log and job status for the others.
388
+
389
+
## Label Support
390
+
391
+
This extension supports the management of secret labels. **If** the optional Entry Parameter "Labels" exists in the store type definition:
392
+
* Inventory will return all labels attached to each secret in the comma delimited format of "LabelName1:LabelValue1,LabelName2:LabelValue2,...,LabelNameN:LabelValueN"
393
+
* The same format of one-to-many label name/value pairs can be added to new secrets during Management-Add jobsin the Labels Entry Parameter. These values can also be modified when renewing/replacing an existing secret.
394
+
395
+
Additional notes regarding labels:
396
+
* A blank Labels Entry Parameter will not remove any existing labels from an existing secret being replaced (certificate renewal use case).
397
+
* A non blank Labels Entry Parameter will cause all pre-existing labels to be removed and replaced for the secret being replaced.
398
+
* Improperly formatted Labels may cause pre-existing labels to be removed but none or only valid ones added, but this will not prevent the secret from being added/replaced.
399
+
400
+
## Region Replication
401
+
402
+
This extension supports replicating secrets to one-to-many valid GCP regions, along with optionally specifying a valid GCP Key Management Service (KMS) patha foreach region. **If** the optional Entry Parameter "Replication Regions" existsin the store type definition:
403
+
* Inventory will return all replication regions and KMS paths attached to each secret in the comma delimited format of "Region1:KMSPath1,Region2:KMSPath2,...,RegionN:KMSPathN"
404
+
* The same format of one-to-many region/KMS path pairs can be added to new secrets during Managment-Add jobsin the Replication Regions Entry Parameter. Modification of these values is **NOT** supported when renewing/replacing an existing secret. Region/KMS values entered when renewing/replacing a certificate in Management-Add job will be ignored.
405
+
* Replication regions without KMS paths can also be provided - i.e. "Region1,Region2,...,RegionN", but GCP enforces the convention that **all** supplied regions must have an associated valid KMS path or all of them must **not** have a KMS path. Cannot mix some with and some without.
406
+
407
+
Additionsl notes regarding replication regions:
408
+
* Each region must be a [GCP allowed region for secrets](https://docs.cloud.google.com/secret-manager/docs/locations).
409
+
* In order to apply KMS paths to replication regions:
410
+
- A valid KMS Key Ring and Crypto Key must be created for the applicable region.
411
+
- The Cloud KMS CryptoKey Encrypter/Decrypter role must be applied to the service-{PROJECT ID}@gcp-sa-secretmanager.iam.gserviceaccount.com service principle where {PROJECT ID} is the numeric project id for the project the secret is being added to.
412
+
- The Cloud Key Management Service API must be enabled.
413
+
414
+
## TTL and TTL Version Retention
415
+
416
+
This extension supports supplying TTL (Time To Live) and Destroy Version TTL values. **If** the optional Entry Parameters of "TTL Duration" and "Version Destroy TTL Duration" exist in the store type definition:
417
+
* A numeric value (in days) can be entered for either or both values specifying when a secret will be deleted (TTL Duration) and how many days after secret deletion each version will be destroyed (Version Destroy TTL Duration).
418
+
* These values will be returned in Inventory jobs as well as modified when renewing/replacing a secret.
419
+
* Blank values supplied during Management job when replacing a secret will not affect current values for the secret.
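Review bot: several added lines carry spelling errors that will ship in the rendered README: "Managment-Add" in the Region Replication bullet ("The same format of one-to-many region/KMS path pairs can be added to new secrets during Managment-Add jobs..."), "Additionsl notes regarding replication regions:", and "service principle" in the KMS role bullet, which should be "service principal". As rendered here, the lines "This extension supports replicating secrets ... patha foreach region ... existsin the store type definition", "during Management-Add jobsin the Labels Entry Parameter" and "during Managment-Add jobsin the Replication Regions Entry Parameter" also show missing spaces; worth checking whether those are in the source text or only in the rendering. Beyond spelling, two points for the documentation: the KMS bullet ("The Cloud KMS CryptoKey Encrypter/Decrypter role must be applied to the service-{PROJECT ID}@gcp-sa-secretmanager.iam.gserviceaccount.com service principle...") should say the grant is expected on the specific Crypto Key used for replication rather than on the whole project, so readers do not over-grant to the Secret Manager service agent; and the Label Support note "A non blank Labels Entry Parameter will cause all pre-existing labels to be removed and replaced for the secret being replaced" deserves the same bold emphasis used for the all-or-none KMS path rule, since an operator renewing a certificate with a partial Labels value will silently drop the labels not listed.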