PingAuthorize Server Documentation Index
Configuration Reference Home

Amazon Secrets Manager Cipher Stream Provider

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Amazon Secrets Manager Cipher Stream Provider is used to create a cipher stream provider that uses a passphrase obtained from the Amazon AWS Secrets Manager service to generate the encryption key for protecting the contents of the encryption settings database. It may only be used with string secrets (in which the Secrets Manager service returns the secret in the form of a JSON object) and not with secrets stored in a binary form.

Once it is created, this Amazon Secrets Manager Cipher Stream Provider should not be altered in any way. If you would like to change the cipher stream provider that the server uses, even to use a different secret (or a different version of the same secret) from the AWS Secrets Manager, you will need to create a new cipher stream provider configuration object and update the global configuration to activate that new provider. If this is done with the server online, then the encryption settings database will automatically be re-encrypted with the new cipher stream provider. However, as a safeguard against unexpected failures, it is still recommended that you export the encryption settings definitions before switching the active cipher stream provider.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The Amazon Secrets Manager Cipher Stream Provider component inherits from the Cipher Stream Provider

Relations from This Component

The following components have a direct aggregation relation from Amazon Secrets Manager Cipher Stream Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
↓ description  None
↓ enabled
↓ aws-external-server
↓ secret-id
↓ secret-field-name
↓ secret-version-id
↓ secret-version-stage
↓ encryption-metadata-file

Basic Properties

description

Description
A description for this Cipher Stream Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether this Cipher Stream Provider is enabled for use in the PingAuthorize Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

aws-external-server

Description
The external server with information to use when interacting with the AWS Secrets Manager.
Default Value
None
Allowed Values
The DN of any Amazon Aws External Server.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-id (Read-Only)

Description
The Amazon Resource Name (ARN) or the user-friendly name of the secret to be retrieved.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-field-name (Read-Only)

Description
The name of the JSON field whose value is the passphrase that will be used to generate the encryption key for protecting the contents of the encryption settings database.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-version-id (Read-Only)

Description
The unique identifier for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-stage property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

secret-version-stage (Read-Only)

Description
The staging label for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-id property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

encryption-metadata-file (Read-Only)

Description
The path to a file that will hold metadata about the encryption performed by this Amazon Secrets Manager Cipher Stream Provider. When initially configuring this cipher stream provider, the metadata file should not exist (although its parent directory must exist). The first time the provider is initialized and the secret is successfully retrieved from AWS Secrets Manager, a new metadata file will be generated with an appropriate set of properties for generating the cipher to use to interact with the encryption settings database. On subsequent uses, the existing metadata file will be read to determine these settings so that the existing encryption settings database can be opened.
Default Value
config/aws-secrets-manager-encryption-metadata.json
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Cipher Stream Providers:

dsconfig list-cipher-stream-providers
     [--property {propertyName}] ...

To view the configuration for an existing Cipher Stream Provider:

dsconfig get-cipher-stream-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Cipher Stream Provider:

dsconfig set-cipher-stream-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Amazon Secrets Manager Cipher Stream Provider:

dsconfig create-cipher-stream-provider
     --provider-name {name}
     --type amazon-secrets-manager
     --set enabled:{propertyValue}
     --set aws-external-server:{propertyValue}
     --set secret-id:{propertyValue}
     --set secret-field-name:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Cipher Stream Provider:

dsconfig delete-cipher-stream-provider
     --provider-name {name}