How to configure SOPS

1. Creating IAM user and attaching policies -

a. Go to AWS Management Console.

b. Go to IAM and click Policies in the left-hand side toolbar.

c. Click Create policy and then press Next. Click on JSON, add the below policy and click Next.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateRole",
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws:iam::349271159511:role/*"
    }
  ]
}

d. Give the policy a name and create the policy.

e. Now click Users on the left side of the console.

f. Click Add user, provide a name for the user and click Next.

g. In permission options click Attach policies directly. Select AdministratorAccess, AWSKeyManagementServicePowerUser and also the policy you created in the previous steps, then click Next.

h. Verify the user name and that the three policies are attached, then click Create user.

2. Create KMS key -

a. Go to AWS Management Console.

b. Go to KMS, then Customer managed keys, and click Create key.

c. In Configure key keep the default options and click Next. Provide a name in Alias, give administrator access to the IAM user created in the previous step, select the users you want to allow to encrypt and decrypt using this key, and click Next.

d. Attach the below policy as the key policy and then click Finish. Replace the <IAM USER> placeholder below with the IAM user you created.

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::349271159511:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::349271159511:role/aws-reserved/sso.amazonaws.com/ap-south-1/AWSReservedSSO_AdministratorAccess_3b9b4bb9eebf66ac"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::349271159511:user/<IAM USER>"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:ap-south-1:349271159511:key/29adbf26-7b85-4469-8c9e-f8050fd19a8e"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::349271159511:role/aws-reserved/sso.amazonaws.com/ap-south-1/AWSReservedSSO_AdministratorAccess_3b9b4bb9eebf66ac"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

e. Copy the ARN value after creating the KMS key.

3. Placing the KMS ARN value in the deployment manifest file -

a. Go to the below file and paste the ARN value -

code upyog/UPYOG-DevOps/tree/UPYOG-Bootcamp-jenkins/config-as-code/sops.yaml

b. Go to the below code and add the ARN key in the .sops.yaml file -

c. Next, cd to config-as-code and run the below command -

d. Now to see the encrypted secrets, decrypt them using the below command -
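As an added pre-flight check (example code written for this guide, not part of the UPYOG-DevOps repository), the script below walks a KMS key policy shaped like the one in step 2d and reports which of the actions SOPS issues against the key (kms:Encrypt to wrap the file's data key, kms:Decrypt to unwrap it) the IAM user principal is actually granted, then renders the .sops.yaml creation rule for step 3b. The user name sops-user, the path_regex and the trimmed two-statement policy are assumptions; the account id and key ARN are the ones from step 2d.

```python
import fnmatch
import json

# Constructed sample: account id and key ARN as in step 2d, user name assumed.
ACCOUNT = "349271159511"
KEY_ARN = "arn:aws:kms:ap-south-1:349271159511:key/29adbf26-7b85-4469-8c9e-f8050fd19a8e"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/sops-user"  # assumed IAM user name
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": USER_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN},
    ],
})

# Actions SOPS calls on the CMK: Encrypt wraps the data key, Decrypt unwraps it.
SOPS_ACTIONS = ("kms:Encrypt", "kms:Decrypt")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json, principal_arn, key_arn):
    """Return the subset of SOPS_ACTIONS the key policy allows principal_arn on key_arn.

    Only unconditional Allow statements naming the principal explicitly count;
    Deny statements and conditions are not evaluated by this simple check."""
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        resources = _as_list(stmt.get("Resource", []))
        if principal_arn not in principals:
            continue
        # "*" and ARN wildcards in Resource are matched like IAM does, by glob.
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        for pattern in _as_list(stmt["Action"]):  # handles "kms:*", "kms:Get*", ...
            granted.update(a for a in SOPS_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_actions(policy_json, principal_arn, key_arn):
    """SOPS actions the principal still lacks on the key (empty set means all good)."""
    return sorted(set(SOPS_ACTIONS) - allowed_actions(policy_json, principal_arn, key_arn))


def sops_config(key_arn, path_regex=r"secrets/.*\.yaml$"):
    """Render the .sops.yaml creation rule that points SOPS at the CMK (step 3b)."""
    return f"creation_rules:\n  - path_regex: {path_regex}\n    kms: {key_arn}\n"
```

Run against the step 2d policy the check reports kms:Encrypt as missing for the user, which is the action SOPS needs when encrypting a new secrets file.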