ContextQMD
Back to Infisical

AWS ElastiCache

docs/documentation/platform/dynamic-secrets/aws-elasticache.mdx

0.159.255.9 KB
Original Source

import DynamicSecretUsernameTemplateParamField from "/snippets/documentation/platform/dynamic-secrets/dynamic-secret-username-template-field.mdx";

The Infisical AWS ElastiCache dynamic secret allows you to generate AWS ElastiCache credentials on demand based on configured role.

Prerequisites

  1. Create an AWS IAM user with the following permissions:
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeUsers",
        "elasticache:ModifyUser",
        "elasticache:CreateUser",
        "elasticache:CreateUserGroup",
        "elasticache:DeleteUser",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeUserGroups",
        "elasticache:ModifyReplicationGroup",
        "elasticache:ModifyUserGroup"
      ],
      "Resource": "arn:aws:elasticache:<region>:<account-id>:user:*"
    }
  ]
}
  1. Create an access key ID and secret access key for the user you created in the previous step. You will need these to configure the Infisical dynamic secret.
<Note> New leases may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration. It is recommended to use a retry strategy when establishing new ElastiCache connections. This may prevent errors when trying to use a password that isn't yet live on the targeted ElastiCache cluster.

While a leasing is being created, you will be unable to create new leases for the same dynamic secret. </Note>

<Note> Please ensure that your ElastiCache cluster has transit encryption enabled and set to required. This is required for the dynamic secret to work. </Note>

Set up Dynamic Secrets with AWS ElastiCache

<Steps> <Step title="Open Secret Overview Dashboard"> Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret. </Step> <Step title="Click on the 'Add Dynamic Secret' button"> ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png) </Step> <Step title="Select AWS ElastiCache"> ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-elasti-cache.png) </Step> <Step title="Provide the inputs for dynamic secret parameters"> <ParamField path="Secret Name" type="string" required> Name by which you want the secret to be referenced </ParamField> 
<ParamField path="Default TTL" type="string" required>
	Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
</ParamField>

<ParamField path="Max TTL" type="string" required>
	Maximum time-to-live for a generated secret.
</ParamField>

<ParamField path="Region" type="string" required>
The region that the ElastiCache cluster is located in. _(e.g. us-east-1)_
</ParamField>

<ParamField path="Access Key ID" type="string" required>
This is the access key ID of the AWS IAM user you created in the prerequisites. This will be used to provision and manage the dynamic secret leases.
</ParamField>

<ParamField path="Secret Access Key" type="string" required>
	This is the secret access key of the AWS IAM user you created in the prerequisites. This will be used to provision and manage the dynamic secret leases.
</ParamField>

<ParamField path="CA(SSL)" type="string">
	A CA may be required if your DB requires it for incoming connections. This is often the case when connecting to a managed service.
</ParamField>
</Step> <Step title="(Optional) Modify ElastiCache Statements"> ![Modify ElastiCache Statements Modal](/images/platform/dynamic-secrets/modify-elasticache-statement.png) <DynamicSecretUsernameTemplateParamField /> <ParamField path="Customize ElastiCache Statement" type="string"> If you want to provide specific privileges for the generated dynamic credentials, you can modify the ElastiCache statement to your needs. This is useful if you want to only give access to a specific resource. </ParamField> </Step> <Step title="Click `Submit`"> After submitting the form, you will see a dynamic secret created in the dashboard. 
<Note>
	If this step fails, you may have to add the CA certificate.
</Note>
</Step> <Step title="Generate dynamic secrets"> Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section. 
![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)

When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.

![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)

<Tip>
	Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
</Tip>


Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you.

![Provision Lease](/images/platform/dynamic-secrets/lease-values.png)
</Step> </Steps>

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the expiration time of the lease or delete a lease before it's set time to live.

Renew Leases

To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the Renew button as illustrated below.

<Warning> Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret </Warning>