DOC-1329: Update AWS Secrets Manager docs #2787

Merged

Contributor

@MarcL MarcL commented Jan 24, 2025

  • Updates the AWS Secrets Manager docs to clarify the IAM actions needed to access the secrets.
  • Added an example of a more restrictive IAM policy to show users how to avoid exposing all the secrets in their Secrets Manager to n8n.

Fixes: DOC-1329
Related: PAY-2426

netlify bot commented Jan 24, 2025

Deploy Preview for n8n-docs ready!

Name Link
🔨 Latest commit 89931f4
🔍 Latest deploy log https://app.netlify.com/sites/n8n-docs/deploys/6797a40ec48a7f00089c3144
😎 Deploy Preview https://deploy-preview-2787--n8n-docs.netlify.app

github-actions bot commented Jan 24, 2025

Overall readability score: 44.88 (🟢 +0)

| File | Readability |
| --- | --- |
| external-secrets.md | 52.82 (🟢 +2.53) |

Detailed metrics

🟢 - Shows an increase in readability
🔴 - Shows a decrease in readability

| File | Readability | FRE | GF | ARI | CLI | DCRS |
| --- | --- | --- | --- | --- | --- | --- |
| external-secrets.md | 52.82 | 38.01 | 9.38 | 14.6 | 14.96 | 6.77 |
| | 🟢 +2.53 | 🟢 +8.26 | 🟢 +0.04 | 🟢 +0.2 | 🟢 +0.23 | 🟢 +0.15 |

Averages:

| | Readability | FRE | GF | ARI | CLI | DCRS |
| --- | --- | --- | --- | --- | --- | --- |
| Average | 44.88 | 35.74 | 11.36 | 14.57 | 14.19 | 8.42 |
| | 🟢 +0 | 🟢 +0.01 | 🟢 +0 | 🟢 +0 | 🟢 +0 | 🟢 +0 |

Metric targets

| Metric | Range | Ideal score |
| --- | --- | --- |
| Flesch Reading Ease | 100 (very easy read) to 0 (extremely difficult read) | 60 |
| Gunning Fog | 6 (very easy read) to 17 (extremely difficult read) | 8 or less |
| Auto. Read. Index | 6 (very easy read) to 14 (extremely difficult read) | 8 or less |
| Coleman Liau Index | 6 (very easy read) to 17 (extremely difficult read) | 8 or less |
| Dale-Chall Readability | 4.9 (very easy read) to 9.9 (extremely difficult read) | 6.9 or less |

Contributor Author

@MarcL MarcL left a comment

@imchairmanm - Minor clarification. What do you think?

@@ -50,9 +50,11 @@ Your secret names can't contain spaces, hyphens, or other special characters. n8
}
```

If you'd like to be more restrictive and avoid n8n having access to all of your secrets, you'll still need to allow `secretsmanager:ListSecrets` and `secretsmanager:BatchGetSecretValue` access to all resources. This doesn't allow access to the secret values but is needed to retrieve any ARN-scoped secrets. You will need to scope `secretsmanager:GetSecretValue` to the specific Amazon Resource Names (ARNs) for the secrets you wish to share with n8n. Ensure you use the correct region and account ID in each resource ARNs. You can find the ARN details in the AWS dashboard for your secrets.
You can also be more restrictive and give n8n access to select AWS Secret Manager secrets. You still need to allow the `secretsmanager:ListSecrets` and `secretsmanager:BatchGetSecretValue` permissions to access all resources. These permissions allow n8n to retrieve ARN-scoped secrets, but don't provide access to the secret values.
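
Review bot: The replacement paragraph writes the service name as "AWS Secret Manager"; the product is AWS Secrets Manager, as in this PR's title, so use that spelling. In the same sentence, "access to select AWS Secret Manager secrets" can be read with "select" as a verb; "specific" is unambiguous. The paragraph being replaced told readers to scope `secretsmanager:GetSecretValue` to the ARNs of the secrets shared with n8n and to check the region and account ID in each ARN. That guidance is not in the visible replacement text, so confirm it is kept in the lines that follow, since it is the statement that actually limits which secret values n8n can read.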

Contributor Author

> You can also be more restrictive and give n8n access to select AWS Secret Manager secrets.

We're trying to say that we could allow access to specific secrets and not all here and I don't think that's clear in that sentence. Perhaps this?

> You can also be more restrictive and give n8n access to select selected AWS Secret Manager secrets.

Contributor

Hmm, sorry @MarcL I don't know if I quite understand your comment. Is it that "select" in the original context doesn't necessarily communicate "a specific selection" (that was my intent) or is it something else that's confusing?

Contributor Author

I had a typo in my suggestion. 🤦‍♂️

I meant to say:

> You can also be more restrictive and give n8n access to select specific AWS Secret Manager secrets.

I didn't think it was as clear that you can scope it down to specific secrets that you expose to n8n and you don't have to expose them all with the general wildcard *.

Does that make sense?

Contributor

Yes! Perfectly. Thanks for the added context, I'll make this change and publish.

@imchairmanm imchairmanm merged commit 7ed27bd into main Jan 27, 2025
7 checks passed
@imchairmanm imchairmanm deleted the doc-1329-clarify-secrets-manager-docs-for-aws-iam-access branch January 27, 2025 15:25