
Boomi Secrets Management Service

Boomi's Secrets Management service allows customers to store their secrets in a remote secrets manager that they alone have access to. Boomi will never have access to this manager because only references to secrets are used in the Boomi Enterprise Platform.

Note: You must have the SECRETS_MANAGEMENT feature on the chosen account to use Secrets Management. If you want to use Secrets Management on cloud runtimes, you will also need the RUNTIME_MANAGEMENT feature. Reach out to your Boomi account representative to activate these features.

Service Structure

  • Platform: In the Platform interface, you can configure environment extensions to point to specific secrets in your remote secrets manager.

  • Runtime: In the Boomi runtime, you can use the secrets management plug-in to retrieve secrets from a previously configured third-party secrets manager and invalidate the secret cache on the runtime to prepare the runtime for a rotated secret.

To learn more about how you can use the Secrets Management service on private clouds or through Managed Cloud Services, refer to Enabling Secrets Management on cloud runtimes.

  • AWS Secrets Manager: You can store secrets you want to reference in AWS's secrets manager.

  • Azure Secrets Manager: You can store secrets you want to reference in Azure's secrets manager.

  • Google Cloud Platform (GCP): You can store secrets you want to reference in GCP's secrets manager.

Execution errors are stored in Process Reporting container logs.

Enabling Secrets Manager on local runtimes

In the Platform, navigate to Integration > Runtime Management. Then, select an environment and click Environment extensions. Select the Use Secrets references checkbox to expose additional fields.

Setting up AWS

  1. In the Advanced Properties tab, set Enable AWS Secrets Manager to true, and enter the region you want to use with secrets management into the AWS Secrets Manager Region field.

  2. Configure the AWS credentials for the runtime instance by following any of the methods defined in the Amazon Default provider chain documentation.

  3. Configure plaintext secrets in the AWS secrets manager with the account and region you allowed the runtime instance to access.

Setting up Azure Key Vault

  1. In the Advanced Properties tab, set Enable Azure Secrets Manager to true.

  2. Configure the Azure credentials for the runtime instance by following any of the methods defined in the DefaultAzureCredential documentation.

  3. Configure plaintext secrets in the Azure Key Vault you allowed the runtime instance to access.

Setting up GCP

  1. In the Advanced Properties tab, set Enable Google Cloud Platform Manager to true.

  2. Configure the GCP credentials for the runtime instance by following any of the methods defined in the GCP Application Default Credentials documentation.

  3. Configure plaintext secrets in the GCP secrets manager you allowed the runtime instance to access.

Enabling Secrets Management on private cloud runtimes

You can use Boomi's Secrets Management Service on a cloud runtime attachment by following the steps below. You can push AWS, Azure, and GCP credentials to individual runtime cloud attachments and private clouds.

As the cloud owner

  1. In the Advanced Properties tab, set the following properties for your runtime cloud at the cloud owner level.
  2. Set the Advanced Property Enable AWS Secrets Manager, Enable Azure Secrets Manager, or Enable GCP Secrets Manager to true.
  3. Set the Custom Property com.boomi.container.cloud.forker.security.v2 to true for AWS, Azure, or GCP.

GCP Users

You have to give your runtime cloud permission to access the JSON credentials file to authenticate your GCP instance. Use the Security Policy API to give your cloud runtime access to the file based on the kind of GCP account you have.

If you want all the tenants and attachments for your cloud to use your GCP credentials, you can set the custom property com.boomi.container.gcp.secretsmanager.defaultCredentialsProvider.enabled to true. This property is not enabled by default.

You must restart the runtime for the permission changes to be reflected. Double-check that you've entered valid credentials after copying the API request body as Boomi Secrets Management Service cannot validate them for you.

For GCP User Accounts

  • The JSON file and path are automatically generated for you. The filename given in the API body below is just an example; you do not need to rename your JSON file.

  • Use this permission in the API request: permission java.io.FilePermission "<path to gcloud directory>/application_default_credentials.json", "read"


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<bns:AtomSecurityPolicies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bns="http://api.platform.boomi.com/" atomId="<your atom id>">
  <bns:common>
    <bns:policies privilegeType="java.io.FilePermission">
      <bns:arguments value="${user.home}/.config/gcloud/application_default_credentials.json"/>
      <bns:arguments value="read"/>
    </bns:policies>
  </bns:common>
  <bns:runner/>
  <bns:worker/>
  <bns:browser/>
</bns:AtomSecurityPolicies>

For GCP Service Accounts

  • Download the service account credentials file from Google Cloud Console. You can place this file anywhere on your system.

  • Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path where the JSON credentials file is stored.

  • Use this permission in the API request: permission java.lang.RuntimePermission "getenv.(GOOGLE_APPLICATION_CREDENTIALS)", "read"


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<bns:AtomSecurityPolicies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bns="http://api.platform.boomi.com/" atomId="<your atom id>">
  <bns:common>
    <bns:policies privilegeType="java.io.FilePermission">
      <bns:arguments value="${user.home}/<Path to service account key file location>/key-file.json"/>
      <bns:arguments value="read"/>
    </bns:policies>
    <bns:policies privilegeType="java.lang.RuntimePermission">
      <bns:arguments value="getenv.(GOOGLE_APPLICATION_CREDENTIALS)"/>
      <bns:arguments value="read"/>
    </bns:policies>
  </bns:common>
  <bns:runner/>
  <bns:worker/>
  <bns:browser/>
</bns:AtomSecurityPolicies>

For Cloud-based GCP Instances

  • This permission is for users who do not have a local GCP credentials file on their system and instead authenticate through the GCP metadata server.

  • Use this permission in the API request: permission java.net.SocketPermission "metadata.google.internal:80", "connect,resolve"


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<bns:AtomSecurityPolicies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bns="http://api.platform.boomi.com/" atomId="<your atom id>">
  <bns:common>
    <bns:policies privilegeType="java.net.SocketPermission">
      <bns:arguments value="metadata.google.internal:80"/>
      <bns:arguments value="connect,resolve"/>
    </bns:policies>
  </bns:common>
  <bns:runner/>
  <bns:worker/>
  <bns:browser/>
</bns:AtomSecurityPolicies>

As a user with a cloud runtime attachment

  1. Ensure you have the AWS or Azure credentials for a user, role, application, or entity with access to the desired secrets manager. For GCP, ensure you have the credentials for a User Account or Service Account.

    • AWS users will need to specify an AccessKeyID, SecretAccessKey, and AWS Region for a user with access to the desired AWS secret(s).

    • Azure users will need to specify the ClientID, TenantID and Client Secret for a user or an authorized application with access to the desired Key Vault secret(s).

    • GCP User Accounts will need to specify gcpAccountType, gcpClientId, gcpClientSecret, and gcpRefreshToken for a user with access to the desired GCP secret(s).

    • GCP Service Accounts will need to specify gcpAccountType, gcpClientId, gcpPrivateKeyId, gcpPrivateKey, and gcpClientEmail for a service with access to the desired GCP secret(s).

  2. Send your secrets manager credentials to your runtime to connect your cloud runtime attachment to a secrets manager with the API call below.

    • Send a POST request to the following platform endpoint: <platform_url>/api/rest/v1/<AccountID>/cloudAttachmentSecretsConfiguration/<runtimeID>

    • Double-check that you've entered valid credentials after copying the API request body as Boomi Secrets Management Service cannot validate them for you.

AWS Request Body


{
  "containerId": "<runtimeID>",
  "secretsManagerProvider": {
    "AWS": {
      "awsAccessKeyId": "<Enter Access Key ID>",
      "awsSecretAccessKey": "<Enter Secret Access Key>",
      "awsRegion": "<Enter AWS Region of Secrets Manager>"
    }
  }
}

Azure Request Body


{
  "containerId": "<runtimeID>",
  "secretsManagerProvider": {
    "AZURE": {
      "azureClientId": "<Enter Client ID>",
      "azureTenantId": "<Enter Tenant ID>",
      "azureClientSecret": "<Enter Client Secret>"
    }
  }
}

GCP User Account Request Body


{
  "containerId": "<runtimeID>",
  "secretsManagerProvider": {
    "GCP": {
      "gcpAccountType": "userAccount",
      "userAccount": {
        "gcpClientId": "<Enter GCP Client ID>",
        "gcpClientSecret": "<Enter GCP Client Secret>",
        "gcpRefreshToken": "<Enter GCP Refresh Token>"
      }
    }
  }
}

GCP Service Account Request Body


{
  "containerId": "<runtimeID>",
  "secretsManagerProvider": {
    "GCP": {
      "gcpAccountType": "serviceAccount",
      "serviceAccount": {
        "gcpProjectId": "<Enter GCP Project ID>",
        "gcpClientId": "<Enter GCP Service Account Client ID>",
        "gcpPrivateKeyId": "<Enter GCP Private Key ID>",
        "gcpPrivateKey": "<Enter GCP Private Key in PEM format>",
        "gcpClientEmail": "<Enter GCP Service Account Email>"
      }
    }
  }
}
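Because the platform cannot validate the credentials you send, it helps to check the request body locally before the POST. The following is an added example, not Boomi's own code: it builds the body for any of the four provider/account-type combinations above using the field names from the request bodies, rejects missing, empty or misspelled fields, masks secret values for logging, and prepares the POST to the cloudAttachmentSecretsConfiguration endpoint. The platform URL, account id, runtime id, and credential values are constructed placeholders, and the authentication header for the platform API is left to the caller.

```python
import json
import urllib.request

# Required credential fields per provider, as listed above for cloud runtime attachments.
REQUIRED_FIELDS = {
    "AWS": ("awsAccessKeyId", "awsSecretAccessKey", "awsRegion"),
    "AZURE": ("azureClientId", "azureTenantId", "azureClientSecret"),
    "GCP/userAccount": ("gcpClientId", "gcpClientSecret", "gcpRefreshToken"),
    "GCP/serviceAccount": ("gcpProjectId", "gcpClientId", "gcpPrivateKeyId",
                           "gcpPrivateKey", "gcpClientEmail"),
}
# Values that must never reach logs, tickets or chat.
SECRET_FIELDS = {"awsSecretAccessKey", "azureClientSecret", "gcpClientSecret",
                 "gcpRefreshToken", "gcpPrivateKey"}

def build_body(runtime_id, provider, creds, gcp_account_type=None):
    """Return the request body as a dict, or raise ValueError.
    The platform does not validate the credentials, so check them here first."""
    key = f"GCP/{gcp_account_type}" if provider == "GCP" else provider
    if key not in REQUIRED_FIELDS:
        raise ValueError(f"unsupported provider/account type: {key}")
    required = REQUIRED_FIELDS[key]
    missing = [f for f in required if not str(creds.get(f) or "").strip()]
    if missing:
        raise ValueError(f"missing or empty fields: {missing}")
    unexpected = sorted(set(creds) - set(required))
    if unexpected:
        raise ValueError(f"unexpected fields (typo?): {unexpected}")
    if key == "GCP/serviceAccount" and not creds["gcpPrivateKey"].startswith("-----BEGIN"):
        raise ValueError("gcpPrivateKey must be the key in PEM format")
    if provider == "GCP":  # GCP nests the credentials under the account type
        spec = {"gcpAccountType": gcp_account_type, gcp_account_type: dict(creds)}
    else:
        spec = dict(creds)
    return {"containerId": runtime_id, "secretsManagerProvider": {provider: spec}}

def redacted(obj):
    """Deep copy with secret values masked, safe to log next to the API response."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redacted(v) for k, v in obj.items()}
    return obj

def build_request(platform_url, account_id, body):
    """POST to <platform_url>/api/rest/v1/<AccountID>/cloudAttachmentSecretsConfiguration/<runtimeID>."""
    url = (f"{platform_url}/api/rest/v1/{account_id}"
           f"/cloudAttachmentSecretsConfiguration/{body['containerId']}")
    data = json.dumps(body).encode("utf-8")
    # Add the account's platform API authentication header before sending (assumption: not shown here).
    return urllib.request.Request(url, data=data, method="POST",
                                  headers={"Content-Type": "application/json"})
```

Send the returned request with urllib.request.urlopen once the authentication header is added, and log only redacted(body) alongside the response.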

Now that the Secrets Management service is set up, you can add secrets either using the Environment Extensions page in Platform, or with the Environment Extensions API. Refer to Adding Secrets to learn more.

Secrets caching

Your secrets are never stored in the file system; they are held in an individual Java classloader. These cached secrets are only kept for one hour, and do not persist across restarts, the creation of a new execution worker, or the creation of a new forked process execution.

To coordinate the caching of secrets with your secret rotation practices, use the refreshSecretsManager API to reset the secret cache on all runtimes in an account. This ensures that the runtimes in your account retrieve secrets directly from the external secrets manager the next time a secret is referenced.
