Quick Start for Windows¶
If you are running Mac or Linux, use the start script we provide instead.
Before you start, make sure the right AWS permissions are in place so that the setup can create the resources Fidelius needs to run locally. Following the steps below you will:
- Create a DynamoDB table in the format Fidelius uses to store secrets
- Build the required Docker containers
- Start Fidelius locally, with some services mocked, talking to your DynamoDB table so that you can try every Fidelius feature
Demo Features
- Login as a Dev user
- Login as an Ops user
- Login as a Master user
- Create secrets
- View secrets
- Update secrets
- Delete secrets
Prerequisites¶
Fidelius requires the following tools to be installed:
Step 1 - Create a KMS key¶
Create a KMS key in AWS KMS with the alias `credstash`, and note its key ID: the Step 3 policy is scoped to that key. Reference can be found here
Step 2 - Create User Role¶
Create a user role that will be used to run the setup. This role will also assume the application role (Cross_Account_Fidelius, created in Step 3). Its permissions are limited to the credential-store table; only ListTables, which cannot be scoped to a table, is granted on `*`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT_NUMBER>:table/credential-store"
    },
    {
      "Action": [
        "dynamodb:ListTables"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
Step 3 - Create Cross Account Role¶
Create an AWS role that your user role can assume. This role should be called Cross_Account_Fidelius; the name can be changed later. The role needs the following IAM permissions, scoped to the KMS key from Step 1 and the credential-store table (replace `<KMS_KEY_ID>` with the ID of the key behind the `credstash` alias):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "dynamodb:PutItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:kms:<REGION>:<ACCOUNT_NUMBER>:key/<KMS_KEY_ID>",
        "arn:aws:dynamodb:<REGION>:<ACCOUNT_NUMBER>:table/credential-store"
      ]
    }
  ]
}
```
Step 4 - Grant Assume Role¶
Grant your user role from Step 2 permission to assume the Cross_Account_Fidelius role created in Step 3. The resource is the single role ARN, so the user role cannot assume anything else:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/Cross_Account_Fidelius"
    }
  ]
}
```
Step 5 - Update Trust Relationship¶
Add your user role as a trusted principal in the trust relationship of Cross_Account_Fidelius. Step 4 alone is not enough: an assume-role call succeeds only when the caller's policy allows it and the target role's trust policy names the caller.

```
arn:aws:iam::<ACCOUNT_NUMBER>:role/YOUR_USER_ROLE
```
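Steps 1 to 5 as one script, added here as an example; it is not part of the Fidelius project. It renders the policies above from the placeholders and applies them with the AWS CLI. Assumptions: AWS CLI v2 is installed and authenticated as an administrator of the target account, the user role from Step 2 already exists under the name in `FIDELIUS_USER_ROLE` (the default `Fidelius_Setup_User` is hypothetical), the region comes from `AWS_REGION`, and the inline policy names (`FideliusAccess`, `FideliusSetup`, `FideliusAssume`) are the script's own. The Step 3 grant is written as two statements, KMS actions on the key and DynamoDB actions on the table, which allows exactly the same calls as the single statement above while keeping each action off the resource it can never apply to.

```shell
#!/bin/sh
# Added example, not part of the Fidelius project: provisions Steps 1-5 with the
# AWS CLI. Assumptions: AWS CLI v2 installed and authenticated as an administrator
# of the target account; the user role from Step 2 already exists; AWS_REGION set.
set -eu

REGION="${AWS_REGION:-us-east-1}"                        # assumption: default region
USER_ROLE="${FIDELIUS_USER_ROLE:-Fidelius_Setup_User}"    # hypothetical role name
CROSS_ROLE="Cross_Account_Fidelius"                      # name used on this page
TABLE="credential-store"
KMS_ALIAS="alias/credstash"

# Step 5: trust policy for Cross_Account_Fidelius. Only the named user role may assume it.
render_trust_policy() {   # $1 = account id, $2 = user role name
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:role/%s"},"Action":"sts:AssumeRole"}]}' "$1" "$2"
}

# Step 2: table create/describe on the one table; ListTables cannot be resource-scoped.
render_setup_policy() {   # $1 = region, $2 = account id
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:CreateTable","dynamodb:DescribeTable"],"Resource":"arn:aws:dynamodb:%s:%s:table/%s"},{"Effect":"Allow","Action":"dynamodb:ListTables","Resource":"*"}]}' "$1" "$2" "$TABLE"
}

# Step 3: same actions as the page's policy, but KMS actions only on the key and
# DynamoDB actions only on the table (the page lists both resources in one statement).
render_cross_policy() {   # $1 = region, $2 = account id, $3 = kms key id
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kms:Decrypt","kms:Encrypt","kms:GenerateDataKey"],"Resource":"arn:aws:kms:%s:%s:key/%s"},{"Effect":"Allow","Action":["dynamodb:PutItem","dynamodb:BatchWriteItem","dynamodb:GetItem","dynamodb:Scan","dynamodb:Query","dynamodb:UpdateItem"],"Resource":"arn:aws:dynamodb:%s:%s:table/%s"}]}' "$1" "$2" "$3" "$1" "$2" "$TABLE"
}

# Step 4: the user role may assume Cross_Account_Fidelius and nothing else.
render_assume_policy() {  # $1 = account id
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::%s:role/%s"}]}' "$1" "$CROSS_ROLE"
}

apply() {
  ACCOUNT="$(aws sts get-caller-identity --query Account --output text)"

  # Step 1: create the key and give it the credstash alias.
  KEY_ID="$(aws kms create-key --description "Fidelius credstash key" \
              --query KeyMetadata.KeyId --output text)"
  aws kms create-alias --alias-name "$KMS_ALIAS" --target-key-id "$KEY_ID"

  # Steps 3 and 5: cross-account role with its trust policy and permissions.
  aws iam create-role --role-name "$CROSS_ROLE" \
    --assume-role-policy-document "$(render_trust_policy "$ACCOUNT" "$USER_ROLE")"
  aws iam put-role-policy --role-name "$CROSS_ROLE" --policy-name FideliusAccess \
    --policy-document "$(render_cross_policy "$REGION" "$ACCOUNT" "$KEY_ID")"

  # Steps 2 and 4: permissions on the existing user role.
  aws iam put-role-policy --role-name "$USER_ROLE" --policy-name FideliusSetup \
    --policy-document "$(render_setup_policy "$REGION" "$ACCOUNT")"
  aws iam put-role-policy --role-name "$USER_ROLE" --policy-name FideliusAssume \
    --policy-document "$(render_assume_policy "$ACCOUNT")"
}

# Run this while authenticated as the user role: it succeeds only if Steps 4 and 5 agree.
verify() {
  ACCOUNT="$(aws sts get-caller-identity --query Account --output text)"
  aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$CROSS_ROLE" \
    --role-session-name fidelius-check --query Credentials.Expiration --output text
}

# Nothing touches AWS unless asked, so the render functions can be sourced and tested.
case "${FIDELIUS_IAM:-}" in
  apply)  apply ;;
  verify) verify ;;
esac
```

Run `FIDELIUS_IAM=apply sh fidelius-iam.sh` as an administrator, then switch to the user role and run `FIDELIUS_IAM=verify sh fidelius-iam.sh`; an `AccessDenied` at that point means either the Step 4 policy or the Step 5 trust relationship is missing, since AWS requires both sides to agree.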
Step 6 - Set Environment Variables¶
Set the following environment variables.

If you need a proxy, set `http_proxy`:

```sh
export http_proxy=proxy.com:80
```

Set `AWS_DIRECTORY` to the directory that contains your AWS credentials:

```sh
export AWS_DIRECTORY=~/.aws
```

Set `AWS_ACCOUNT_NUMBER` to the 12-digit ID of the account in which the resources for Fidelius will be created:

```sh
export AWS_ACCOUNT_NUMBER=123456789012
```
Step 7 - Run Fidelius¶
Refresh your AWS tokens then proceed to 7A.
7A. Build Containers¶

```sh
cd containers
docker-compose build
```

7B. Build Fidelius demo services¶

```sh
cd demo-services/fake-account-service
mvn clean install
```

7C. Build Fidelius setup container¶

```sh
cd demo-services/fidelius-setup
mvn clean install
```

7D. Build Fidelius backend service¶

```sh
cd fidelius-service
mvn clean install
```

7E. Build Fidelius UI¶

```sh
cd fidelius-ui
npm install
npm run build
```

7F. Build Fidelius containers¶

```sh
docker-compose -f setup-docker-compose.yml build
docker-compose -f local-docker-compose.yml build
```

7G. Start Fidelius Setup¶

```sh
docker-compose -f setup-docker-compose.yml up
```

Wait for the setup process to complete, then start Fidelius:

```sh
docker-compose -f local-docker-compose.yml up
```
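Steps 6 and 7 as one script, added here as an example; it is not part of the Fidelius project. It assumes it is run from the repository root in the same shell the `export` lines above are typed into (on Windows, Git Bash or WSL; an assumption), and that the AWS CLI is installed for the session check. The checks before the build catch what the steps above cannot on their own: an account number that is not 12 digits, an `AWS_DIRECTORY` without a credentials file, a proxy value without a port, missing build tools, and an AWS session that has expired or belongs to a different account, which the setup container would otherwise discover only after all the builds have run.

```shell
#!/bin/sh
# Added example, not part of the Fidelius project: preflight checks for Step 6 and
# the Step 7 build/run sequence. Assumes it runs from the repository root and that
# docker, docker-compose, mvn, npm and the AWS CLI are on PATH.
set -eu

# AWS account IDs are exactly 12 digits; this catches a digit dropped when pasting.
valid_account_id() {   # $1 = candidate account id
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# AWS_DIRECTORY must exist and contain a credentials file for the setup to use.
aws_directory_ok() {   # $1 = directory
  [ -d "$1" ] && [ -f "$1/credentials" ]
}

# http_proxy is optional; when set it must carry a port, as in proxy.com:80.
proxy_ok() {   # $1 = proxy value, possibly empty
  case "$1" in
    '')         return 0 ;;
    *:[0-9]*)   return 0 ;;
    *)          return 1 ;;
  esac
}

# Every tool Step 7 invokes must be present; report all missing ones at once.
tools_ok() {
  missing=""
  for t in docker docker-compose mvn npm aws; do
    command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
  done
  [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

preflight() {
  valid_account_id "${AWS_ACCOUNT_NUMBER:-}" || { echo "AWS_ACCOUNT_NUMBER must be 12 digits" >&2; return 1; }
  aws_directory_ok "${AWS_DIRECTORY:-}"     || { echo "AWS_DIRECTORY has no credentials file" >&2; return 1; }
  proxy_ok "${http_proxy:-}"                || { echo "http_proxy must look like host:port" >&2; return 1; }
  tools_ok
  # "Refresh your AWS tokens": the active session must belong to the account we build for.
  actual="$(aws sts get-caller-identity --query Account --output text)"
  [ "$actual" = "$AWS_ACCOUNT_NUMBER" ] || { echo "session is for account $actual, not $AWS_ACCOUNT_NUMBER" >&2; return 1; }
}

# Steps 7A-7G in order. Each build runs in a subshell so the working directory is
# restored, and set -e stops at the first failing build.
build_and_run() {
  (cd containers && docker-compose build)                           # 7A
  (cd demo-services/fake-account-service && mvn clean install)      # 7B
  (cd demo-services/fidelius-setup && mvn clean install)            # 7C
  (cd fidelius-service && mvn clean install)                        # 7D
  (cd fidelius-ui && npm install && npm run build)                  # 7E
  docker-compose -f setup-docker-compose.yml build                  # 7F
  docker-compose -f local-docker-compose.yml build
  docker-compose -f setup-docker-compose.yml up                     # 7G: returns when setup is done
  docker-compose -f local-docker-compose.yml up                     #     serves the Dev/Ops/Master UIs
}

# Only builds when explicitly asked, so the check functions can be sourced and tested.
if [ "${FIDELIUS_RUN:-0}" = "1" ]; then
  preflight
  build_and_run
fi
```

Run it as `FIDELIUS_RUN=1 sh fidelius-run.sh` after the Step 6 exports. The account check compares the session's account against `AWS_ACCOUNT_NUMBER` rather than just testing that the session works, because a valid session in the wrong account would let the setup container create the table somewhere you did not grant the Step 2 permissions.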
Step 8 - Navigate to Fidelius¶
Navigate to the links below to try Fidelius Secrets Manager. Each port serves the UI for one of the three demo roles.

Fidelius User Endpoints

| Role | URL |
|---|---|
| Dev | https://localhost:443 |
| Ops | https://localhost:444 |
| Master | https://localhost:445 |
Next Steps¶
Once Fidelius is running locally with the default configuration, you will likely want to adjust it so that you can run or deploy Fidelius for your organization.
The application configuration options are documented under Configuration