Axiom Runner - Setup and Secret Configuration

How to configure the Axiom runner

Updated over 2 months ago

Introduction

This guide will introduce you to the basic concepts of operating our product using Axiom Runner. It will explain the necessary steps of deployment and integration.

Overview of Axiom Runner

The Axiom Runner is a local agent that enables Axiom Security to extend its functionality to entities that are not directly accessible from the internet. It acts as a bridge between your internal resources and the Axiom SaaS application.

Here's a high-level overview of how the Axiom Runner works:

Communication Flow:

  • The Axiom Runner establishes a secure communication channel with the Axiom SaaS Application.

  • It receives tasks and instructions from the Axiom SaaS Platform.

  • The Runner executes these tasks on internal resources that are not directly accessible to the Axiom SaaS Platform.

Credential Management:

  • Sensitive information (like access credentials) is stored in the Secrets Manager.

  • The Axiom Runner retrieves these credentials as needed to perform its tasks.

  • This approach ensures that sensitive data never leaves your AWS environment.

Task Execution:

  • The Runner performs various tasks such as access provisioning, credential dispensation, and data collection.

  • It can interact with various internal resources like Kubernetes clusters, databases, and cloud services.

Result Reporting:

  • After executing tasks, the Runner reports results back to the Axiom SaaS Application.

  • This allows for centralized monitoring and management of your security operations.

Security:

  • All communications between components are encrypted.

  • The Runner operates with the principle of least privilege, accessing only the resources and information necessary for its tasks.


This architecture allows Axiom Security to provide comprehensive security management for your internal resources while maintaining the separation between your internal network and the SaaS application. The Axiom Runner acts as a secure, controlled gateway for these interactions.

Deployment Methods

Each deployment method for the Axiom Runner has its own advantages and considerations:

Binary:

  • Components:

    • Axiom Runner executable

  • Requirements:

    • Linux operating system (x64 or arm64)

    • Network connectivity to AWS services and Axiom backend

    • IAM permissions for AWS Secrets Manager and other necessary AWS services

  • Execution:

    • Runs directly on the host machine

    • Managed as a system service (e.g., systemd)

Docker:

  • Components:

    • Axiom Runner Docker image

    • Docker engine

  • Requirements:

    • Docker-compatible operating system

    • Network connectivity to AWS services and Axiom backend

    • IAM permissions for AWS Secrets Manager and other necessary AWS services

  • Execution:

    • Runs within a Docker container

    • Can be easily deployed and updated using container orchestration tools

Kubernetes:

  • Components:

    • Axiom Runner Docker image

    • Kubernetes cluster (e.g., EKS)

    • Kubernetes deployment manifests

    • OIDC provider for AWS IAM integration

  • Requirements:

    • Operational Kubernetes cluster

    • Network outbound connectivity to AWS services and Axiom backend

    • IAM roles and policies for Kubernetes service accounts

    • Properly configured OIDC provider

  • Execution:

    • Runs as a pod within the Kubernetes cluster

    • Leverages Kubernetes features for scaling, monitoring, and management

NOTE

Each method provides the core functionality of the Axiom Runner but differs in terms of deployment complexity, scalability, and integration with existing infrastructure.

Choose the deployment method that best fits your organization's specific needs, existing infrastructure, team and operational expertise, and scaling needs.

Deployment Synopsis in Steps:

  1. Create a runner group in Axiom Web Application

  2. Deploy the runner in your AWS account (Binary / Docker / EKS)

  3. Create integration secrets in the secret manager

  4. Create a new integration in Axiom Web Application using the axiom runner

1. Creating a Runner Group:

  1. Log in to the Axiom Web Application

  2. Enter the Preferences screen and navigate to Runner Groups

  3. Click on “Create a new Runner Group”

  4. In the group creation screen give the group a meaningful name and click on “Create”.

The group is now on the list.

Click on the key icon next to your group and note the following information:

  • Tenant ID

  • Runner Group ID

  • Runner API Key

Deploy the Runner in your AWS Account:

Steps:

  1. Deploy the Secrets Manager Role (Optional)

  2. Deploy the Runner (EC2 / Docker / EKS)

Deploy the Secrets Manager Role (Optional)

The following procedure deploys a CloudFormation template that creates a proxy role for the Axiom Runner to use when the AWS secret store is in another account.

Download the CloudFormation template from here or Launch Console directly.

Deploy CloudFormation template:

You need to provide a Stack name and an External ID for the role, and can optionally change the role name (please add “Axiom-Security” to any role name you choose).

After the stack is created, navigate to the Outputs tab and copy the Role ARN and External ID. You will need them for deploying the runner on EKS and/or a standalone EC2.

Deploying the Runner (Binary/Docker)

Currently the only supported operating system is Linux (x64 and arm64).

Versions

Follow these steps to download and run the latest Axiom runner on your machine:

To find and deploy a specific release visit:
https://gallery.ecr.aws/j1l0w7h1/actionsrunner-service

Kubernetes

AWS EKS

The following steps will help you install Axiom Runner on your EKS cluster.

The procedure requires the installation of two deployment files:

  1. CloudFormation template for installing OIDC required resources (link)

  2. Kubernetes deployment YAML for installing the deployment, service account, role, etc. (link)

It’s recommended to start the runner with at least 1 vCPU, 2 GB RAM and 50 GB disk storage.

💡 Before you begin: the templates require an OIDC provider for your EKS cluster.

Step 1: Deploy CloudFormation template

  1. Navigate to the AWS CloudFormation console or use the AWS CLI to deploy the template.

  2. Provide the following parameters:

    • KubernetesNamespace: The namespace where you want to deploy the Axiom runner (default is 'axiom').

    • RoleName: Name for the IAM role that will be created (default is 'axiomrunner-role').

    • OIDCProviderURL: OIDC Provider URL without 'https://' (e.g., 'oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE').

    • OIDCProviderARN: ARN of the OIDC Provider (e.g., 'arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE').

  3. Review the stack details and acknowledge that AWS CloudFormation might create IAM resources.

  4. Create the stack and wait until the stack creation is complete.

After the stack is successfully created, navigate to the Outputs tab and copy the value of the AxiomRunnerIAMRole key. This is the ARN of the role created for the Axiom runner.


Helm

1. Download and unzip the Helm chart:

    wget https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiomrunner/releases/latest/axiom-runner-helm-v2.zip

    unzip axiom-runner-helm-v2.zip

2. Install the chart with default parameters:

    helm upgrade --install axiom-runner-v2 ./axiom-runner-helm-v2 -n your-namespace \
      --set runner.RUNNER_ROLE_ARN=arn:aws:iam::your-account-id:role/your-runner-role \
      --set runner.RUNNER_GROUP_ID=your-runner-group-id \
      --set runner.RUNNER_API_KEY=your-api-key \
      --set runner.TENANT_ID=your-tenant-id

Make sure to replace your-namespace, your-account-id, your-runner-role, your-runner-group-id, your-api-key, and your-tenant-id with your specific values.

This command installs the Axiom Runner with the minimum required parameters. For more advanced configurations, please refer to the full documentation in the README.md that comes with the helm zip.

Deployment YAML file

  1. In your Kubernetes YAML file:

    • Replace <IAM_ROLE_HERE> with the role ARN you copied from the previous step.

    • Fill the deployment's environment variables with your values (runner group id, runner api key, axiom tenant ID).

  2. Apply the Kubernetes template:

    kubectl apply -f eks-runner-kubernetes.yaml -n <NAMESPACE>

Replace <NAMESPACE> with the same namespace you specified in the CloudFormation template.

Docker

Option 1: Download Script

  1. Download script and execute it

    sudo wget https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiomrunner/releases/latest/axiom-runner-docker.zip && \
    unzip axiom-runner-docker.zip && \
    cd axiom-runner-docker && \
    chmod +x axiom-runner-docker.sh && \
    ./axiom-runner-docker.sh start --tenantid "YOUR_TENANT_ID" --runnergroupid "YOUR_RUNNER_GROUP_ID" --apikey "YOUR_API_KEY"

  2. To stop the runner, run ./axiom-runner-docker.sh stop

  3. To register the axiom-runner as a systemd service, run:

    sudo ./axiom-runner-docker.sh register --tenantid "your_tenant_id" --runnergroupid "your_runnergroupid" --apikey "your_apikey"

    ## run to remove the systemctl service
    sudo ./axiom-runner-docker.sh deregister

Option 2: Manual

  1. Create a folder for the runner and navigate to it:

    mkdir -p axiom-runner && cd axiom-runner

  2. Pull the latest Axiom runner image:

    docker pull public.ecr.aws/j1l0w7h1/actionsrunner-service:latest

  3. Create the .env file:

    cat << EOF > .env
    TENANT_ID=$TENANT_ID
    RUNNER_GROUP_ID=$RUNNER_GROUP_ID
    RUNNER_API_KEY=$RUNNER_API_KEY
    SECRETS_STORE_ENGINE=aws-secrets-manager
    WORKFLOW_RESULT_TASK_QUEUE=AxiomWorkflowResultHandlerTaskQueue
    WORKFLOW_RESULT_ACTIVITY_NAME=HandleWorkflowResult
    AXIOM_ACTIONS_ADDRESS_AND_PORT=axiomactions.axiom.security:443
    EOF

    Replace `TENANT_ID`, `RUNNER_GROUP_ID`, and `RUNNER_API_KEY` with your actual values.

    If the AWS Secrets Manager proxy role is used, add the following values to the .env file:

    AWS_SECRETS_MANAGER_ROLE_EXTERNAL_ID=$value
    AWS_SECRETS_MANAGER_REGION=$value
    AWS_SECRETS_MANAGER_ROLE_ARN=$value

  4. Start the Axiom runner using Docker:

    docker run -d --name axiom-runner \
      --env-file "$(pwd)/.env" \
      --network host \
      public.ecr.aws/j1l0w7h1/actionsrunner-service:latest


Binary

Option 1: Download Script

  1. Download script and execute it

    wget https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiomrunner/releases/latest/axiom-runner-binary.zip && \
    unzip axiom-runner-binary.zip && \
    cd axiom-runner-binary && \
    chmod +x axiom-runner.sh && \
    ./axiom-runner.sh start --tenantid "your_tenant_id" --runnergroupid "your_runnergroupid" --apikey "your_apikey"


    To stop the runner, run ./axiom-runner.sh stop

  2. To register the axiom-runner as a systemd service, run:

    sudo ./axiom-runner.sh register --tenantid "your_tenant_id" --runnergroupid "your_runnergroupid" --apikey "your_apikey"

    ## run to remove the systemctl service
    sudo ./axiom-runner.sh deregister

Option 2: Manual

  1. Create a folder for the runner and navigate to it:

    mkdir -p axiomrunner && cd axiomrunner

  2. Download the Axiom runner binary and make it executable:

    amd64:

    wget https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiomrunner/releases/latest/regular-amd64_linux_amd64_v1/axiomrunner

    arm64:

    wget https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiomrunner/releases/latest/regular-amd64_linux_arm64_v1/axiomrunner

  3. chmod +x axiomrunner

  4. Create the .env file:

    cat << EOF > .env
    TENANT_ID=your-tenant-id
    RUNNER_GROUP_ID=your-runner-group-id
    RUNNER_API_KEY=your-api-key
    SECRETS_STORE_ENGINE=aws-secrets-manager
    WORKFLOW_RESULT_TASK_QUEUE=AxiomWorkflowResultHandlerTaskQueue
    WORKFLOW_RESULT_ACTIVITY_NAME=HandleWorkflowResult
    AXIOM_ACTIONS_ADDRESS_AND_PORT=axiomactions.axiom.security:443
    EOF

  5. Start the axiomrunner:

    ./axiomrunner --env-file .env &> axiom-runner.log &

Additional Start params

  1. Optional parameters when using optional Secrets Manager Role:
    - AWS_SECRETS_MANAGER_REGION
    - AWS_SECRETS_MANAGER_ROLE_ARN
    - AWS_SECRETS_MANAGER_ROLE_EXTERNAL_ID
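
A pre-start check for the .env file built in the manual Docker and Binary steps above, as an added example that is not part of Axiom's tooling. The function names, the placeholder patterns and the file-mode rule are assumptions of this example; the variable names are the ones listed on this page.

```python
import os
import re
import stat

# Variable names as listed in the manual Docker/Binary steps on this page.
REQUIRED = (
    "TENANT_ID", "RUNNER_GROUP_ID", "RUNNER_API_KEY", "SECRETS_STORE_ENGINE",
    "WORKFLOW_RESULT_TASK_QUEUE", "WORKFLOW_RESULT_ACTIVITY_NAME",
    "AXIOM_ACTIONS_ADDRESS_AND_PORT",
)
PROXY_ROLE = (
    "AWS_SECRETS_MANAGER_ROLE_EXTERNAL_ID", "AWS_SECRETS_MANAGER_REGION",
    "AWS_SECRETS_MANAGER_ROLE_ARN",
)
# Values copied from the page without being replaced: $VAR, ${VAR}, your-..., <...>.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|your[-_].*|<.*>)$", re.IGNORECASE)


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def lint_env(text, mode=None):
    """Return a list of problems. Messages name keys only, never values."""
    env = parse_env(text)
    problems = []
    for key in REQUIRED + PROXY_ROLE:
        value = env.get(key)
        if value is None:
            if key in REQUIRED:
                problems.append(f"{key}: missing")
        elif value == "":
            # `cat << EOF` expands $VAR; an unset variable becomes an empty value.
            problems.append(f"{key}: empty (unset shell variable expanded by the heredoc)")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key}: placeholder not replaced")
    engine = env.get("SECRETS_STORE_ENGINE")
    if engine and engine != "aws-secrets-manager":
        problems.append("SECRETS_STORE_ENGINE: only aws-secrets-manager is supported")
    # Assumption: the three proxy-role settings are used together or not at all.
    missing = [k for k in PROXY_ROLE if not env.get(k)]
    if 0 < len(missing) < len(PROXY_ROLE):
        problems.append("proxy role settings incomplete, missing: " + ", ".join(missing))
    # The file holds RUNNER_API_KEY, so only its owner should have access.
    if mode is not None and mode & 0o077:
        problems.append(f"file mode {mode & 0o777:03o} lets group or others access RUNNER_API_KEY")
    return problems


def lint_file(path):
    """Lint an .env file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    return lint_env(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    import sys
    for problem in lint_file(sys.argv[1] if len(sys.argv) > 1 else ".env"):
        print(problem)
```
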


That's it! Your Axiom runner should now be up and running.

The logs should indicate something similar to this:

{"level":"info","time":1668672573,"message":"Started Axiom Runner Namespace = <namespace> | TaskQueue = <taskqueue> | WorkerID = [email protected]@ |"}

Create a new Integration in Axiom Web Application

  1. In the main navigation menu click on "Integrations".

  2. Choose the relevant integration type and click on the "+" icon.

  3. Every integration screen contains a "Use Axiom Runner" checkbox. Check it, and in the dropdown list select the runner group you created earlier.

  4. When using the Axiom Runner, it expects a secret with a specific pattern to be located in your secrets manager (currently only AWS Secrets Manager is supported).
    See this section for detailed instructions

If the Axiom Runner cannot find the secret, or the secret contains incorrect values, you will receive an error.
This can also be validated with the axiom runner logs.

Updating and Maintenance

To keep your Axiom Runner up to date and properly maintained:

Version Checking

Update Process:

- For Docker deployments: Pull the latest image and redeploy your container.

- For EC2 deployments: Download the latest binary and restart the service.

- For EKS deployments: Update your Kubernetes deployment with the latest image.

  • Log Monitoring: Regularly review logs for any errors.

  • Performance Monitoring: Monitor the resource usage of your Axiom Runner and adjust resources as needed.

  • Backup: The Axiom Runner itself is fully stateless, so no backups are needed.

Limitations

While the Axiom Runner is a powerful tool, it's important to be aware of its limitations:

  1. AWS-Centric: Currently, the Axiom Runner is designed to work primarily with AWS services. Integration with other cloud providers may be limited.

  2. Secrets Manager: At present, only AWS Secrets Manager is supported for storing sensitive information.

  3. Network Connectivity: The Axiom Runner requires consistent network connectivity to function properly. It may not be suitable for environments with intermittent connectivity.

FAQ and Debugging Issues

If you encounter issues while setting up or running the Axiom Runner, here are some common problems and their solutions:

  1. Axiom Runner shows "cannot access secret manager" error from AWS

    This error often occurs when the IAM role is not properly configured or associated with the runner.

    Possible cause: The <IAM_ROLE_HERE> placeholder in the Kubernetes YAML file was not replaced with the correct role ARN.

    Solution:

    • Double-check your Kubernetes YAML file.

    • Ensure that you've replaced <IAM_ROLE_HERE> with the exact role ARN you copied from the CloudFormation stack outputs (AxiomRunnerIAMRole).

    • The line should look similar to this:

      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/axiomrunner-role

    • After making the change, reapply the Kubernetes YAML file:

      kubectl apply -f eks-runner-kubernetes.yaml -n <NAMESPACE>

  2. Test connection fails due to secret not properly configured

    This issue can arise if the secret in AWS Secrets Manager is not set up correctly.

    Possible causes:

    • The secret name is incorrect.

    • The secret values are not properly formatted or contain incorrect information.


    Solution:

    • Verify the secret name:

      • The secret name should be in the format: axiom-security/<YOUR_SECRET_NAME>

      • Ensure this matches exactly with what you've configured in your Axiom integration settings.

    • Check the secret values:

      • Log into the AWS Console and navigate to Secrets Manager.

      • Find your secret and verify its contents.

      • Ensure all required fields are present and correctly formatted.

    • If you need to update the secret:

      • You can do this directly in the AWS Console, or use the AWS CLI:

        aws secretsmanager update-secret --secret-id axiom-security/<YOUR_SECRET_NAME> --secret-string '{"key1":"value1","key2":"value2"}'

      • Replace <YOUR_SECRET_NAME> with your actual secret name, and include all necessary key-value pairs.

  3. General troubleshooting steps:

    • Check the Axiom Runner logs:

      kubectl logs -f deployment/axiom-runner -n <NAMESPACE>
    • Verify the runner's IAM role:

      kubectl describe pod -l app=axiom-runner -n <NAMESPACE>


      Look for the eks.amazonaws.com/role-arn annotation to ensure it matches the ARN from your CloudFormation stack.

    • Ensure your EKS cluster's OIDC provider is correctly set up:

      aws eks describe-cluster --name <YOUR_CLUSTER_NAME> --query "cluster.identity.oidc.issuer" --output text


      This should match the OIDCProviderURL you provided in the CloudFormation template.

  4. In case whitelisting of Axiom platform IP addresses is required, use the following IPs:

    3.120.212.105 18.184.175.29

Creating Axiom Secret in AWS Secrets Manager

Based on the required integration, the Axiom Runner expects specific secret names and values to work properly. Here's a guide for creating secrets for each supported integration:

Kubernetes

  • Secret Name: axiom-security/k8s/<API Server Endpoint>

  • Secret Value (JSON):

    { "k8s_cluster_name": "<Alias>", "k8s_fqdn": "<API Server Endpoint>", "k8s_cert_secret": "<Service Account Token>", "k8s_cert_authority": "<Cluster CA>" }
  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/k8s/production-k8s.example.local" --secret-string '{"k8s_cluster_name": "production-k8s","k8s_fqdn": "production-k8s.example.local","k8s_cert_secret": "ey.ABCD1234","k8s_cert_authority": "ABCD1234"}'

PostgreSQL

  • Secret Name: axiom-security/postgresql/<endpoint>

  • Secret Value (JSON):

    { "postgresql_hostname": "<endpoint>", "postgresql_password": "<password>", "postgresql_username": "<username>" }

  • If you are using PostgreSQL with SSL, then also include the following:

    "ssl_mode":"true"

  • Note that "true" must be wrapped in quote marks as in the example above.

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/postgresql/production.juio7s3tr44s.eu-central-1.rds.amazonaws.com" --secret-string '{"postgresql_hostname":"production.juio7s3tr44s.eu-central-1.rds.amazonaws.com","postgresql_password":"qwerty","postgresql_username":"admin"}'

MySQL

  • Secret Name: axiom-security/mysql/<endpoint>

  • Secret Value (JSON):

    { "mysql_hostname": "<endpoint>", "mysql_password": "<password>", "mysql_username": "<username>" }
  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/mysql/production.juio7s3tr44s.eu-central-1.rds.amazonaws.com" --secret-string '{"mysql_hostname":"production.juio7s3tr44s.eu-central-1.rds.amazonaws.com","mysql_password":"qwerty","mysql_username":"admin"}'

Okta

  • Secret Name: axiom-security/okta/<organization_subdomain>

  • Secret Value (JSON):

    { "okta_domain": "<organization_subdomain>", "token": "<token>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/okta/examplecompany.okta.com" --secret-string '{"okta_domain":"examplecompany.okta.com","token":"gjsdkfgy67823yroiwhgaskufgy8923r"}'

Google Workspace

  • Secret Name: axiom-security/googleworkspace/<customer_id>

  • Secret Value: Use the original Key JSON file created from the Google Cloud Console, and add customer_id and impersonation_email

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/googleworkspace/J8947jdfh154" --secret-string '{"type":"service_account","project_id":"axiom-integration-project","private_key_id":"lksaufhg834htluidshg84hilwdg8hasgsfhgp98erug","private_key":"-----BEGIN PRIVATE KEY-----<>-----END PRIVATE KEY-----\n","client_email":"axiom-service-account@axiom-integration-project.iam.gserviceaccount.com","client_id":"7842567803465908265908345","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/axiom-service-account%axiom-integration-project.iam.gserviceaccount.com","customer_id":"J8947jdfh154","impersonation_email":"[email protected]"}'

Google Cloud Platform

  • Secret Name: axiom-security/gcp/<organization_id>

  • Secret Value: Use the original Key JSON file created from the Google Cloud Console, and add gcp_organization_id

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/gcp/73845678465809" --secret-string '{"type":"service_account","project_id":"axiom-integration-project","private_key_id":"lksaufhg834htluidshg84hilwdg8hasgsfhgp98erug","private_key":"-----BEGIN PRIVATE KEY-----<>-----END PRIVATE KEY-----\n","client_email":"axiom-service-account@axiom-integration-project.iam.gserviceaccount.com","client_id":"7842567803465908265908345","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/axiom-service-account%axiom-integration-project.iam.gserviceaccount.com","gcp_organization_id":"73845678465809"}'

MongoDB Atlas

  • Secret Name: axiom-security/mongodbatlas/<organization_id>

  • Secret Value (JSON):

    { "mongodbatlas_org_id": "<organization_id>", "mongodbatlas_private_key": "<private_key>", "mongodbatlas_public_key": "<public_key>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/mongodbatlas/278364578236478654" --secret-string '{"mongodbatlas_org_id":"278364578236478654","mongodbatlas_private_key":"sdlkjfhasjkldghu83-jfkgh-341-aasd-sdfjk8488343","mongodbatlas_public_key":"kkejgijgy"}'

Azure Entra ID (Formerly known as Azure AD)

  • Secret Name: axiom-security/azuread/<tenant_id>

  • Secret Value (JSON):

    { "azuread_client_id": "<client_id>", "azuread_client_secret": "<client_secret>", "azuread_tenant_id": "<tenant_id>" }
  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/azuread/isrghj8-n2fq7i3gf-gu643-b7afu4" --secret-string '{"azuread_client_id":"odfhg89-kalsjdgfh783-oiasjf83-nfow8","azuread_client_secret":"wk8g374hlf78hil7awg98","azuread_tenant_id":"isrghj8-n2fq7i3gf-gu643-b7afu4"}'

JumpCloud

  • Secret Name: axiom-security/jumpcloud/<account_id>

  • Secret Value (JSON):

    { "api_key": "<api_key>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/jumpcloud/<account_id>" --secret-string '{"api_key":"834tu90egmer80gjae80gahjrv80aehp98aerg"}'

PagerDuty

  • Secret Name: axiom-security/pagerduty/<company_name>

  • Secret Value (JSON):

    { "pagerduty_api_key": "<api_key>", "pagerduty_company_name": "<company_name>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/pagerduty/example-company" --secret-string '{"pagerduty_api_key":"98f349hf81","pagerduty_company_name":"example-company"}'

GitHub

  • Secret Name: axiom-security/github/<application_id>

  • Secret Value (JSON):

    { "github_app_identifier": "<application_id>", "github_installation_id": "<application_installation_id>", "github_org_name": "<organization_name>", "github_private_key": "<private_key>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/github/123456" --secret-string '{"github_app_identifier":"123456","github_installation_id":"12345678","github_org_name":"example-github-org","github_private_key":"-----BEGIN RSA PRIVATE KEY-----<>-----END RSA PRIVATE KEY-----"}'

Amazon Web Services (AWS)

  • Secret Name: axiom-security/aws/<account_id>

  • Secret Value (JSON):

    { "external_id": "<external_id>", "role_arn": "<role_arn>" }

  • Example AWS CLI Command:

    aws secretsmanager create-secret --name "axiom-security/aws/1234567890" --secret-string '{"external_id":"axiom-axiom-axiom","role_arn":"arn:aws:iam::1234567890:role/AxiomIntegrationRole"}'

After creating the appropriate secret for your integration, you can proceed to set up the integration in the Axiom Web Application as described in the previous section.
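
A check to run on a secret name and value before `create-secret` or `update-secret`, covering the "Test connection fails due to secret not properly configured" case from the FAQ; this is an added example, not Axiom's own code. The function name is hypothetical, the key table is transcribed from the templates above, and requiring the `<id>` part of the name to equal the value field that shares its placeholder is this example's reading of those templates.

```python
import json
import re

# integration type -> (required keys, key whose value repeats the <id> part of the name).
# Transcribed from the templates on this page; None where the value holds no such field.
SCHEMAS = {
    "k8s": (("k8s_cluster_name", "k8s_fqdn", "k8s_cert_secret", "k8s_cert_authority"), "k8s_fqdn"),
    "postgresql": (("postgresql_hostname", "postgresql_password", "postgresql_username"), "postgresql_hostname"),
    "mysql": (("mysql_hostname", "mysql_password", "mysql_username"), "mysql_hostname"),
    "okta": (("okta_domain", "token"), "okta_domain"),
    "googleworkspace": (("customer_id", "impersonation_email"), "customer_id"),
    "gcp": (("gcp_organization_id",), "gcp_organization_id"),
    "mongodbatlas": (("mongodbatlas_org_id", "mongodbatlas_private_key", "mongodbatlas_public_key"), "mongodbatlas_org_id"),
    "azuread": (("azuread_client_id", "azuread_client_secret", "azuread_tenant_id"), "azuread_tenant_id"),
    "jumpcloud": (("api_key",), None),
    "pagerduty": (("pagerduty_api_key", "pagerduty_company_name"), "pagerduty_company_name"),
    "github": (("github_app_identifier", "github_installation_id", "github_org_name", "github_private_key"), "github_app_identifier"),
    "aws": (("external_id", "role_arn"), None),
}

# A value that is still a template placeholder such as <password>.
PLACEHOLDER = re.compile(r"^<[^<>]*>$")


def validate_secret(name, secret_string):
    """Return a list of problems; empty means the secret follows the page's template.

    Messages mention key names only, so the output is safe to log.
    """
    parts = name.split("/", 2)
    if len(parts) != 3 or parts[0] != "axiom-security" or not parts[2]:
        return [f"name {name!r} is not axiom-security/<type>/<id>"]
    _, kind, ident = parts
    if kind not in SCHEMAS:
        return [f"unknown integration type {kind!r}"]
    try:
        value = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret value is not valid JSON: {exc.msg}"]
    if not isinstance(value, dict):
        return ["secret value must be a JSON object"]

    problems = []
    required, id_key = SCHEMAS[kind]
    for key in required:
        if key not in value:
            problems.append(f"missing key {key!r}")
        elif not isinstance(value[key], str) or not value[key]:
            problems.append(f"{key!r} must be a non-empty string")
        elif PLACEHOLDER.match(value[key]):
            problems.append(f"{key!r} still holds a template placeholder")
    if id_key and isinstance(value.get(id_key), str) and value[id_key] != ident:
        problems.append(f"{id_key!r} does not match the <id> part of the secret name")
    # The PostgreSQL note above: "true" must be wrapped in quote marks.
    if kind == "postgresql" and "ssl_mode" in value and not isinstance(value["ssl_mode"], str):
        problems.append('"ssl_mode" must be a quoted string')
    return problems


if __name__ == "__main__":
    # Constructed sample: ssl_mode given as a JSON boolean instead of "true".
    sample = ('{"postgresql_hostname":"db.example.internal","postgresql_password":"x",'
              '"postgresql_username":"admin","ssl_mode":true}')
    for problem in validate_secret("axiom-security/postgresql/db.example.internal", sample):
        print(problem)
```
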
