Add certificates from Secret Manager
F5 NGINXaaS for Google Cloud (NGINXaaS) can fetch secrets directly from Secret Manager to use as certificates and keys in your NGINX configuration, ensuring your credentials remain securely within Google Cloud.
If you haven’t already done so, complete the following prerequisites:
- Enable the Secret Manager API.
- Create an NGINXaaS deployment.
- Configure Workload Identity Federation (WIF). See our documentation on setting up WIF for exact steps.
- Grant access to the WIF principal with the Secret Manager Secret Accessor role.
To add an SSL/TLS certificate and key as a secret to Secret Manager,
- Ensure your certificate and key file(s) are in one of our accepted formats.
- Follow Google’s instructions to upload your certificate and key file(s) to Secret Manager.
There are many ways to manage your SSL/TLS certificates and keys. For example, one option is to include the PEM certificate data in the same secret as your private key, because NGINX's ssl_certificate directive supports a single file containing multiple certificates and a key. See NGINX's Configuring HTTPS servers guide for more details.
To add your Secret Manager certificate and key to an NGINX configuration in the NGINXaaS console,
- Select Configurations in the left menu.
- Select the ellipsis (three dots) next to the configuration you want to edit, and select Edit.
- Select Add File.
- Select Google Secret Manager as the type of file you want to add.
- Provide the required information:
| Field | Description | Note |
| --- | --- | --- |
| Google Secret ID | The resource name of the secret in Secret Manager. | The resource name must match the format projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION, where $VERSION can be a specific version or an alias such as latest. |
| File Path | The secret will be written to this file path so it can be used with NGINX directives such as ssl_certificate or ssl_certificate_key in your NGINX configuration. | The path must be unique within the configuration. |

- Update the NGINX configuration to reference the certificate you just added by the path value.
- Select Add, Next, and then Save to save your changes.
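As an added example (not code from the NGINXaaS documentation or product), the Python below checks a Google Secret ID against the resource-name format in the table above, assembles the combined certificate-plus-key PEM mentioned earlier in the order NGINX expects (server certificate first, then intermediates, then the key), and emits the ssl_certificate directives that reference the File Path. The regex, the PEM sample blocks and the secret/file names are assumptions of this example, not Google's or F5's validation rules.

```python
import re

# Shape of the Google Secret ID field: projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION.
# Assumed here: secret IDs use letters, digits, underscores and hyphens; the version is
# a number or an alias such as "latest".
SECRET_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/secrets/(?P<secret>[A-Za-z0-9_-]+)"
    r"/versions/(?P<version>[^/]+)$"
)

def parse_secret_resource(name: str) -> dict:
    """Split a valid resource name into project/secret/version, else raise ValueError."""
    m = SECRET_RE.match(name)
    if not m:
        raise ValueError(f"not a Secret Manager version resource name: {name!r}")
    return m.groupdict()

def is_valid_secret_resource(name: str) -> bool:
    return SECRET_RE.match(name) is not None

# One PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def combine_pem(leaf: str, chain: list, key: str) -> str:
    """Build the single-file layout ssl_certificate accepts: server certificate first,
    then intermediates, then the private key. Each input must hold exactly one block."""
    parts = []
    for label, pem in [("leaf", leaf), *[("chain", c) for c in chain], ("key", key)]:
        kinds = PEM_BLOCK_RE.findall(pem)
        if len(kinds) != 1:
            raise ValueError(f"{label}: expected one PEM block, found {len(kinds)}")
        kind = kinds[0]
        if kind.startswith("ENCRYPTED"):  # NGINX would need ssl_password_file for this
            raise ValueError("encrypted private keys are not handled by this flow")
        if (label == "key") != kind.endswith("PRIVATE KEY"):
            raise ValueError(f"{label}: unexpected PEM type {kind!r}")
        parts.append(pem.strip())
    return "\n".join(parts) + "\n"

def nginx_ssl_directives(file_path: str) -> str:
    """Directives referencing the File Path entered in the console; with a combined
    file both directives point at the same path."""
    return f"ssl_certificate     {file_path};\nssl_certificate_key {file_path};\n"

# Constructed sample blocks (not real credentials) so the module runs offline.
LEAF = "-----BEGIN CERTIFICATE-----\nMIIBleaf\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBinter\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIBkey\n-----END PRIVATE KEY-----\n"
```

Write the string returned by combine_pem to the secret as a single version, and point the File Path at a location such as /etc/nginx/ssl/web-tls.pem (assumed name) that the directives reference.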
Before updating your NGINXaaS deployment to use your new NGINX configuration, ensure your deployment already has a workload identity pool provider set up with the Secret Manager Secret Accessor role granted, so it can fetch certificates. Then, in the NGINXaaS console:
- Select Deployments.
- Select the deployment you want to edit.
- In the Configuration Info panel, select Edit.
- Select the configuration and configuration version created in the last section.
- Select Update Configuration.