Add certificates from Secret Manager
F5 NGINXaaS for Google Cloud (NGINXaaS) can fetch secrets directly from Secret Manager to use as certificates in your NGINX configuration.
If you haven’t already done so, complete the following prerequisites:
- Enable the Secret Manager API.
- Configure Workload Identity Federation (WIF). See our documentation on setting up WIF for exact steps.
If you do not have a certificate in one of our accepted formats in Secret Manager, follow Google’s instructions on adding a secret to Secret Manager.
To add your Secret Manager certificate to an NGINX configuration in the NGINXaaS console:
- Select Configurations in the left menu.
- Select the ellipsis (three dots) next to the configuration you want to edit, and select Edit.
- Select Continue to open the configuration editor.
- In your configuration, select Add File and choose Google Secret Manager as the type.
- Provide the required path information:

| Field | Description | Note |
| --- | --- | --- |
| Google Secret ID | The resource name of the secret in Secret Manager | The resource name must match the format projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION where $VERSION can be a specific version or an alias such as latest. |
| File Path | This path can match one or more ssl_certificate or ssl_certificate_key directive file arguments in your NGINX configuration. | The path must be unique within the same deployment. |

- Update the NGINX configuration to reference the certificate you just added by the path value.
- Select Continue and then Save to save your changes.
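
A pre-save consistency check for the values entered in the steps above, written here as an added example (it is not F5's code and does not call any NGINXaaS or Google API). The function name, the sample project and secret names, and the file paths are assumptions made for illustration.

```python
import re
from collections import Counter

# Shape stated on this page: projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION
SECRET_NAME = re.compile(r"projects/[^/\s]+/secrets/[^/\s]+/versions/[^/\s]+")
# Plain-path ssl_certificate / ssl_certificate_key directives (comment lines do not match).
SSL_FILE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+([^\s;]+)\s*;", re.MULTILINE)

# Constructed sample input: (Google Secret ID, File Path) pairs as typed into Add File.
SAMPLE_FILES = [
    ("projects/example-project/secrets/example-tls-cert/versions/3",
     "/etc/nginx/certs/example.crt"),
    ("projects/example-project/secrets/example-tls-key/versions/latest",
     "/etc/nginx/certs/example.key"),
]
# Constructed sample NGINX configuration.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/example.crt;
        ssl_certificate_key /etc/nginx/certs/example.key;
    }
}
"""

def check_secret_files(secret_files, nginx_conf):
    """Return a list of problems; an empty list means the entries are consistent."""
    problems = []
    for secret_id, _ in secret_files:
        if not SECRET_NAME.fullmatch(secret_id):
            problems.append(f"bad secret resource name: {secret_id}")
    # Each File Path must be unique within the deployment.
    counts = Counter(path for _, path in secret_files)
    problems += [f"file path used {n} times: {p}" for p, n in counts.items() if n > 1]
    # A secret file that no ssl directive points at is not used as a certificate or key.
    referenced = {path for _, path in SSL_FILE.findall(nginx_conf)}
    problems += [f"not referenced by any ssl directive: {p}"
                 for p in sorted(set(counts) - referenced)]
    return problems

if __name__ == "__main__":
    for line in check_secret_files(SAMPLE_FILES, SAMPLE_CONF) or ["ok"]:
        print(line)
```

The check only covers directives whose argument is a literal path; values that use NGINX variables are outside what it parses.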