Types of Integrations

oak9 supports 3 types of integrations: API integration, CLI integration, and CI/CD integration.

API integration is done by providing oak9 with access keys[1] that allow the platform to communicate with a particular Cloud Service Provider (CSP). This allows oak9 to directly access the CSP’s deployed resources and read their configuration.2

Both CLI and CI/CD integrations are done by giving oak9 Infrastructure as Code (IaC) files which allows the platform to read a representation of the deployed resources and their configurations.

oak9 recommends that API integrations be enabled alongside either CLI or CI/CD integrations. This enables the oak9 platform to be the most effective in keeping the application secure.

The types of CSPs supported by oak9 currently are Azure and AWS, with additional CSPs coming soon.

AWS Integration

oak9 will have access to an AWS account by providing it with “access keys.” These consist of an “Access Key ID” and an “Access Secret Value.” Think of these as a username and password.

Within your AWS account you will create a user and give that user permissions. Then you will generate “Access keys” for that user and give those keys to oak9. Those keys allow oak9 to perform only the actions allowed by that user's permissions (on their AWS account).

In addition to providing access keys, an AWS integration also requires specifying the regions that oak9 should access. Although AWS users are not directly tied to a set of regions, oak9 asks for explicit specifications for which regions it needs to access.

To read about how to create an AWS integration with oak9, click here.

Find more external AWS resources here:

· Adding or removing identity permissions. Link.

· Programmatic access. Link.

Azure Integration

oak9 will have access to an Azure account through a service principle’s client secrets. This consists of a Client ID, a Secret, and a Tenant ID. A service principle is created by Registering an App. Access to resources will be given to that App and oak9 will assume its role when attempting to access the Azure account.

Permissions given to that App are not set on the App itself, but instead on the resources the App should access. This allows granularly specifying which resources to allow the App to access.

To read about how to create an Azure integration with oak9, click here.

Find more external Azure resources here:

· Register an application with Azure AD and create a service principal. Link.

· Create a new application secret. Link.

· Assign a role to the application. Link.

Handling Issues

oak9 may face issues while attempting to access resources through a CSP’s APIs. Any error that oak9 encounters will be listed in a warning box to notify the end-user that there were problems. These problems are most likely insufficient permissions.

See figure.

For more help ensuring proper permissions have been assigned check out the Integration How-to guides for either AWS or Azure.

Pairing API Integration with CLI or CI/CD Integration

Because CLI and CI/CD integrations are based on IaC files, they do not give a real-time representation of the deployed architecture. An API integration will allow oak9 to access CSP-specific APIs to gather information that may not be included in the IaC files. This is why pairing an IaC-based integration with an API integration enables oak9 to be more effective in keeping an application secure.

[1] Access keys can mean different things depending on the CSP, but in essence they are the credentials that will be provided to oak9 to communicate with the CSP through their APIs.

2 API Integration access is read-only

Did this answer your question?