Store SIA certificate creds in AWS parameter store, use custom json … (…

…#2776) * Store SIA certificate creds in AWS parameter store, use custom json format --------- Signed-off-by: rajeshal <[email protected]> Co-authored-by: rajeshal <[email protected]>
AthenZ · Oct 25, 2024 · 04d5ae1 · 04d5ae1
1 parent 2da140b
commit 04d5ae1
Show file tree

Hide file tree

Showing 6 changed files with 373 additions and 6 deletions.
diff --git a/go.mod b/go.mod
@@ -7,9 +7,10 @@ module github.com/AthenZ/athenz
 require (
 	cloud.google.com/go/secretmanager v1.14.1
 	github.com/ardielle/ardielle-go v1.5.2
-	github.com/aws/aws-sdk-go-v2 v1.30.4
+	github.com/aws/aws-sdk-go-v2 v1.32.2
 	github.com/aws/aws-sdk-go-v2/config v1.27.28
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.5
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.55.2
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.4
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/dimfeld/httptreemux v5.0.1+incompatible
@@ -47,14 +48,14 @@ require (
 	github.com/aws/aws-sdk-go v1.55.5 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect
-	github.com/aws/smithy-go v1.20.4 // indirect
+	github.com/aws/smithy-go v1.22.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -19,6 +19,8 @@ github.com/ardielle/ardielle-tools v1.5.4/go.mod h1:oZN+JRMnqGiIhrzkRN9l26Cej9dE
 github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8=
 github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
+github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
+github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
 github.com/aws/aws-sdk-go-v2/config v1.27.28 h1:OTxWGW/91C61QlneCtnD62NLb4W616/NM1jA8LhJqbg=
 github.com/aws/aws-sdk-go-v2/config v1.27.28/go.mod h1:uzVRVtJSU5EFv6Fu82AoVFKozJi2ZCY6WRCXj06rbvs=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.28 h1:m8+AHY/ND8CMHJnPoH7PJIRakWGa4gbfbxuY9TGTUXM=
@@ -27,8 +29,12 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJ
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 h1:jYfy8UPmd+6kJW5YhY0L1/KftReOGxI/4NtVSTh9O/I=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI=
@@ -37,6 +43,10 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 h1:tJ5RnkHC
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.5 h1:UDXu9dqpCZYonj7poM4kFISjzTdWI0v3WUusM+w+Gfc=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.5/go.mod h1:5NPkI3RsTOhwz1CuG7VVSgJCm3CINKkoIaUbUZWQ67w=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.42.1 h1:GvOG5thwe/WQFvKUAfKBTtib2QVYfWREtOdZ9FPHC6E=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.42.1/go.mod h1:oB+JGCOl5dl2rQ4T/75fnqoVqWpozQMHZHvBWezeGkA=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.55.2 h1:z6Pq4+jtKlhK4wWJGHRGwMLGjC1HZwAO3KJr/Na0tSU=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.55.2/go.mod h1:DSmu/VZzpQlAubWBbAvNpt+S4k/XweglJi4XaDGyvQk=
 github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/sFv8qq+lGJhRN0c=
 github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI=
@@ -45,6 +55,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 h1:iAckBT2OeEK/kBDyN/jDtpEExhje
 github.com/aws/aws-sdk-go-v2/service/sts v1.30.4/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0=
 github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4=
 github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
+github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -130,6 +142,7 @@ github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWS
 github.com/jawher/mow.cli v1.0.4/go.mod h1:5hQj2V8g+qYmLUVWqu4Wuja1pI57M83EChYLVZ0sMKk=
 github.com/jawher/mow.cli v1.2.0 h1:e6ViPPy+82A/NFF/cfbq3Lr6q4JHKT9tyHwTCcUQgQw=
 github.com/jawher/mow.cli v1.2.0/go.mod h1:y+pcA3jBAdo/GIZx/0rFjw/K2bVEODP9rfZOfaiq8Ko=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=

diff --git a/libs/go/sia/aws/lambda/lambda.go b/libs/go/sia/aws/lambda/lambda.go
@@ -28,6 +28,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/service/ssm/types"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"strings"
 )
@@ -104,9 +106,36 @@ func getInternalAthenzIdentity(athenzDomain, athenzService, athenzProvider, ztsU
 //
 // The secret specified by the name must be pre-created
 func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData) error {
+	return StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName, siaCertData, nil)
+}
+
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret in custom json format. The secret is stored in the following keys:
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<ca-cert-key>":"<ca-cert-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created
+func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
 
+	var keyCertJson []byte
+	var err error
 	// generate our payload
-	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if nil == jsonFieldMapper {
+		keyCertJson, err = util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	} else {
+		keyCertJson, err = util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+	}
 	if err != nil {
 		return fmt.Errorf("unable to generate secret json data: %v", err)
 	}
@@ -122,3 +151,71 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 	_, err = svc.PutSecretValue(context.TODO(), input)
 	return err
 }
+
+// StoreAthenzIdentityInParameterStore store the retrieved athenz identity in the
+// specified parameter store as Secure String, without CA certificate. The secret is stored in the following keys:
+//
+//	"<domain>.<service>.cert.pem":"<x509-cert-pem>,
+//	"<domain>.<service>.key.pem":"<pkey-pem>,
+//	"time": <utc-timestamp>
+//
+// The parameter specified by the name must be pre-created
+func StoreAthenzIdentityInParameterStore(athenzDomain, athenzService, parameterName, kmsId string, siaCertData *util.SiaCertData) error {
+	jsonFieldMapper := make(map[string]string)
+	jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = fmt.Sprintf("%s.%s.cert.pem", athenzDomain, athenzService)
+	jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = fmt.Sprintf("%s.%s.key.pem", athenzDomain, athenzService)
+	//do not set CA cert
+	jsonFieldMapper[util.SiaYieldMapperIssueTimeKey] = "time"
+	return storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId, siaCertData, jsonFieldMapper)
+}
+
+// StoreAthenzIdentityInParameterStoreCustomFormat store the retrieved athenz identity in the
+// specified parameter store as Secure String, without CA certificate. The secret is stored in the following keys
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 3 json fields 'cert_pem', 'key_pem' and 'time', where 'cert_pem' and 'key_pem' are mandatory.
+// The resulted json will contain timestamp only if the corresponding json field name is set. It will ignore 'ca_pem'
+// even if it is set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The parameter specified by the name must be pre-created
+func StoreAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+	// generate our payload
+	if nil != jsonFieldMapper {
+		_, ok := jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey]
+		if ok {
+			// unset 'ca cert' field name
+			jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = ""
+		}
+	}
+	return storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId, siaCertData, jsonFieldMapper)
+}
+
+func storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+	// generate our payload
+	keyCertJson, err := util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+
+	if err != nil {
+		return fmt.Errorf("unable to generate secret json data: %v", err)
+	}
+	cfg, err := config.LoadDefaultConfig(context.TODO())
+	if err != nil {
+		return err
+	}
+	ssmClient := ssm.NewFromConfig(cfg)
+	input := &ssm.PutParameterInput{
+		Type:      types.ParameterTypeSecureString,
+		Name:      aws.String(parameterName),
+		Value:     aws.String(string(keyCertJson)),
+		Overwrite: aws.Bool(true),
+		KeyId:     aws.String(kmsId),
+	}
+	_, err = ssmClient.PutParameter(context.TODO(), input)
+	return err
+}
diff --git a/libs/go/sia/gcp/functions/identity.go b/libs/go/sia/gcp/functions/identity.go
@@ -94,6 +94,13 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 
 	// Create the GCP secret-manager client.
 	ctx := context.Background()
+
+	// generate our payload
+	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if err != nil {
+		return fmt.Errorf("unable to generate secret json data: %v", err)
+	}
+
 	secretManagerClient, err := secretmanager.NewClient(ctx)
 	if err != nil {
 		return fmt.Errorf("unable to create secret manager client: %v", err)
@@ -102,12 +109,90 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 		_ = secretManagerClient.Close()
 	})()
 
+	// Get the project id from metadata
+	gcpProjectId, err := gcpm.GetProject(gcpMetaDataServer)
+	if err != nil {
+		return fmt.Errorf("unable to extract project id: %v", err)
+	}
+
+	// Build the request
+	addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
+		Parent: "projects/" + gcpProjectId + "/secrets/" + secretName,
+		Payload: &secretmanagerpb.SecretPayload{
+			Data: keyCertJson,
+		},
+	}
+
+	// Call the API.
+	_, err = secretManagerClient.AddSecretVersion(ctx, addSecretVersionReq)
+	return err
+}
+
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret in custom json format. The secret is stored in the following keys:
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<ca-cert-key>":"<ca-cert-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created
+
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret. The secret is stored in the following json format:
+//
+//	{
+//	   "<x509-cert-pem-key>":"<x509-cert-pem>,
+//	   "<private-pem-key>":"<pkey-pem>,
+//	   "<ca-cert-key>":"<ca-cert-pem>,
+//	   "<time-key>": <utc-timestamp>
+//	}
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created and the service account
+// that the function is invoked with must have been authorized to assume the
+// "Secret Manager Secret Version Adder" role
+func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+
+	// Create the GCP secret-manager client.
+	ctx := context.Background()
+
+	var keyCertJson []byte
+	var err error
 	// generate our payload
-	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if nil == jsonFieldMapper {
+		keyCertJson, err = util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	} else {
+		keyCertJson, err = util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+	}
+
 	if err != nil {
 		return fmt.Errorf("unable to generate secret json data: %v", err)
 	}
 
+	secretManagerClient, err := secretmanager.NewClient(ctx)
+	if err != nil {
+		return fmt.Errorf("unable to create secret manager client: %v", err)
+	}
+	defer (func() {
+		_ = secretManagerClient.Close()
+	})()
+
 	// Get the project id from metadata
 	gcpProjectId, err := gcpm.GetProject(gcpMetaDataServer)
 	if err != nil {

diff --git a/libs/go/sia/util/identity.go b/libs/go/sia/util/identity.go
@@ -26,9 +26,17 @@ import (
 	"log"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 )
 
+const (
+	SiaYieldMapperX509CertPemKey   = "cert_pem"
+	SiaYieldMapperPvtPemKey        = "key_pem"
+	SiaYieldMapperCertSignerPemKey = "ca_pem"
+	SiaYieldMapperIssueTimeKey     = "time"
+)
+
 // SiaCertData response of GetAthenzIdentity()
 type SiaCertData struct {
 	PrivateKey               *rsa.PrivateKey
@@ -61,6 +69,39 @@ func GenerateSecretJsonData(athenzDomain, athenzService string, siaCertData *Sia
 	return json.MarshalIndent(siaYield, "", "  ")
 }
 
+// GenerateCustomSecretJsonData get SiaCertData data as string in json format with custom field names.
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time', similar to `GenerateSecretJsonData`.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}]
+func GenerateCustomSecretJsonData(siaCertData *SiaCertData, jsonFieldMapper map[string]string) ([]byte, error) {
+	if nil == jsonFieldMapper {
+		return nil, fmt.Errorf("json keys mapper is misssing, required atleast certificate and private key fields")
+	}
+	x509CertPemKey, okx509 := jsonFieldMapper[SiaYieldMapperX509CertPemKey]
+	pvtPemKey, okPem := jsonFieldMapper[SiaYieldMapperPvtPemKey]
+
+	if !okx509 || !okPem || "" == strings.TrimSpace(x509CertPemKey) || "" == strings.TrimSpace(pvtPemKey) {
+		return nil, fmt.Errorf("x509 certificate pem and private pem keys are mandatory")
+	}
+
+	certSignerPemKey, okCA := jsonFieldMapper[SiaYieldMapperCertSignerPemKey]
+	issueTimeKey, okTime := jsonFieldMapper[SiaYieldMapperIssueTimeKey]
+	siaYield := make(map[string]string)
+	siaYield[strings.TrimSpace(x509CertPemKey)] = siaCertData.X509CertificatePem
+	siaYield[strings.TrimSpace(pvtPemKey)] = siaCertData.PrivateKeyPem
+
+	if okCA {
+		siaYield[strings.TrimSpace(certSignerPemKey)] = siaCertData.X509CertificateSignerPem
+	}
+	if okTime {
+		// Add the current time to the JSON.
+		siaYield[strings.TrimSpace(issueTimeKey)] = strconv.FormatInt(time.Now().Unix(), 10)
+	}
+
+	return json.MarshalIndent(siaYield, "", "  ")
+}
+
 func RegisterIdentity(athenzDomain, athenzService, athenzProvider, ztsUrl, instanceId, attestationData, spiffeTrustDomain string, sanDNSDomains []string, csrSubjectFields CsrSubjectFields, instanceIdSanDNS bool, privateKey *rsa.PrivateKey) (*SiaCertData, error) {
 
 	var csrDetails CertReqDetails