Secret Management Configuration
    • 07 Jun 2023

    Configuring the Secret Management

    By default, the secret-manager service is not deployed as part of the PAA. To use the Secret Management Service you need to activate/enable it by adding the following section to values-custom.yaml:

    secrets-mgmt:
      enabled: false
      replicaCount: 1
      command: []
      # Allows you to add any config files to /app/config
      plainIDConfig:
        config.yaml:
          server:
            port: 8080
            # Which IP is allowed to make requests to secret-mgmt
            bindIp: 0.0.0.0
          management:
            port: 8081
          log:
            level: "info" # debug, trace
            format: "json"
            logTo: "console" # rolling, file
          rabbitmq:
            enabled: false
          gin:
            mode: release  # debug, release
          # Secret Store configuration
          secretStore:
            - id: fileSecret
              type: File
              isDefault: true
              decoder: Base64
              details:
                path: /app/config/filename.txt
          # Examples below for HashiCorp Vault and Environment Variables based Secret Stores
          #  - id: vault
          #    type: Vault
          #    isDefault: true
          #    decoder: None # Base64, None
          #    details:
          #      pathPrefix: prefix
          #      defaultPath: vault_
          #      skipVerify: true
          #      url: vault
          #      timeout: 3s
          #      enginePath: custom
          #    # Authentication uses either a Token or the Kubernetes authentication method with Vault;
          #    # keep only one of the two auth blocks below
          #    auth:
          #      method: Token # Token, Kubernetes
          #      tokenValue: token
          #      # tokenFileName: ${VAULT_TOKEN}  # alternative to tokenValue
          #    auth:
          #      method: Kubernetes
          #      path: /var/path-to-file/file.txt
          #      role: secrets-mgmt
          #  - id: ENV_VAR_SECRET
          #    type: Environment
          #    isDefault: false
          #    decoder: Base64
          #    details:
          #      name: ENV_VAR_SECRET


    Activating/Enabling the Secret Management Service

    To enable the Secret Management Service, set secrets-mgmt.enabled to true.

    Optional Settings for the Secret Management Service

    | Section    | Parameter | Value   | Description |
    |------------|-----------|---------|-------------|
    | server     | port      | 8080    | The port number that the server listens on for incoming requests. |
    | server     | bindIp    | 0.0.0.0 | The IP address that is allowed to make requests to the secret management service. Use 0.0.0.0 to allow connections from every IP address on the local machine. |
    | management | port      | 8081    | The port number that the management service listens on for incoming requests. |
    | log        | level     | info    | The logging level for the application. |
    | log        | format    | json    | The logging format for the application. |
    | log        | logTo     | console | The logging output destination. |
    | rabbitmq   | enabled   | false   | Indicates whether RabbitMQ integration is enabled. |
    | gin        | mode      | release | The mode that Gin, the HTTP framework, runs in. |

    Configure a Secret Store

    The Secret Store is the source from which the relevant secrets (e.g. private keys) are obtained.
    The Secret Management Service supports the following Secret Store types:

    * HashiCorp Vault
    * Environment Variables
    * Text File

    General Vault Parameters

    secretStore:
     - id: vault
       type: Vault
       isDefault: true
       Decoder: None # Base64, None
       details:
         defaultPath: vault_
         skipVerify: true
         url: vault
         timeout: 3s
         enginePath: custom
         pathPrefix: prefix
       auth:
         method: Token # Token, Kubernetes
         tokenValue: token
    
    | Section     | Parameter           | Value  | Description |
    |-------------|---------------------|--------|-------------|
    | secretStore | id                  | vault  | An identifier for the secret store. |
    | secretStore | type                | Vault  | The type of secret store. Available types: Vault, Environment, File. |
    | secretStore | isDefault           | true   | Indicates whether this is the default secret store. If more than one secret store is defined, the default store is used for operations that do not specify a store. If more than one secretStore is defined as default, or none is defined as default, the first secretStore is used as the default. |
    | secretStore | Decoder             | none   | The decoder to be used for the secrets stored in this store. Possible values are Base64 and None. |
    | secretStore | details             |        | Additional details related to the secret store configuration. |
    | secretStore | details.defaultPath | vault_ | The default path to be used for accessing the secrets in this store. |

    Configure a HashiCorp Vault secretStore

    The following parameters are required for the configuration of the HashiCorp Vault Secret Store.

    | Section     | Parameter          | Value                   | Description |
    |-------------|--------------------|-------------------------|-------------|
    | secretStore | details.skipVerify | true                    | Indicates whether to prefix the Secret Store URL with https:// or http://. |
    | secretStore | details.url        | vault.plainid-vault:8201 | The URL of the secret store. |
    | secretStore | details.timeout    | 3s                      | The timeout value to be used when connecting to the secret store. |
    | secretStore | details.enginePath | secret                  | The HashiCorp Vault engine root folder from which the Secret Management Service accesses the secrets. |
    | secretStore | details.pathPrefix | environments/production | The prefix to be used for all paths when accessing the secrets in this store. |
    | secretStore | auth               |                         | Authentication details for accessing the secret store. Add the relevant attributes according to auth.method (Kubernetes or Token; see the items below). |
    | secretStore | auth.method        | Kubernetes              | The authentication method to be used for accessing the secret store. Possible values are "Token" and "Kubernetes". |
    | secretStore | auth.path          | Kubernetes              | File path of the k8s authorization value. |
    | secretStore | auth.role          | Kubernetes              | Vault authorization role name. |
    | secretStore | auth.tokenValue    | token                   | The token value to be used for authentication when accessing the secret store. |
    | secretStore | auth.tokenFilePath | token                   | File path of the file which holds the token. |

    When configuring the vault information in the Scope (Environment Settings > Scopes > Scope > Details) make sure you do not include the enginePath in the Path to Key parameter.

    Configure an Environment Variable secretStore

    The Secret Management Service can also obtain private keys from environment variables. To configure a Secret Store that reads private keys from environment variables, use the following configuration:

    | Section     | Variable     | Default value  | Description |
    |-------------|--------------|----------------|-------------|
    | secretStore | type         | Environment    | Set the type of the secret store to Environment variables. |
    | secretStore | details.name | ENV_VAR_SECRET | The name of the environment variable to obtain the private key from. |

    Please note that the table above describes only the fields specific to the environment variable secret store configuration; the additional, general settings are described above.

    Sample configuration

    secrets-mgmt:
      enabled: false
      replicaCount: 1
      command: []
      # Allows you to add any config files to /app/config
      plainIDConfig:
        config.yaml:
          server:
            port: 8080
            # Which IP is allowed to make requests to secret-mgmt
            bindIp: 0.0.0.0
          management:
            port: 8081
          log:
            level: "info" #debug,trace
            format: "json"
            logTo: "console" # rolling, file
          rabbitmq:
            enabled: false
          gin:
            mode: release  # debug, release
          # Secret Store configuration
          secretStore:
            - id: ENV_VAR_SECRET
              type: Environment
              isDefault: true
              decoder: Base64
              details:
                name: ENV_VAR_SECRET
    

    Configure a Text File secretStore

    The Secret Management Service can also obtain private keys from text files. To configure a secretStore that reads private keys from text files, use the following configuration:

    | Section     | Variable     | Default value          | Description |
    |-------------|--------------|------------------------|-------------|
    | secretStore | type         | File                   | Set the type of the secret store to text file. |
    | secretStore | details.path | /app/conf/filename.txt | The full path to the file containing the private key. |

    Please note that the table above describes only the fields specific to the text file secret store configuration; the additional, general settings are described above.

    Sample Configuration

    server:
     port: ${APP_PORT:8072}
     bindIp: ${IP_BIND:127.0.0.1}
    management:
     port: ${MANAGEMENT_PORT:8077}
    log:
     level: "debug"
     format: "json"
     logTo: "console"
    rabbitmq:
     enabled: false
    gin:
     mode: ${GIN_MODE:release}  # debug, release
    secretStore:
     - id: fileSecret
       type: File
       isDefault: true
       Decoder: Base64
       details:
         path: /app/conf/filename.txt
    

    Scope Level Configuration

    In addition to configuring the Secret Management Service and the Secret Store in the Policy Authorization Agent, additional settings can be configured in the PlainID Policy Administration Point (PAP).

    JWT Signing Settings

    [Image: JWT Sign In Setting.png]

    This section includes the configuration attributes for obtaining the private key that will be used to sign the PlainID Policy Decision Point JWT.

    | Attribute    | Description | Behavior |
    |--------------|-------------|----------|
    | Secret Store | Which Secret Store to use. A PAA can use multiple Secret Stores. | If no Secret Store is defined, the Secret Store that is defined as default=true in the PAA is used. If a value is specified, the specified Secret Store is used. |
    | Path to Key  | Define the path to the location of the key in the vault. | Relevant only for Secret Stores of type Vault; not applicable to File or Environment Secret Stores. If not specified, details.defaultPath from the secretStore configuration is used. |
    | Key Name     | Define the name of the key in the vault. | Relevant only for Secret Stores of type Vault; not applicable to File or Environment Secret Stores. If not defined, the PlainID Scope ClientID is used as the Key Name. |
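    As an added illustration (not PlainID's code), the following Python models the default-store rule from the General Vault Parameters table together with the Scope-level fallbacks above (Secret Store, Path to Key, Key Name) and the decoder setting. The store list and scope values are constructed, and joining pathPrefix and Path to Key with a "/" is an assumption about how the service composes the Vault path.

    ```python
    import base64

    # Constructed secretStore list, as it would look after parsing the
    # secretStore section of config.yaml (values mirror the page's examples).
    SECRET_STORES = [
        {"id": "vault", "type": "Vault", "isDefault": False, "decoder": "None",
         "details": {"defaultPath": "vault_", "enginePath": "secret",
                     "pathPrefix": "environments/production"}},
        {"id": "fileSecret", "type": "File", "isDefault": True, "decoder": "Base64",
         "details": {"path": "/app/config/filename.txt"}},
    ]


    def default_store(stores):
        """Page rule: exactly one store marked isDefault=true is the default;
        if none or several are marked, the first store in the list is used."""
        defaults = [s for s in stores if s.get("isDefault") is True]
        return defaults[0] if len(defaults) == 1 else stores[0]


    def resolve_scope_key(stores, scope):
        """Apply the Scope-level fallbacks: Secret Store -> default store,
        Path to Key -> details.defaultPath, Key Name -> Scope ClientID.
        Returns (store id, vault path, key name); path and key name are None
        for File/Environment stores, where they do not apply."""
        by_id = {s["id"]: s for s in stores}
        store = by_id[scope["secretStore"]] if scope.get("secretStore") else default_store(stores)
        if store["type"] != "Vault":
            return store["id"], None, None
        details = store["details"]
        path = scope.get("pathToKey") or details["defaultPath"]
        # The page warns that Path to Key must not include the enginePath.
        if path.strip("/").startswith(details["enginePath"]):
            raise ValueError(f"Path to Key must not include enginePath {details['enginePath']!r}")
        key_name = scope.get("keyName") or scope["clientId"]
        # Assumption: pathPrefix is prepended to the key path with a "/" separator.
        return store["id"], f"{details['pathPrefix']}/{path}", key_name


    def decode_secret(raw: bytes, decoder: str) -> bytes:
        """Apply the store's decoder: Base64 decodes the stored value, None passes it through."""
        if decoder == "Base64":
            return base64.b64decode(raw, validate=True)
        if decoder == "None":
            return raw
        raise ValueError(f"unknown decoder {decoder!r}")
    ```
    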

    JWT Response Settings

    [Image: JWT Response Setting image.png]

    | Attribute                    | Description |
    |------------------------------|-------------|
    | Audience                     | The value to include in the aud claim. |
    | X509 Certificate             | The public x509 certificate that will be published in the PDP JWKS URL, to allow the consumer of the PDP decisions to validate the PDP-signed JWT. The child of the x509 Certificate in the JWKS will be the ClientID of the PlainID Scope. |
    | Token Lifetime - EXP (Seconds) | The token lifetime expiration in seconds. |
