Secret Management Configuration

07 Jun 2023
6 Minutes to read

Print
Dark
Light
PDF

Secret Management Configuration

Updated on 07 Jun 2023
6 Minutes to read

Print
Dark
Light
PDF

Article Summary

Share feedback

Thanks for sharing your feedback!

Configuring the Secret Management

By default the secret-manager service is not deployed as part of the PAA, in order to use the Secret-Management Service you need to activate/enable it by adding the following section to the values-custom.yaml:

secrets-mgmt:
  enabled: false
  replicaCount: 1
  command: []
  # Allows you to add any config files to /app/config
  plainIDConfig:
    config.yaml:
      server:
        port: 8080
      # Which IP is allowed to make requests to secret-mgmt
        bindIp: 0.0.0.0
      management:
        port: 8081
      log:
        level: jwksinfo" #debug,trace
        format: "json"
        logTo: "console" # rolling, file
      rabbitmq:
        enabled: false
      gin:
        mode: release  # debug, release
      # Secret Store configuration
      secretStore:
        - id: fileSecret
          type: File
          isDefault: true
          decoder: Base64
          details:
            path: /app/config/filename.txt
# Examples below for HashiCorp Vault and Environment Variables based Secret Stores
#       - id: vault
#         type: Vault
#         isDefault: true
#         decoder: None # Base64, None
#         details:
#           PathPrefix: prefix
#           defaultPath: vault_
#           skipVerify: true
#           url: vault
#           timeout: 3s
#           enginePath: custom
#           # Authentication method should use either a Token or Kubernetes authentication method with vault
#         auth:
#           method: Token # Token, Kubernetes
#           tokenValue: token
#           tokenFileName: ${ VAULT_TOKEN }  - instead of token value
#         auth:
#           method: Kubernetes
#           path: /var/path-to-file/file.txt
#           role: secrets-mgmt
#       - id: ENV_VAR_SECRET
#          type: Environment
#          isDefault: false
#          decoder: Base64
#          details:
#            name: ENV_VAR_SECRET

Activating/Enabling the Secret Management Service

In order to enable the Secret Management Service, set the secrets-mgmt.enabled to true

Optional Settings for the Secret Management Service

Section	Parameter	Value	Description
server	port	`8080`	The port number that the server will listen to for incoming requests.
server	bindIp	`0.0.0.0`	The IP address that is allowed to make requests to the secret management service. Use 0.0.0.0 to allow connection from every IP address on the local machine
management	port	`8081`	The port number that the management service will listen to for incoming requests.
log	level	`info`	The logging level for the application.
log	format	`json`	The logging format for the application.
log	logTo	`console`	The logging output destination.
rabbitmq	enabled	`false`	Indicates whether RabbitMQ integration is enabled or not.
gin	mode	`release`	The mode that Gin, the HTTP framework, should run in.

Configure a Secret Store

The Secret Store is used to obtain the relevant secrets (e.g. Private Keys) from.
The Secret Management Service supports the following Secret Store Types:
HashiCorp Vault
Environment Variables
Text File

General Vault Parameters

secretStore:
 - id: vault
   type: Vault
   isDefault: true
   Decoder: None # Base64, None
   details:
     defaultPath: vault_
     skipVerify: true
     url: vault
     timeout: 3s
     enginePath: custom
     pathPrefix: prefix
   auth:
     method: Token # Token, Kubernetes
     tokenValue: token

Section	Parameter	Value	Description
secretStore	id	`vault`	An identifier for the secret store
secretStore	type	`Vault`	The type of secret store, available types: * Vault * Environment * File
secretStore	isDefault	`true`	Indicates whether this is the default secret store. If more than one secret store is defined, the default store is used for operations that do not specify a specific store.If more than one secretStore is defined as default, or none of the secret stores is defined as default - then the first secretStore will be defined as default
secretStore	Decoder	`none`	The decoder to be used for the secrets stored in this store. Possible values are `Base64` and `None`
secretStore	details		Additional details related to the secret store configuration
secretStore	details.defaultPath	`vault\_`	The default path to be used for accessing the secrets in this store

Configure a HashiCorp Vault `secretStore`

The following parameters are required for the configuration of the HashiCorp Vault Secret Store.

Section	Parameter	Value	Description
secretStore	details.skipVerify	`true`	Indicates whether the prefix the Secret Store URL with https:// or http://
secretStore	details.url		The URL of the secret storevault.plainid-vault:8201
secretStore	details.timeout	`3s`	The timeout value to be used when connecting to the secret store
secretStore	details.enginePath	`secret`	From which HashiCorp Vault Engine root folder should the Secret Management Service access the secrets
secretStore	details.pathPrefix	`environments/production`	The prefix to be used for all paths when accessing the secrets in this store
secretStore	auth		Authentication details for accessing the secret storeAdd the relevant attributes, according to the auth.method (Kubernetes or Token - See items below)
secretStore	auth.method	`Kubernetes`	The authentication method to be used for accessing the secret store. Possible values are "Token" and "Kubernetes"
secretStore	auth.path	`Kubernetes`	File path of the k8s authorization value
secretStore	auth.role	`Kubernetes`	Vault authorization role name
secretStore	auth.tokenValue	`token`	The token value to be used for authentication when accessing the secret store
secretStore	auth.tokenFilePath	`token`	file path which holds the token

When configuring the vault information in the Scope (Environment Settings > Scopes > Scope > Details) make sure you do not include the enginePath in the Path to Key parameter.

Configure an Environment Variable secretStore

The Secret Management Service can also obtain private keys from environment variables, to configure a Secret Store that reads the private keys from environment variables, use the following configuration:

Section	Variable	Default value	Description
secretStore	type	`Environment`	Set the type of the secret store to Environment variables
secretStore	details.name	`ENV\_VAR\_SECRET`	The name of the environment variable to obtain the private key from

Please note, the table above describes just the fields that are specific to the environment variable secret store configuration, additional, general settings are described above.

Sample configuration

secrets-mgmt:
  enabled: false
  replicaCount: 1
  command: []
  # Allows you to add any config files to /app/config
  plainIDConfig:
    config.yaml:
      server:
        port: 8080
      # Which IP is allowed to make requests to secret-mgmt
        bindIp: 0.0.0.0
      management:
        port: 8081
      log:
        level: "info" #debug,trace
        format: "json"
        logTo: "console" # rolling, file
      rabbitmq:
        enabled: false
      gin:
        mode: release  # debug, release
      # Secret Store configuration
      secretStore:
       - id: ENV_VAR_SECRET
          type: Environment
          isDefault: true
          decoder: Base64
          details:
            name: ENV_VAR_SECRET

Configure a Text File secretStore

The Secret Management Service can also obtain private keys from text files, to configure a secretStore that reads the private keys from text files, use the following configuration:

Section	Variable	Default value	Description
secretStore	type	`File`	Set the type of the secret store to text file
secretStore	details.path	`/app/conf/filename.txt`	The full path to the file containing the private key

Please note, the table above describes just the fields that are specific to the environment variable secret store configuration, additional, general settings are described above.

Sample Configuration

server:
 port: ${APP_PORT:8072}
 bindIp: ${IP_BIND:127.0.0.1}
management:
 port: ${MANAGEMENT_PORT:8077}
log:
 level: "debug"
 format: "json"
 logTo: "console"
rabbitmq:
 enabled: false
gin:
 mode: ${GIN_MODE:release}  # debug, release

secretStore:
 - id: fileSecret
   type: File
   isDefault: true
   Decoder: Base64
   details:
     path: /app/conf/filename.txt

Scope Level Configuration

In addition to the configuration of the Secret Management Service and the Secret Store in the Policy Authorization Agent, additional settings can be configured in the PlainID Policy Administration Point (PAP).

JWT Signing Settings

JWT Sign In Setting.png

This section includes the relevant configuration attributes for obtaining the private key that will be used to sign the PlainID Policy Decision Point JWT

Attribute	Description	Behavior
Secret Store	Which Secret Store to use.A PAA can use multiple Secret Stores	If no Secret Store is defined, the Secret Store that is defined as default=true in the PAA will be usedIf a value is specified, the specified secret store will be used
Path to Key	Define the path to the location of the key in the vaultRelevant only for Secret Stores of type vault and not applicable for File nor Environment Secret Stores	If not specified, the details.defaultPath from the secretStore configuration will be used
Key Name	Define the name of the key in the vault.Relevant only for Secret Stores of type vault and not applicable for File nor Environment Secret Stores	If not defined, the PlainID Scope ClientID will be used as the Key Name

JWT Response Settings

JWT Response Setting image.png

Attribute	Description
Audience	The value to include in the aud claim
X509 Certificate	The public x509 certificate that will be published in the PDP JWKS URL - to allow the consumer of the PDP decisions to validate the PDP Signed JWT, the child of the x509 Certificate in the JWKS will be the ClientID of the PlainID ScopeSample JWKS URL
Token Lifetime - EXP (Seconds)	The token lifetime expiration in seconds

Was this article helpful?

What's Next

Sample values.yaml File

Table of contents

Secret Management Configuration

Configuring the Secret Management

Activating/Enabling the Secret Management Service

Optional Settings for the Secret Management Service

Configure a Secret Store

General Vault Parameters

Configure a HashiCorp Vault secretStore

Configure an Environment Variable secretStore

Sample configuration

Configure a Text File secretStore

Sample Configuration

Scope Level Configuration

JWT Signing Settings

JWT Response Settings

What's Next

Configure a HashiCorp Vault `secretStore`