With the Secretless Broker feature of Conjur, applications can securely connect to databases, services and other protected resources – without fetching or managing secrets.

Secretless Broker is an independent and extensible open source community project maintained by CyberArk.  Today Secretless Broker works within Kubernetes and OpenShift container platforms with Conjur, Application Access Manager’s Dynamic Access Provider, and Kubernetes Secrets vaults.

Secretless Broker Simplifies How Applications Securely Access Resources

Modern Solution Architecture

Developers & Apps Handle Secrets

Developer Responsibilities

  • Make API calls to fetch secrets
  • Securely handle secrets
  • Securely connect to target

Secretless Broker Architecture

Apps & Developers are Secretless

Developer Responsibilities

  • Securely connect to target

Why Secretless Broker?

Simplifies how applications securely access resources

  • Eliminates the need for developers to write code (and learn APIs) for their applications to directly interact with secrets management solutions
  • Simplifies the process for applications to securely connect to databases, web applications, and other supported services in a transparent way with open source code

Makes secrets management easier for developers by removing it as a responsibility

  • It’s easier for developers to write code for their applications using Secretless Broker to securely access resources than to either access resources using insecure mechanisms, such as hardcoding credentials, or to interact directly with the secrets provider and then use those credentials to access the resource.
  • Developers are no longer accountable if a secret is compromised because they never had access to it. This is done in a transparent way with open source code.

Reduces the attack surface by preventing secrets being exposed to applications – applications cannot leak credentials that they don’t have access to

  • Secretless Broker isolates applications from interacting with credentials – eliminating the potential for credentials to be inadvertently logged by applications or for credentials to be hardcoded in application code.

How Does Secretless Broker Work?

When an application needs to securely access a resource, such as a database, instead of providing access credentials, the app simply makes a local connection request to Secretless Broker, which then automatically authenticates the app, fetches the required credentials from a Vault and establishes a connection to the database.

  • From the developer’s perspective instead of needing to include code in their application to fetch the credentials from a Vault and then use the credentials to access the resource, the developer simply configures the application to connect to the required resource via the Secretless Broker, without needing to change the application code.
  • From the security perspective, credentials can no longer be inadvertently logged or exposed by the application because, with Secretless Broker, the application code does not get access to the credential, so it cannot leak secrets.

Get Started with a Simple Hosted KataCoda Tutorial

System Requirements

The Secretless Broker feature of Conjur currently supports these platforms, secret providers and service authenticators.

Full documentation is available here: Secretless Broker Documentation.

Secretless Broker Community Project

Secretless Broker is an independent and extensible open source community project which can be used to support native vaults and other secrets management solutions. It is maintained by developers from CyberArk and offered as an open source component of Conjur and Application Access Manager.

To explore the Secretless Broker Open Source Community Project visit Secretless Broker GitHub.