SECRETLESS BROKER

With the Secretless Broker feature of Conjur, applications can securely connect to databases, services and other protected resources – without fetching or managing secrets.

Secretless Broker is an independent and extensible open source community project maintained by CyberArk.  Today Secretless Broker works within Kubernetes and OpenShift container platforms with Conjur, Application Access Manager’s Dynamic Access Provider, and Kubernetes Secrets vaults.

Secretless Broker Simplifies How Applications Securely Access Resources

Modern solution architecture (developers and apps handle secrets). Developer responsibilities:

  • Make API calls to fetch secrets
  • Securely handle secrets
  • Securely connect to target

Secretless Broker architecture (apps and developers are secretless). Developer responsibilities:

  • Securely connect to target

Why Secretless Broker?

Simplifies how applications securely access resources

  • Eliminates the need for developers to write code (and learn APIs) for their applications to directly interact with secrets management solutions
  • Simplifies the process for applications to securely connect to databases, web applications, and other supported services in a transparent way with open source code

Makes secrets management easier for developers by removing it as a responsibility

  • Writing an application that reaches its resources through Secretless Broker is easier than either using insecure mechanisms, such as hardcoding credentials, or calling the secrets provider directly and then using the returned credentials to access the resource.
  • Because the application, and the developers who write it, never hold the secret, they cannot be the source of a compromised credential. This is done transparently, with open source code.

Reduces the attack surface by preventing secrets from being exposed to applications – applications cannot leak credentials that they never had access to

  • Secretless Broker isolates applications from interacting with credentials – eliminating the potential for credentials to be inadvertently logged by applications or for credentials to be hardcoded in application code.

How Does Secretless Broker Work?

When an application needs to securely access a resource, such as a database, instead of providing access credentials, the app simply makes a local connection request to Secretless Broker, which then automatically authenticates the app, fetches the required credentials from a Vault and establishes a connection to the database.

  • From the developer’s perspective, instead of including code in the application to fetch credentials from a Vault and then use them to access the resource, the developer simply configures the application to connect to the required resource via the Secretless Broker, with no change to application code.
  • From the security perspective, credentials can no longer be inadvertently logged or exposed by the application: with Secretless Broker the application code never receives the credential, so it cannot leak it. The trust boundary moves to the broker’s listener instead: any process that can connect to it receives an authenticated session, so the broker should run alongside the application (for example as a sidecar) and listen only where that application can reach it.

Get Started with a Simple Example

PostgreSQL

Step 1:

Download and run the Secretless Broker quick-start as a Docker container

$ docker container run \
    --rm \
    -p 5432:5432 \
    -p 5454:5454 \
    cyberark/secretless-broker-quickstart

Step 2:

Direct access to the PostgreSQL database is available over port 5432. You can try querying some data, but you don’t have the credentials required to connect (even if you know the username):

$ psql \
    "host=localhost port=5432 user=secretless dbname=quickstart sslmode=disable" \
    -c 'select * from counties;'

Password for user secretless:
psql: FATAL:  password authentication failed for user "secretless"

Step 3:

The good news is that you don’t need any credentials. Instead, you can connect to the password-protected PostgreSQL database via the Secretless Broker on port 5454, without knowing the password. Give it a try:

$ psql \
    "host=localhost port=5454 user=secretless dbname=quickstart sslmode=disable" \
    -c 'select * from counties;'

id |    name
----+------------
 1 | Middlesex
 2 | Worcester
 3 | Essex
 4 | Suffolk
 5 | Norfolk
 6 | Bristol
 7 | Plymouth
 8 | Hampden
 9 | Barnstable
10 | Hampshire
11 | Berkshire
12 | Franklin
13 | Dukes
14 | Nantucket
(14 rows)

SSH

Step 1:

Download and run the Secretless Broker quick-start as a Docker container

$ docker container run \
    --rm \
    -p 2221:22 \
    -p 2222:2222 \
    cyberark/secretless-broker-quickstart

Step 2:

The default SSH service is exposed over port 2221. You can try opening an SSH connection to the server, but you don’t have the credentials to log in:

$ ssh -p 2221 [email protected]

The authenticity of host '[localhost]:2221 ([127.0.0.1]:2221)' can't be established.
ECDSA key fingerprint is SHA256:FLnEsQ6aa1qEQopwywlWXI0LeNb04An72BThZZ8GNy8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2221' (ECDSA) to the list of known hosts.
Permission denied (publickey,keyboard-interactive).

Step 3:

The good news is that you don’t need credentials. You can establish an SSH connection through the Secretless Broker on port 2222 without supplying any. Give it a try:

$ ssh -p 2222 [email protected]

The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:fSn95WSqzC9JpAdZNs3iAEuRQckQSts26dJM9Hqwwh8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.

You've established an SSH connection via Secretless!

Check out https://secretless.io for more information.

bdfe24ac8aaf:~$

HTTP

Step 1:

Download and run the Secretless Broker quick-start as a Docker container

$ docker container run \
    --rm \
    -p 8080:80 \
    -p 8081:8081 \
    cyberark/secretless-broker-quickstart

Step 2:

The service we’re trying to connect to is listening on port 8080. If you try to access it directly, the service will tell you that you’re unauthorized:

$ curl -i localhost:8080

HTTP/1.1 401 Unauthorized
Server: nginx/1.14.0
Date: Thu, 20 Sep 2018 16:11:44 GMT
Content-Type: text/plain
Content-Length: 26
Connection: keep-alive
WWW-Authenticate: Basic realm="Authentication required"

You are not authenticated.

Step 3:

Instead, you can make an authenticated HTTP request by proxying through the Secretless Broker on port 8081. The Secretless Broker injects the proper credentials into the request without you ever knowing what they are. Give it a try:

$ http_proxy=localhost:8081 curl -i localhost:8080

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 35
Content-Type: text/plain
Date: Thu, 20 Sep 2018 16:12:25 GMT
Server: nginx/1.14.0

You are successfully authenticated.
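The exchange above, and the credential-injection flow described under "How Does Secretless Broker Work?", can be reproduced in-process. The following Go program is an added example written for this page; it is not code from the Secretless Broker project. It assumes a constructed credential map named vault standing in for the secret provider, an httptest server standing in for the nginx service on port 8080, and a second httptest server standing in for the broker's HTTP connector on port 8081, acting as a forward proxy exactly as http_proxy=localhost:8081 makes curl use it. The function names (newProtectedService, newBroker, get, Demo) are this example's own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vault is a constructed stand-in for the secret provider (Conjur, Kubernetes
// Secrets, ...). Paths and values are made up for this example. Only the
// broker reads from it; the application holds no reference to it.
var vault = map[string]string{
	"quickstart/http/username": "secretless",
	"quickstart/http/password": "correct horse battery staple",
}

// newProtectedService stands in for the nginx service on port 8080: it
// answers 401 unless the request carries valid HTTP Basic credentials.
func newProtectedService() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || user != vault["quickstart/http/username"] || pass != vault["quickstart/http/password"] {
			w.Header().Set("WWW-Authenticate", `Basic realm="Authentication required"`)
			http.Error(w, "You are not authenticated.", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "You are successfully authenticated.")
	}))
}

// newBroker stands in for the broker's HTTP connector on port 8081. It is a
// forward proxy: the application sends an absolute-form request, the broker
// fetches the credentials, injects the Authorization header and forwards it.
func newBroker() *httptest.Server {
	upstream := &http.Client{Transport: &http.Transport{}} // no proxy of its own
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Host == "" {
			http.Error(w, "broker expects proxy-style (absolute URL) requests", http.StatusBadRequest)
			return
		}
		out, err := http.NewRequest(r.Method, r.URL.String(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		out.Header = r.Header.Clone()
		// Anything the application sent (normally nothing) is discarded; the
		// broker is the only party that authenticates to the target.
		out.Header.Del("Authorization")
		out.SetBasicAuth(vault["quickstart/http/username"], vault["quickstart/http/password"])

		resp, err := upstream.Do(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		for k, vs := range resp.Header {
			for _, v := range vs {
				w.Header().Add(k, v)
			}
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}))
}

// get issues a credential-less GET, optionally through a proxy, and returns
// status and body: what `curl -i` shows the application.
func get(target string, proxy *url.URL) (int, string, error) {
	tr := &http.Transport{}
	if proxy != nil {
		tr.Proxy = http.ProxyURL(proxy)
	}
	resp, err := (&http.Client{Transport: tr}).Get(target)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Demo reproduces the quickstart: the same URL fetched directly, then with
// the broker configured as the HTTP proxy. The client never sees a password.
func Demo() (direct int, brokered int, body string, err error) {
	service := newProtectedService()
	defer service.Close()
	broker := newBroker()
	defer broker.Close()

	if direct, _, err = get(service.URL+"/", nil); err != nil {
		return
	}
	proxy, _ := url.Parse(broker.URL)
	brokered, body, err = get(service.URL+"/", proxy)
	return
}

func main() {
	direct, brokered, body, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("direct:  ", direct)         // 401
	fmt.Println("brokered:", brokered, body) // 200 You are successfully authenticated.
}
```

Run it with `go run .`: the direct request is refused with 401 and the proxied one succeeds, while the only place the password appears is the broker's credential lookup. The same observation is the practical check for a real deployment: the application container's environment, config and logs should contain no credential at all, because the only component that needs one is the broker.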

System Requirements

The Secretless Broker feature of Conjur currently supports the following platforms, secret providers and service authenticators.

Platform                     Supported versions
Kubernetes                   1.9, 1.11
OpenShift                    3.9, 3.11

Secret providers             Supported versions
Dynamic Access Provider      10.8, 10.9
Kubernetes Secrets           1.9, 1.11

Service                      Supported versions
MySQL                        5.7
PostgreSQL                   9.3, 9.4, 9.5, 9.6, 10.7, 11.2

Full documentation is available here: Secretless Broker Documentation.

Secretless Broker Community Project

Secretless Broker is an independent and extensible open source community project which can be used to support native vaults and other secrets management solutions. It is maintained by developers from CyberArk and offered as an open source component of Conjur and Application Access Manager.

To explore the Secretless Broker Open Source Community Project visit Secretless Broker GitHub.