User guides
Secret management service is implemented on the base of Hashicorp’s Vault which has web-based GUI and is supported by many client tools and libraries. However, using Secret management service via FedCloud client is strongly recommended as the client is tightly integrated with the service, it works out of the box without additional configuration, has simple syntax and also advanced features like encrypted secrets.
Concepts of Secret objects
Secret objects in Secret management service are identified by their paths, like files on disk. Each user has a private secret space for storing his secret objects and cannot see secret objects from other users. Each secret object may contain several secret values, each value is identified by its key. For example, a secret object for a service in Cloud may contain several different passwords for different components: database, webservice and so on. Secret objects in Secret management service are created, retrieved, deleted as the whole, users cannot edit individual secret values of an existing secret.
Prerequisite
The latest version of FedCloud client (1.2.19 and higher) is installed. If not, install or upgrade the client:
$ pip3 install -U fedcloudclient
Valid access token from EGI Check-in for authentication, either from EGI Check-in Token Portal or oidc-agent, is set to environment variable:
$ export OIDC_ACCESS_TOKEN=<ACCESS_TOKEN>
Basic usage
As FedCloud client is tightly integrated with Secret management service, no additional setting is required. Users can access the service immediately with simple commands without understanding details described in the Section Service design and implementation. There is a quickstart:
Create a secret object
my_app_secretsin Secret management service, store MySQL and admin passwords in the secret object:
$ fedcloud secret put my_app_secrets mysql_password=123456 admin_password=abcdef
List secret objects stored in Secret management service:
$ fedcloud secret list
my_app_secrets
Read a secret object from Secret management service. If a key is given as parameter, the client will print only the secret value corresponding to the key (what is useful for scripting), otherwise it will print the table of all
key:valuepairs.
$ fedcloud secret get my_app_secrets
key value
-------------- -------
admin_password abcdef
mysql_password 123456
$ fedcloud secret get my_app_secrets mysql_password
123456
$ ADMIN_PASSWORD=$(fedcloud secret get my_app_secrets admin_password)
$ echo $ADMIN_PASSWORD
abcdef
Delete a secret object from Secret management service.
$ fedcloud secret delete my_app_secrets
Secret values from small text files
If the value string is started with @, the FedCloud client will read the content of the file with the name for the
value of the key. The following command creates a secret object certificate in Secret management service for storing
host certificate and host key:
$ fedcloud secret put certificate cert=@hostcert.pem key=@hostkey.pem
Users can get the certificate latter on the target VM as follows:
$ fedcloud secret get certificate cert > hostcert.pem
$ fedcloud secret get certificate key > hostkey.pem
The limit size of the secret object is 512kB, it is sufficient for storing tokens, certificates, configuration files and so on. For larger datasets, please use permanent cloud storages.
Secret values from small binary files
It is recommended to store secret values as texts for compatibility and easy manipulation. FedCloud client provides
support for storing small binary files as secret values by encoding/decoding the binary data to ASCII via
base64. Users need to add option --binary-file or -b when
reading/writing binary secret values from/to files:
$ fedcloud secret put secret-image image=@secret-image.png --binary-file
$ fedcloud secret get secret-image image -b > received-image.png
Encrypted secrets
For highly-sensitive secrets, users can choose to encrypt the secret values before putting them to the service. The
encryption is done automatically on the fly if an encryption key (passphrase) is provided via option
--encrypt-key or -e:
$ fedcloud secret put certificate cert=@hostcert.pem key=@hostkey.pem --encrypt-key my-pass-phrase
Decryption is done in a similar way, just by providing decryption key via option
--decrypt-key or -d when reading, the secret values will be decrypted
automatically if the key is correct:
$ fedcloud secret get certificate cert --decrypt-key my-pass-phrase
Only secret values are encrypted, not their keys. Users can verify what is actually stored in the Secret management service by reading the secret object without providing decryption key:
$ fedcloud secret get certificate cert
gAAAAAB...............................
The encryption/decryption is done by standard Python crytography library. Security experts are invited to review the code (available at GitHub) and give feedback and suggestions for improvements if possible.
Export and import secrets
Users can print outputs in
YAML/JSON format for further processing by option --output-format or simply -f:
$ fedcloud secret get my_app_secrets -f json
$ fedcloud secret get my_app_secrets -f yaml > my_app_secrets.yaml
The secret objects in YAML/JSON files can be imported back to the service by adding @ before filenames as parameters,
telling client to read secret objects from files:
$ fedcloud secret put my_second_app_secrets @my_app_secrets.yaml
Note the difference in examples: cert=@hostcert.pem for reading the content of the file horstcert.pem as the
value for the key cert, and @my_app_secrets.yaml for reading whole secret object with all key:value pairs
from the YAML file.
As YAML format is a superset of JSON, it is expected by default unless the filename has .json extension. Try to
export your secrets to both formats to see the differences between formats.
Importing secret objects from files in free text format key=value is not supported as the format is error-prone,
especially for multi-line secret values or values with special characters. Users can replace = to : for
converting simple free text files to YAML format. Note that a blank space after : is required by YAML syntax.
Modifying existing secrets
As mentioned in the Concepts above, secret values in secret objects cannot be edited individually in the service. However, users can get the contents of existing secret objects, change them locally, then put the new contents back to the service. For examples:
Adding new secret values to an existing secret object:
$ fedcloud secret get certificate -f json > certificate.json
$ fedcloud secret put certificate @certificate.json another_cert=@usercert.pem another_key=@userkey.pem
Deleting secret values in an existing secret object:
$ fedcloud secret get certificate -f json | jq 'del (.another_cert, .another_key)' > certificate.json
$ fedcloud secret put certificate @certificate.json
Updating secret values in an existing secret object:
$ fedcloud secret get certificate -f json > certificate.json
$ fedcloud secret put certificate @certificate.json cert=@new_hostcert.pem key=@new_hostkey.pem
Reading data from standard inputs
Reading data from stdin may help users to make shorter scripts and to avoid storing secrets in intermediate files on
disks for security reasons. The symbol - in input parameters means the data will be read from standard input in
the same way as @ for reading from files. For examples:
Reading
key:valuepairs from standard input. The data need to be in JSON or YAML format:
$ echo '{"mysql_password":"123456"}' | fedcloud secret put my_app_secrets -
Reading only secret value from standard input:
$ echo "abcdef" | fedcloud secret put my_app_secrets admin_password=-
Copying a secret object. The command export the existing secret object to JSON and import it as a new copy:
$ fedcloud secret get my_app_secrets -f json | fedcloud secret put new-secret-copy -
Adding new secret values to an existing secret object (in example above) without storing secrets in intermediate files:
$ fedcloud secret get certificate -f json | fedcloud secret put certificate - another_cert=@usercert.pem another_key=@userkey.pem