I had a talk with a friend today about a project his startup is doing. It is a nodejs application with a mongodb backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.
I come from an Azure and .NET background so I am used to using Azure Key Vault, and don't know what is the preferred way of doing it in GAE. I have tried to read the docs but there are a lot of options and none seems to quite mirror what I am used to in Azure.
I would like to help my friend out.
So could anyone please point me towards what product I should read up on. Is it Hashicorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted and the nodejs app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.
If the vault can also fit into a Terraform setup where we can provision all resources and at provisioning also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome! That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.
Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those 2 from Google. In general, all those solutions that you mentioned in your question are viable and you can find more here.
Related
I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated sas token itself expires after a period of time and the app started crashing when trying to autheticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!
I've done everything from giving both vault and app god powers and what not, created a multitude of endpoints and VPN's, and god knows what. Still, when passing a keyvault reference to the Web App config, it is unable to resolve saying I have insignificant privalages. Basically, I'm trying to make it so I can retrieve secrets from my vault so I don't have to embed them in my code. I am using the free trial. I feel like I'm missing something obvious but at the same time, given the ungodly amount of power my Web App and Vault have now I'm not so sure.... :/ I am trying to do this without using the CLI, as it appears kaput (it doesn't recognize my UPN and when I use object ID I get that AK10032 warning).
I have found that the reason I cannot access the key vault using an endpoint is because using a vnet resource to access resources is for paid accounts. I have to set network to allow all connections for the Web App to be able to connect to a vault.
As for the latter part of my issue, I figured out that for some reason vs code was not processing the environment variable, so I had to implicitly pass the needed param, so problem solved there.
I am using TypeScript for Azure Functions development. On production I use #Microsoft.KeyVault to read the secrets from a KeyVault. Is there a way I can make it work in local development as well?
I am thinking there might be a way to register the VS Code instance/certificate in Azure AD and KeyVault and somehow work it out.
This issue seems to have been discussed a long time ago. From various perspectives, the official seems not to provide a way to use key vault directly locally.
But you can still refer to some discussions on this issue:
I have an app that I want to run in Cloud Foundry (specifically, in IBM Bluemix). This app will call out to a number of third-party services/APIs, most of which are not managed via CF services. One of these APIs requires my app to use an SSL key to authenticate, so my app needs access to a private SSL key.
My app is deployed from an automated pipeline (specifically, IBM Bluemix DevOps Pipelines) based off of source from a GitHub repo and some small scripts saved in the pipeline config.
It seems like a bad idea to keep the private key file in the source control, and I don't believe there's anywhere to keep it in the pipeline config, so what are my options for making it available to the app while keeping it secure?
I've read this article: Keeping secrets – how your cloud application should access credentials and other private data which says that secrets, passwords, etc, can be made available via environment variables or Cloud Foundry user-provided services.
Googling to find out if this is a suitable option for SSL keys, I find this Cloud Foundry Page: Understanding Cloud Foundry Security which says "Store SSL keys securely to prevent disclosure, and promptly replace lost or compromised keys.", but doesn't say anything about how to store them securely and make them available to your apps.
So what options are available to me for storing the private key and making it available to my CF app while not storing it in my source control?
Note: I believe I do not want the cf ssh functionality, as that is for connecting in to an app (if I understand it correctly), not for an app connecting out.
Agreed - keeping your key in source control is bad practice.
Bluemix has a service called Key Protect that should provide exactly what you're looking for.
Docs here
Alternatively there are a number of other 3rd party providers you could use to do this.
According to the releases a few day ago by Scottgu, its now possible to use the windows azure management api without client certificates.
Are there any examples of doing this?
I have a Azure Cloud Service Package that I would like to let people deploy from my website. Therefore I would like to, from javascript, to authenticate the user to their Azure subscription ( some oauth against the WAAD ) and then by rest api deploy my package for them.
I dont need a concrete examples, but just some pointers on how I could do this.
I dont want users to give me their passwords offcause, therefore i need some guidance on how I can do SSO of the user against WAAD/Windows Azure management api and from there use the access token to deploy the package.
As of today, the Service Management API documentation regarding this new authentication mechanism (http://msdn.microsoft.com/en-us/library/windowsazure/ee460782.aspx) is not updated. Since the new login mechanism is supported in PowerShell which is essentially a REST Wrapper over this API and is open source, one thing you could do is take a look at the source code of the Cmdlets on Github (https://github.com/WindowsAzure/azure-sdk-tools) to see how it is accomplished there and write something of your own (and share it here:)).