Many secret injection services simply store a private key and encrypt data for users. The users then add those encrypted payloads to a job, and the payload is decrypted using the private key associated with their account at run time, I see a few problems with this system:
- Secret usage isn't tracked.
- Secrets exist in an environment even when they aren't being used.
- It encourages secrets to be stored in contexts (environment variables and flat files) which are prone to leakage.
Today we deployed
TaskCluster Secrets, a new service I've been working on for the last two weeks which stores encrypted json payloads on behalf of taskcluster clients. I'm excited about this service because it's going to form the foundation for a new method of secret injection which solves all of the problems listed above.
How does it work?In TaskCluster Secrets, each submitted payload (encrypted at rest) is associated with an OAuth scope. The scope also defines which actions a user may make against the secret. For example, to write a secret named '
someNamespace:foo' you'd need an OAuth scope '
secrets:set:someNamespace:foo,' to read it you'd need 'secrets:get:someNamespace:foo,' and so on.
Tying each secret to a scope, we're able to generate an interesting work flow for access from within tasks. In short, we can generate and inject temporary credentials with read only access. This forces secrets to be accessed via the api and yields the following benefits:
- Secrets are only brought into a task as they are requested.
- Every secret access is logged via the API server.
- Secrets are only revealed when called by name, instead of just
env.
What's more, we can store the temporary OAuth credentials in an http proxy running alongside of a task instead of within it, so that even the credentials are not exposed by default. This way someone could have a snapshot of your task at startup and not gain access to any private data. \o/
Case Study: Setting/Getting a secret for TaskCluster GitHub jobs1.) Submit a write request to the TaskCluster GitHub API :
PUT taskcluster-github.com/v1/write-secret/org/myOrg/repo/myRepo/key/myKey {githubToken: xxxx, secret: {password: xxxx}, expires: '2015-12-31'}2.) GitHub OAuth token is used to verify org/repo ownership. Once verified, we generate a temporary account and write the following secret on behalf of our repo owner :
myOrg/myRepo:myKey {secret: {password: xxxx}, expires: '2015-12-31'}3.) CI jobs are launched alongside HTTP Proxies which will attach an OAuth header to outgoing requests to taskcluster-secrets.com/v1/.... The attached token will have a scope:
secrets:get:myOrg/myRepo:* which allows any secret set by the owner of the
myOrg/myRepo repository to be accessed.
4.) Within a CI task, a secret may be retrieved by simple HTTP calls such as:
curl $SECRETS_PROXY_URL/v1/secret/myOrg/myRepo:myKeyEasy, secure, and 100% logged.
http://linux-poetry.com/blog/section/mozilla/25/
