AKeyless

source link: https://wilsonmar.github.io/akeyless/

Automation and hands-on steps to set up an enterprise-scale HA multi-cloud SaaS AKeyless vault, then retrieve secrets using various programming languages.

I’ve written hands-on articles about setting up enterprise secrets vaults using HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, etc.

PROTIP: Unlike HashiCorp Vault cloud, administrators don’t have to specify a server size, which needs to be monitored and adjusted over time. AKeyless is a SaaS solution that scales automatically. Vaults in Azure, AWS, GCP are set up for a specific region. This means charges for data egress accrue and administrators need to set up vaults in several regions, with cross-region replication to ensure that data is available in case of a disaster.

Akeyless provides a multi-cloud solution free of cross-region data egress charges.

PROTIP: The differentiation with Akeyless is that it solves the “Secret Zero Problem” by using an inherited identity derived from a parent SaaS system, together with an ephemeral token for “continuous” authentication.

How Akeyless works is illustrated in the diagram below. First, we set up components A, B, C, D, E, then walk through processing steps (1), (2), etc.

[Figure: Akeyless flow diagram (from the author's PowerPoint file)]

UID (Akeyless Universal Identity) tokens:

A. Akeyless Parent SaaS System

A) Create and activate a Global Administrator account on the Akeyless SaaS Parent system website

  1. Select an email to use for the Global Administrator, such as:

    [email protected]

    The first email address used to create the account is the Global Administrator, which has “god-like” power to change and delete anything, an account whose “blast radius” is too great for everyday use.

    PROTIP: Even if you’re an individual developer, you will be using this for production work on accounts that can run up a bill quickly. So create an email used only to set up other accounts and pay bills as the Global Administrator.

    PROTIP: Many enterprise environments create a service account email which is not associated with a human being, so that emails would go to multiple people. Emails to an individual would be ignored when that person is on vacation, etc.

    PROTIP: Because it’s difficult to change later, mature enterprises plan out (in a spreadsheet) what account emails are used, along with what roles (with associated permissions) they have to specific locations (paths to secrets). For example, a different administrator would be responsible for secrets in the production environment than in pre-production (development, test, demo, training) environments. A different administrator is typically responsible for secrets in each sovereign geographical area (US, India, Germany, etc.).

    Each Authentication Method object is associated with an Access Role that grants permission (including Create, Read, Update, Delete, List, and Deny) to this identity on Secrets, Targets, Roles, and Authentication Method objects stored inside the Akeyless SaaS solution.

    PROTIP: My company has created examples, automation, and expert consultation to quickly establish all credentials, then train everyone. Contact me for details.

  2. Store the Administrator’s email address as an environment variable AKEYLESS_ADMIN_EMAIL (accessible to Bash CLI scripts) by adding the following line to the .bash_profile or .zshrc file in your user $HOME folder:

    export AKEYLESS_ADMIN_EMAIL="[email protected]"
    

    This variable will be referenced in bash shell scripts below.

  3. In a personal password safe such as 1Password, create a Login entry with the Administrator email and a password. The Chrome extension would enable you to login to the Parent SaaS system website without typing the password. Handy especially when you’re doing a demo.

  4. Click the “Sign Up” link at the top of the Akeyless Parent SaaS system website: VIDEO:

    https://console.akeyless.io/

  5. Confirm the email address by clicking the link in the email sent to the Administrator’s email address.

    Success is the menu appearing as shown in the screenshot:

    [Figure: Akeyless console menu (akeyless-menu image)]

    Targets act as a connector between credentials and the items that need to utilize them, both saving time for the user and protecting your flows from credential breakage.

    “Gateways” are the Akeyless machines (with IP addresses) that access the Targets.

    Akeyless doesn’t require a credit card because it is free for the first 2,000 secrets forever, accessed by up to 5 clients. 3 days of log retention is also provided free.

    The lock icon next to menu items highlights features requiring a paid Enterprise license, such as “Data Protection”. See the Pricing page at https://www.akeyless.io/pricing

    Extended log retention and Log forwarding to a SIEM (Security Information and Event Management) system are also available for an additional fee.

  6. Click menu item “Online Support”. Click the Slack logo to register via their email ([email protected]) or Slack channel.

    PROTIP: Most of the Akeyless team is based in Israel, so they are 7 hours ahead of the US East Coast, 10 hours ahead of the US West Coast, and 2 hours ahead of the UK.

  7. Use the Global Admin to create accounts and permissions that limit what you and others can do. Apply “Least Privilege” principles to limit the “blast radius” when credentials end up in the hands of someone malicious. See this video about Role-Based Access Control (with API Key Authentication).


B. Akeyless Admin CLI

To install the Akeyless CLI for use by the Administrator on a Mac:

NOTE: The commands documented at

https://docs.akeyless.io/docs/cli-reference

download the program to the current folder, so you either run it as ./akeyless from that folder or add the folder to the PATH in your .bash_profile or .zshrc file. I prefer to avoid that hassle by using Homebrew, which automatically figures out which folder to install the program into (one already on the PATH), so the program can be run from any folder.

So, instead, install and use Homebrew to do the following:

  1. In a Terminal session, on any folder, get information about the akeyless brew package:

    brew info akeylesslabs/tap/akeyless
    ==> akeylesslabs/tap/akeyless: stable 1.90.0
    Akeyless CLI
    https://www.akeyless.io
    Conflicts with:
      akeyless
    Not installed
    From: https://github.com/akeylesslabs/homebrew-tap/blob/HEAD/Formula/akeyless.rb
    

    Note that the akeyless program is installed from GitHub.

  2. Switch to a browser to view Akeyless public GitHub repos at:

    https://github.com/akeylesslabs/

    NOTE: Code for the Akeyless server is NOT open source and not public on GitHub.com.

    https://docs.akeyless.io/docs/github-actions-community-plugin describes how to retrieve static and dynamic secrets from Akeyless using GitHub Actions workflows at https://github.com/LanceMcCarthy/akeyless-action

    Kubernetes

    Apps within Kubernetes use a Gateway to reach AKeyless SaaS. See https://docs.akeyless.io/docs/kubernetes-auth and https://docs.akeyless.io/docs/ldap

    In Kubernetes environments, for client management and billing, Akeyless counts client entities per namespace based on the secret profiles retrieved.

    Akeyless Bastions

    The best credentials are no credentials at all. So credentials (dynamic secrets, rotated secrets, and SSH certificates) are provided to customer apps Just In Time through a “bastion” server: a gateway that fetches encrypted resources from the Akeyless Secrets Store and decrypts them. There are several types of bastions.

    • Akeyless Secure Remote Access (SRA) Bastion uses SSH with certificates.
    • Web Access Bastion provides Secure Remote Access to any web application, with session recording. It includes a proxy service acting as an entry point to your internal web applications: only after successful authentication do users get access, either via an isolated remote browser or directly to your target server, based on your secret configuration.

    VIDEO: Bastion configuration.

    The SRA runs as a Kubernetes cluster setup using a Helm chart at:

    https://akeylesslabs.github.io/helm-charts

    BTW: On the right pane on GitHub, notice that there are many Contributors.

    The repo uses the Mustache templating language to replace variables in YAML files.

    PROTIP: GitHub incorrectly recognizes .tpl (template) file extensions as “Smarty” (an unrelated PHP package) rather than YAML. This mislabeling has no functional impact because the error is in GitHub’s language detection.

    Uses kubernetes-auth.


    CLI Install

  3. Install the Akeyless CLI program from the internet:

    brew install akeylesslabs/tap/akeyless
    

    Brew automatically recognizes whether you have an Intel or Apple Silicon chip on your Mac and installs to the appropriate folder.

    On an Intel (x86_64) chip:

    cd /usr/local/bin

    On an Apple Silicon (arm64 M1/M2/M3) chip:

    cd /opt/homebrew/bin
  4. Confirm where the program is installed:

    ls `where akeyless`
    lrwxr-xr-x@ 1 johndoe  admin  38 Dec 29 21:06 /usr/local/bin/akeyless -> ../Cellar/akeyless/1.90.0/bin/akeyless
    
    0B    /usr/local/bin/akeyless

    What is downloaded is not a folder but a binary executable program.

    Connect to Akeyless SaaS

    There are several ways to connect to the Akeyless SaaS server.

  5. To configure the connection to the Akeyless SaaS host (the docs say to run ./akeyless; with Homebrew the program is already on your PATH):

    akeyless configure --admin-email "${AKEYLESS_ADMIN_EMAIL}"
    

    The response:

    Profile default successfully configured

    WARNING: This command creates a $HOME/.akeyless folder with a profiles subfolder containing a default.toml file with the Administrator’s email address and static password, which is not secure.

  6. View the $HOME/.akeyless folder created by the above command:

    ls -al ~/.akeyless
    

    According to Unix conventions, a . in front of a folder name means that it is meant to be “hidden”.

    drwx------@   2 johndoe  staff    64 Dec 31 02:00 .tmp_creds
    -rw-r--r--@   1 johndoe  staff     7 Dec 31 01:40 cli-latest
    drwx------@   3 johndoe  staff    96 Dec 31 02:00 profiles
    -rw-r--r--@   1 johndoe  staff    40 Dec 29 21:07 settings
    
  7. View the contents of cli-latest:

    cat ~/.akeyless/cli-latest

    shows the version of the CLI program:

    1.90.0
  8. Verify CLI install success by getting the version:

    akeyless -v
    Version: 1.90.0.dca3303

    TODO: History of releases listed at ???

  9. View the contents of settings:

    cat ~/.akeyless/settings

    contains:

    dns="vault.akeyless.io"
    protocol="https"
    

    TODO: What is the .tmp_creds folder for?

  10. View the contents of default.toml:

    cat ~/.akeyless/profiles/default.toml

    shows the initial profile formatted in TOML (Tom’s Obvious Minimal Language):

    ["default"]
      access_type = 'password'
      admin_password = '12345678901234567890123='
      admin_email = '[email protected]'
      account_id = ''
    

    PROTIP: If you want to avoid having static passwords on your laptop (which is the whole point of using Akeyless), use another type of authentication.
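As an added check (not code from the original post or from Akeyless), the script below scans the profile files for the static-password access type the PROTIP warns about, and for profile files readable by other users on the laptop. The TOML parser is a minimal one written here for the layout shown above, and the sample profile is constructed with the password redacted.

```python
import os
import re
from pathlib import Path

# Profile layout shown above: a ["name"] table followed by key = 'value' lines.
# A minimal parser is used so the script also runs on Python < 3.11 (no tomllib).
_TABLE = re.compile(r'^\s*\["?([^"\]]+)"?\]\s*$')
_KEYVAL = re.compile(r"""^\s*(\w+)\s*=\s*(['"])(.*)\2\s*$""")

def parse_profiles(text):
    """Return {profile_name: {key: value}} from default.toml-style text."""
    profiles, current = {}, None
    for line in text.splitlines():
        table = _TABLE.match(line)
        if table:
            current = table.group(1)
            profiles.setdefault(current, {})
            continue
        kv = _KEYVAL.match(line)
        if kv and current is not None:
            profiles[current][kv.group(1)] = kv.group(3)
    return profiles

def static_password_profiles(text):
    """Names of profiles that keep the admin password on disk (access_type 'password')."""
    return sorted(name for name, kv in parse_profiles(text).items()
                  if kv.get("access_type") == "password" and kv.get("admin_password"))

def loose_permissions(path):
    """True when group or other can access the profile file (mode wider than 0600)."""
    return bool(os.stat(path).st_mode & 0o077)

def audit_profile_dir(directory=Path.home() / ".akeyless" / "profiles"):
    """Map each *.toml profile file to its findings; an empty dict means clean."""
    findings = {}
    for path in Path(directory).glob("*.toml"):
        issues = [f"static password in profile '{name}'"
                  for name in static_password_profiles(path.read_text())]
        if loose_permissions(path):
            issues.append("file readable by group/other")
        if issues:
            findings[path.name] = issues
    return findings

# Constructed sample matching the default.toml shown above (password redacted)
SAMPLE_PROFILE = """["default"]
  access_type = 'password'
  admin_password = 'REDACTED-STATIC-PASSWORD'
  admin_email = 'admin@example.com'
  account_id = ''
"""
```

Run `audit_profile_dir()` with no argument to check your own ~/.akeyless/profiles folder; a profile configured with another access type (for example api_key) is not flagged.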

    CLI Deep Dive

  11. To list all akeyless commands:

    akeyless -h

    Read about each command at:
    https://docs.akeyless.io/docs/cli-reference

  12. Display details of all items in JSON format (with color provided by jq):

    akeyless list-items | jq .

    Item “/MyFirstSecret” was created automatically when the account was created.

    {
      "items": [
     {
       "item_name": "/MyFirstSecret",
       "item_id": 238833834,
       "display_id": "ytb1s0f989Tm-rvmpx5tfgafh",
       "item_type": "STATIC_SECRET",
       "item_sub_type": "generic",
       "item_metadata": "",
       "item_tags": null,
       "item_size": 0,
       "last_version": 1,
       "with_customer_fragment": false,
       "is_enabled": true,
       "public_value": "",
       "certificates": "",
       "protection_key_name": "",
       "cert_issuer_signer_key_name": "",
       "client_permissions": [
         "read",
         "list",
         "update",
         "delete",
         "create",
         "sra_transparently_connect",
         "sra_request_for_access",
         "sra_require_justification",
         "sra_approval_authority"
       ],
       "certificate_issue_details": {},
       "item_general_info": {
         "cert_issue_details": {},
         "dynamic_secret_producer_details": {},
         "rotated_secret_details": {},
         "classic_key_details": {},
         "secure_remote_access_details": {
           "use_internal_bastion": false
         },
         "static_secret_info": {}
       },
       "is_access_request_enabled": false,
       "access_request_status": "",
       "delete_protection": false,
       "creation_date": "2023-12-29T15:38:37Z",
       "modification_date": "2023-12-29T15:38:37Z",
       "gateway_details": null
     }
      ],
      "next_page": "eyJpIjoiL015Rmlyc3RTZWNyZXQifQ=="
    }
    

    The “next_page” value, a Base64-encoded string, provides a “blockchain” of items that can be used to ensure and verify the integrity of the list.

    TODO: To list just the Item Names using jq?
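To answer the TODO with jq: akeyless list-items | jq -r '.items[].item_name'. The added Python below (not code from the original post or from Akeyless) does the same offline on the output shown above, decodes the next_page cursor into the JSON object it carries, and reports any permissions beyond read and list, assuming client_permissions lists the calling identity's permissions on each item. The sample input is trimmed from the list-items output above.

```python
import base64
import json

# Sample input: the list-items output shown above, trimmed to the fields used here.
SAMPLE_LIST_ITEMS = """{
  "items": [
    {
      "item_name": "/MyFirstSecret",
      "item_type": "STATIC_SECRET",
      "client_permissions": ["read", "list", "update", "delete", "create",
        "sra_transparently_connect", "sra_request_for_access",
        "sra_require_justification", "sra_approval_authority"]
    }
  ],
  "next_page": "eyJpIjoiL015Rmlyc3RTZWNyZXQifQ=="
}"""

def item_names(output):
    """Item names only (the jq equivalent: jq -r '.items[].item_name')."""
    return [item["item_name"] for item in json.loads(output)["items"]]

def decode_next_page(output):
    """Decode the Base64 next_page cursor into the JSON object it carries."""
    token = json.loads(output).get("next_page")
    if not token:
        return None
    return json.loads(base64.b64decode(token))

def excess_permissions(output, allowed=("read", "list")):
    """Per item, the caller's permissions beyond `allowed`. Run list-items as the
    client identity (not the Global Admin) to check least privilege on its items."""
    excess = {}
    for item in json.loads(output)["items"]:
        extra = sorted(set(item.get("client_permissions") or []) - set(allowed))
        if extra:
            excess[item["item_name"]] = extra
    return excess

if __name__ == "__main__":
    # Offline run on the sample; feed it `akeyless list-items` output for real data
    print(item_names(SAMPLE_LIST_ITEMS))
    print(decode_next_page(SAMPLE_LIST_ITEMS))
    print(excess_permissions(SAMPLE_LIST_ITEMS))
```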

    (1) Create initial token

  13. Create a starter token using the Auth ID method in the Akeyless server – by using the Akeyless Vault GUI at https://console.akeyless.io/items “Users & Auth Methods” menu item:

    [Figure: “Users & Auth Methods” screen (akeyless-auth image)]

    Alternately, use this Akeyless CLI program command:

    akeyless create-auth-method-universal-identity --name uidAuth --ttl 60 --profile adminProfile
    

    Akeyless’s Universal Identity (UID) authentication method is used by on-premises machines.

    NOTE: The starter token is only used once to authenticate to the Akeyless plugin.

  14. The Akeyless server sends back a SaaS ACK.

    C. Client app setup

    akeyless create-secret -n /folder/sec1 -v val
    A new secret named /folder/sec1 was successfully created
    akeyless create-dfc-key -n /folder/sub-aes-key --alg AES256GCM
    Encryption Key Fragement #1 created succsessfully in 17 milliseconds
    Encryption Key Fragement #2 created succsessfully in 18 milliseconds
    =====================
    A new AES256GCM key named /folder/sub-aes-key was successfully created
    

    (3) Admin generates initial u-token

  15. The Administrator generates a new UID token and loads it into the client app.

    (4) Client runs auth command using UID init token

  16. The client runs Akeyless using the initial UID token.

    https://docs.akeyless.io/docs/cli-reference

    (5) Client runs using t-token

  17. The Akeyless server responds with a new JWT UID token.

    (6) Use JWT token

  18. The client runs app commands using the new JWT UID token.

    (7) Client rotates UID using u-token

  19. After the processing window passes, the client requests a rotation using the token.

    REMEMBER: Rotation of secrets requires an enterprise license.

    The client can request a new token at any time within the processing window. VIDEO:

    akeyless create-secret --name MySecret1 --value MySecretPassword
    

    The default processing window is 60 seconds.

    (8) Returns ACK+new u-token

  20. The Akeyless server returns a new key with u-token.

    (9) Run auth with updated u-token

  21. The client runs app commands using the updated JWT UID token.
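As an added example of the client side of steps (3) through (9), not code from the original post or from Akeyless: a small Python wrapper around the CLI that keeps the u-token in an owner-only file, rotates it at half the processing window, and refuses to continue once the window has passed (at which point the Administrator must issue a new init token). The CLI flags (--uid_token on auth, --uid-token on uid-rotate-token) and the "Token: <value>" output line are assumptions to confirm against the CLI's -h output; the access ID is a placeholder.

```python
import os
import subprocess
import time
from pathlib import Path

# Assumed CLI syntax (confirm with `akeyless auth -h` and `akeyless uid-rotate-token -h`):
#   akeyless auth --access-id <id> --access-type universal_identity --uid_token <u-token>
#   akeyless uid-rotate-token --uid-token <u-token>
# Both are assumed to print a line of the form "Token: <value>".

def run_cli(args):
    """Run the akeyless CLI and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout

def parse_token(output):
    """Extract the token value from a "Token: <value>" line (assumed format)."""
    for line in output.splitlines():
        if line.startswith("Token:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Token:' line in CLI output")

class UidClient:
    """Client side of the UID flow: one init token, then continuous rotation."""

    def __init__(self, access_id, token_file, ttl_seconds=60, run=run_cli, clock=time.monotonic):
        self.access_id, self.token_file = access_id, Path(token_file)
        self.ttl, self.run, self.clock = ttl_seconds, run, clock
        self.u_token, self.issued_at = None, None

    def bootstrap(self, init_token):
        """Steps (3)-(4): take the one-time init token the Administrator handed over."""
        self._store(init_token)

    def _store(self, token):
        self.u_token, self.issued_at = token, self.clock()
        self.token_file.write_text(token)
        os.chmod(self.token_file, 0o600)   # the u-token is a credential: owner-only

    def needs_rotation(self):
        """Rotate at half the window so a retry still fits before the u-token expires."""
        return self.u_token is None or (self.clock() - self.issued_at) >= self.ttl / 2

    def rotate(self):
        """Steps (7)-(8): trade the current u-token for a fresh one and persist it."""
        if self.u_token is None or (self.clock() - self.issued_at) >= self.ttl:
            raise RuntimeError("u-token window passed; the Administrator must issue a new init token")
        self._store(parse_token(self.run(["akeyless", "uid-rotate-token", "--uid-token", self.u_token])))

    def t_token(self):
        """Steps (5)-(6) and (9): authenticate with the current u-token to get a t-token."""
        if self.needs_rotation():
            self.rotate()
        return parse_token(self.run(["akeyless", "auth", "--access-id", self.access_id,
                                     "--access-type", "universal_identity", "--uid_token", self.u_token]))
```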

    Programming languages

    [Figure: Akeyless programming languages (akeyless-langs image)]

Machines installed with Akeyless identify other machines in the network to ensure the data received is authentic. Akeyless uses its own plugin to allow the Vault and environment to interact in a secure fashion. Akeyless offers their “Universal Secrets Connector”. Akeyless removes the need for secret zero entirely through the Universal Identity mechanism packaged within its “Vaultless Platform”.

The process begins with a starter token created by a human employee that’s used once to authenticate the plugin. From there, Akeyless issues its own tokens and begins authenticating applications. Each token is replaced by a new one on its next use, within a specified time window.

Whenever a new entity is registered under this system, it inherits the identity and token of the original entity. This constant cycle of temporary, rotating identity tokens is a secure alternative to using a single secret zero.


Audit Logs, Analytics, and Usage Reports

VIDEO:

https://docs.akeyless.io/docs/audit-logs

AKeyless was published on January 06, 2024.