In this scenario, you will get an overview of the Secretless Broker and learn how to deploy it, along with a database backend and an application that never sees the database password.
What is Secretless Broker?
With the Secretless Broker feature of Conjur, applications can securely connect to databases, services and other protected resources – without fetching or managing secrets.
Secretless Broker is an independent and extensible open source community project maintained by CyberArk. Today Secretless Broker works within Kubernetes and OpenShift container platforms with Conjur, Application Access Manager’s Dynamic Access Provider, and Kubernetes Secrets vaults.
How Does Secretless Broker Work?
When an application needs to securely access a resource, such as a database, it does not present access credentials itself. Instead, the app simply makes a local connection request to Secretless Broker, which then automatically authenticates the app, fetches the required credentials from a Vault and establishes the connection to the database on the app's behalf.
- From the developer’s perspective, instead of including code in the application to fetch the credentials from a Vault and then use them to access the resource, the developer simply configures the application to connect to the required resource via the Secretless Broker, without changing the application code.
- From the security perspective, credentials can no longer be inadvertently logged or exposed by the application: with Secretless Broker, the application code never receives the credential, so it cannot leak it.
CyberArk Secretless Broker on Kubernetes
Step 1: Before We Begin
This is a detailed, step-by-step tutorial.
With this tutorial, you will learn how to use the CyberArk Secretless Broker to deploy an application that connects to a database without knowing its password.
Applications and application developers should be incapable of leaking secrets.
To achieve that goal, you’ll play two roles in this tutorial:
- A Security Admin, who handles secrets and has sole access to them
- An Application Developer, who has no access to secrets
The situation looks like this:
Specifically, we will:
As the security admin:
- Create a PostgreSQL database
- Create a DB user for the application
- Add that user’s credentials to Kubernetes Secrets
- Configure Secretless to connect to PostgreSQL using those credentials
As the application developer:
- Configure the application to connect to PostgreSQL via Secretless
- Deploy the application and the Secretless sidecar
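The two halves of this split (the admin's Secretless configuration that sources credentials from Kubernetes Secrets, and the developer's pod that runs the app beside the Secretless sidecar) look like the following. This is an added illustration, not the tutorial's own files: the Secret name quick-start-backend-credentials with its keys address, username and password, the service name pets-pg, the ConfigMap name and the sslmode value are assumptions chosen for the example.

```yaml
# --- secretless.yml: written by the security admin (added example, not the tutorial's own file) ---
# Assumed: a Kubernetes Secret "quick-start-backend-credentials" holding the keys
# "address", "username" and "password" created by the admin, and a pod service account
# permitted to read that Secret (the Kubernetes provider fetches it through the API).
version: "2"
services:
  pets-pg:                            # one listener per protected resource (assumed name)
    connector: pg                     # speaks the PostgreSQL wire protocol to the application
    listenOn: tcp://localhost:5432    # the app connects here inside the pod; no password needed
    credentials:
      host:
        from: kubernetes              # resolved by Secretless at connection time, never by the app
        get: quick-start-backend-credentials#address
      username:
        from: kubernetes
        get: quick-start-backend-credentials#username
      password:
        from: kubernetes
        get: quick-start-backend-credentials#password
      sslmode: disable                # assumption: in-cluster PostgreSQL without TLS; prefer "require" when TLS is available
---
# --- deployment: written by the application developer, who has no access to the Secret ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quick-start-application       # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quick-start-application
  template:
    metadata:
      labels:
        app: quick-start-application
    spec:
      containers:
        - name: app
          image: example.org/quick-start-application:latest   # placeholder image
          env:
            # The connection string carries no username or password: the
            # broker injects them when it opens the real database connection.
            - name: DB_URL
              value: postgresql://localhost:5432/postgres?sslmode=disable
        - name: secretless
          image: cyberark/secretless-broker:latest
          args: ["-f", "/etc/secretless/secretless.yml"]
          volumeMounts:
            - name: config
              mountPath: /etc/secretless
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: quick-start-application-secretless-config   # assumed ConfigMap holding secretless.yml
```

The point to check when reviewing such a pair is that only the admin's file names the Secret and only the sidecar container can read it: the app container has no Secret volume or env reference, so nothing in its process, logs or environment can reveal the database password.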
Play the role of a Security Admin and learn how to set up PostgreSQL and configure Secretless.