Secrets

Overview

Secrets are used to store strongly-encrypted information. All secrets can be injected into containers through the use of environment variables.

In addition to optionally being injected into containers as environment variables, secrets are also used for:

  1. Image registry (Docker, ECR, and GCP) pull secrets, enabling workloads in a GVC to pull images from private repositories.
  2. Enabling Control Plane to manage policies in Azure, using the Azure SDK and Azure Connector secret type.

NOTE: A workload identity MUST be granted the reveal permission on a secret to have its value injected at runtime.

Secret Types

Amazon Web Services (AWS)

The AWS secret type enables a workload to consume services from AWS. It is used in cases where an identity isn't used.

For example, when the organization does not wish to create a cloud account, or to create cloud access policy as part of an identity definition.

The recommended approach to consuming services from AWS is not to use a AWS secret, but rather to:

  1. Create a cloud account.
  2. Create an identity.
  3. Defining cloud access policy for the AWS account as part of the identity.

In cases where the organization wishes to not leverage the identity feature, in order to use an AWS secret, simply read the secret from the environment variable and convey its set of values to AWS using any AWS API you wish.

The AWS secret schema consists of:

  • Secret Key
  • Access Key
  • Role ARN (Optional)

These values are obtained from the AWS IAM Dashboard.

Azure SDK

  • Used to store Azure SDK credentials.

  • When creating a Cloud Account using the Azure SDK, a JSON file is generated containing the credentials. This file is uploaded and automatically stored as an Azure-SDK secret.

  • Sample Azure-SDK secret content:

    copy
    {
    "subscriptionId": "2cd2674e-4f89-4a1f-b420-7a1361b46ef7",
    "tenantId": "292f5674-78b0-488b-9ff8-6d30d77f38d9",
    "clientId": "649746ce-d862-49d5-a5eb-7d5aad90f54e",
    "clientSecret": "CONFIDENTIAL"
    }
  • If the client secret has been compromised or needs to be updated, the content of the secret can be updated using the console or CLI and will be used by the associated Cloud Accounts.

Azure Connector

Docker

The Docker secret type is used when a container pulls an image from a private Docker compatible repository, such as Docker Hub or Azure Container Registry.

An authorized user then assigns a secret of this type to a GVC Pull Secret.

Workloads in the GVC can then pull their image using the secret.

The contents of a Docker secret follows this syntax:

copy
{
"auths": {
"REPOSITORY_URL": {
"username": "USERNAME",
"password": "PASSWORD"
}
}
}

Docker Hub

To create a Docker secret targeting Docker Hub, a Docker username and password (which have permissions to pull the images) are required.

There are two ways to create the secret content:

  1. Username & Password

    Example:

    copy
    {
    "auths": {
    "https://index.docker.io/v1/": {
    "username": "USERNAME",
    "password": "PASSWORD"
    }
    }
    }
  2. auth

    The value of auth is the base64 encoded result of the string USERNAME:PASSWORD

    Example:

    copy
    {
    "auths": {
    "https://index.docker.io/v1/": {
    "auth": "base64{USERNAME:PASSWORD}"
    }
    }
    }
TIP

The PASSWORD can also be a Docker Access Token.

Azure Container Registry

To create a Docker secret targeting the Azure Container Registry, the following properties are required:

  • Repository URL
  • Service Principal ID
  • Password

An Azure Service Principal is recommened as the identity used to pull images.

Refer to this article to create an Azure Service Principal that only has the pull permission.

  • The format of the repository URI is: REGISTRY_NAME.azurecr.io and can be obtained from the Azure Container Registry section of the Azure Portal.
  • The USERNAME is the ID GUID of the Service Principal (e.g., ed0a30b4-5cd0-44af-864a-cf825b0ceeb6).
  • The PASSWORD is generated when creating the Service Principal. By default, the password expires after 1 year.
TIP

To increase the expiration length of the password, use the --years flag when running the az ad sp create-for-rbac command during the creation of a Service Principal.

Example:

copy
{
"auths": {
"REGISTRY_NAME.azurecr.io": {
"username": "APP_ID",
"password": "PASSWORD"
}
}
}

Dictionary

  • Used to securely store key/value pairs that can be used by a workload's environment variables.
  • Multiple key/value pairs can be added to a single dictionary secret.

ECR

The Elastic Container Registry (ECR) secret type is used when a workload pulls a container image from a private AWS ECR repository.

This secret type is used when configuring a GVC's Pull Secret. Workloads that are connected to that GVC will have access to the secret when pulling the image.

The ECR secret consists of:

  • AWS Secret Key
  • AWS Access Key
  • AWS Role ARN (Optional)
  • ECR Repository URIs (e.g., AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPO_NAME)
TIP

Multiple repositories can be added to the same ECR secret.

To obtain the keys required to create an ECR secret, from the AWS IAM Dashboard:

  1. Add a new IAM User with programmatic access.
  2. Create an Access Token for the new user and take note/download the secret and access key.
  3. Create a new IAM Policy for the Elastic Container Registry service with the Read action on the specific repositories.
  4. Attach the new IAM Policy to the new IAM User.
  5. Optionally, impersonate the IAM user with its credentials and try to pull an image locally as described here.
  6. Create the ECR secret using either the UI Console or CLI.

Amazon ECR helper links:

Google Cloud Provider (GCP)

  • Similar to a docker and ecr secret, a GCP secret is used when a workload pulls a container image from a private Google Container Registry.
  • This secret type is used when configuring a GVC Pull Secret. Workloads that are connected to that GVC will have access to the secret when pulling the image.
  • Using the UI, the secret JSON text can be in a file that is uploaded or pasted into the textbox.
  • Below is a sample of a GCP secret. The values can be obtained from your GCP account.
copy
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "PRIVATE_KEY_ID",
"private_key": "PRIVATE_KEY_CERTIFICATE",
"client_email": "CLIENT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "X509_CERTIFICATE_URL"
}

Keypair

  • Used to securely store a keypair that can be used by a workload's environment variables.
  • A keypair secret consists of:
    • Secret key
    • Public key
    • Passphrase (required if the secret key is encrypted)
  • Using the UI, the secret and public key text can be in a file that is uploaded or pasted into the textbox.
  • The keys will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates.
Sample Key Pair

Sample secret key:

copy
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9A26BB15304B18E7
ZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L
dIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT
gQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP
616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH
te2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2
IRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw
uXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+
1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3
qopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1
sLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ
yvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY
6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR
0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ
YZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8
aZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm
iW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT
C/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W
D7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj
Ve0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr
Wjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN
6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht
xx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW
RyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3
hWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA
85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv
-----END RSA PRIVATE KEY-----

Sample public key:

copy
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv
baAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO
BhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m
XMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr
ryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3
NxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3
XwIDAQAB
-----END PUBLIC KEY-----

Passphrase:

copy
cpln

Opaque

Opaque secrets are used to securely store any text as plain text or base64.

To access the stored text, an environment variables' value is set to one of the following:

  1. cpln://secret/SECRET_NAME.payload

    • If the encoding is set to base64, the decoded value will be returned
  2. cpln://secret/SECRET_NAME (without the .payload)

    Example values returned:

    base64: "{\"payload\":\"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0\",\"encoding\":\"base64\"}"

    plain text: "{\"payload\":\"The is an opaque secret in plain text\",\"encoding\":\"plain\"}"

TIP

When creating a secret and base64 is selected, the input string will be validated before saving.

TLS

  • Used to securely store a Transport Layer Security (TLS) secret that can be used by a workload's environment variables.
  • A TLS secret consists of a:
    • Key
    • Certificate
    • Chain Certificate (optional if the certificate is self-signed or not part of the installed root certificates)
  • Using the UI, the secret can be in a file that is uploaded or pasted into the textbox.
  • The certificates will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates
Sample TLS

Sample key:

copy
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4
XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN
rsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn
pvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN
bBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi
L2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l
jq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g
Zhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX
3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD
YjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1
Z8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw
rFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am
spmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf
LzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC
/1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt
vig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr
KY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ
D/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD
LyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT
FGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8
zljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC
HnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon
aH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt
gFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl
/LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR
S1hFKnRRcrVqA+HjWnZ//BGi
-----END PRIVATE KEY-----

Sample certificate:

copy
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL
BQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH
DAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx
EDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p
bzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV
UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL
BgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv
MR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0
RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9
yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk
PsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr
aetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY
/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud
DgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9
Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
sDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4
ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD
wAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M
5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ
YxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD
u2ZCis/EwXsqRJPkIPnL
-----END CERTIFICATE-----

Sample chain certificate:

copy
None. The above key and certificate were self-signed.

Username & Password

  • Used to securely store a username and password secret that can be used by a workload's environment variables.
  • The secret consists of:
    • Username
    • Password
  • The secret will only be created or updated if the username and password are valid strings.

Permissions

The permissions below are used to define policies together with one or more of the four principal types:

PermissionDescriptionImplies
createCreate new secrets
deleteDelete secrets
editModify existing secretsview, reveal
manageFull accesscreate, delete, edit, manage, reveal, use, view
revealReveal the plaintext of the secretview
useRefer to this secret from other entities (GVCs, cloud accounts, etc)view
viewRead-only access excluding plaintext

Reveal Permission

The plaintext of a secret can be viewed only if you or an identity has the reveal permission.

For example, when using a secret as the value of an environment variable for a container, the identity assigned to the workload must have the reveal permission set on the assigned secret using a policy.

When configuring the environment variable, the value of the variable will be in the following format: cpln://secret/SECRET_NAME. The image running within the container will be able to access the plaintext of the secret by referring to the name of the configured environment variable.

Use Permission

A secret is used with a:

To allow a non-administrator user the ability to use a secret with one of the above objects, the user must be granted the use permission.

For example, if the image assigned to a container belongs to a private Docker registry, a pull secret for that registry must be added to the associated GVC. The user that is configuring this application must have the use permission set on the secret (using a policy) to be able to add it as a pull secret.

Updating Secrets

If a secret value is updated, any workload referencing that secret will need to be redeployed.

Permissions

The permissions below are used to define policies together with one or more of the four principal types:

PermissionDescriptionImplies
createCreate new secrets
deleteDelete secrets
editModify existing secretsview, reveal
manageFull accesscreate, delete, edit, manage, reveal, use, view
revealReveal the plaintext of the secretview
useRefer to this secret from other entities (gvcs, cloudaccounts, etc)view
viewRead-only access excluding plaintext

Access Report

Displays the permissions granted to principals for the secret.

CLI

To view the CLI documentation for secrets, click here

Copyright © 2021 Control Plane Corporation. All rights reserved. Revision 30221ec6
Contents