Comments (12)
Summon doesn't require conjur in order to function. We use summon without conjur (summon-s3 and summon-file extensions). So IMO it would just be an alternative to conjur, just like the extensions are.
from summon.
Providing an open standard for secrets managers like Vault and Conjur is a primary goal of this project (it evolved from a Conjur specific tool).
The prerequisite is to add a feature where summon can periodically check to see if a secret's value has changed, and if so restart the child process with the new value. This is because vault secrets come with a lease period, after which the secret's value is no longer guaranteed to be valid.
This would be a win for the Conjur provider as well, so it's definitely on the roadmap.
I am really glad to hear that. I have a chilly feeling you are on the right track 👍
tl;dr I think Summon should periodically poll the provider to see if the secrets have changed. The polling frequency could be a CLI invocation option, or an option somehow indicated in secrets.yml?
Lease times are interesting but there's also a very simple way to detect when a process restart is needed: just poll the secrets provider periodically to see if the secret value has changed or not. If any secrets have changed, restart the process. If not, leave it alone.
I don't think that Vault's lease time actually negates the need for polling (or otherwise checking that a secret has changed). Consider the following scenario: a secret is created with a lease time of 2 days. Then, a few hours later, it's discovered that the secret has possibly been compromised and must be rotated. Therefore, the "2 day" secret is invalidated before the lease time, a new value is available, and the child process must be restarted. Summon must not wait 2 days before checking with Vault, regardless of the lease time.
A lease time of 2 days doesn't mean "you can wait two days before refreshing the secret". It means, "you must not wait longer than 2 days before checking if the secret has changed". However, a rather long service interruption could occur.
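A sketch of the poll-and-restart loop proposed in the two comments above (the maintainer's roadmap note and the lease discussion), added here as an example; it is not Summon's code and was not posted by anyone in this thread. It models the provider as an in-process function (Summon's real providers are separate executables, which this does not reproduce) and uses made-up secret ids such as `db/password` and `api/token`. The point it makes concrete is the one argued above: a poll interval, not the lease time, bounds how long a revoked secret stays in use, and a provider outage must keep the old snapshot rather than restart the child with missing values.

```go
// Added example, not code from Summon or anyone in this thread: the polling
// change-detector the discussion proposes. Provider calls are modelled as an
// in-process function and the secret ids ("db/password", "api/token") are made up.
package main

import (
	"context"
	"fmt"
	"sort"
	"time"
)

// Fetcher returns the current value of every secret, keyed by the id that
// secrets.yml would reference.
type Fetcher func(ctx context.Context) (map[string]string, error)

// Changed lists, sorted, the ids added, removed, or whose value differs between
// two snapshots. Only names are returned, so a caller can log them safely.
func Changed(prev, cur map[string]string) []string {
	var diff []string
	for n, v := range cur {
		if pv, ok := prev[n]; !ok || pv != v {
			diff = append(diff, n)
		}
	}
	for n := range prev {
		if _, ok := cur[n]; !ok {
			diff = append(diff, n)
		}
	}
	sort.Strings(diff)
	return diff
}

// Poller remembers the snapshot the child process was last started with.
type Poller struct {
	fetch Fetcher
	last  map[string]string
}

// NewPoller takes the initial snapshot the child is started from.
func NewPoller(ctx context.Context, fetch Fetcher) (*Poller, error) {
	initial, err := fetch(ctx)
	if err != nil {
		return nil, fmt.Errorf("initial fetch: %w", err)
	}
	return &Poller{fetch: fetch, last: initial}, nil
}

// Step performs one poll and returns the ids that changed, nil if the child can
// be left alone. A fetch error keeps the old snapshot: a provider outage must
// not restart the child with missing values.
func (p *Poller) Step(ctx context.Context) ([]string, error) {
	cur, err := p.fetch(ctx)
	if err != nil {
		return nil, err
	}
	diff := Changed(p.last, cur)
	if len(diff) == 0 {
		return nil, nil
	}
	p.last = cur
	return diff, nil
}

// Run polls every interval until ctx is cancelled; the interval is what a CLI
// flag or a secrets.yml option would set. restart gets the changed ids and the
// new snapshot, which the callee must treat as read-only.
func (p *Poller) Run(ctx context.Context, interval time.Duration,
	restart func([]string, map[string]string), onError func(error)) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
		}
		if diff, err := p.Step(ctx); err != nil {
			onError(err)
		} else if len(diff) > 0 {
			restart(diff, p.last)
		}
	}
}

func main() {
	// Constructed provider: a value issued under a 2-day lease is revoked and
	// rotated on the third poll, long before that lease would have run out.
	polls := 0
	fake := func(context.Context) (map[string]string, error) {
		polls++
		if polls >= 3 {
			return map[string]string{"db/password": "v2", "api/token": "t1"}, nil
		}
		return map[string]string{"db/password": "v1", "api/token": "t1"}, nil
	}
	p, err := NewPoller(context.Background(), fake)
	if err != nil {
		panic(err) // the constructed provider never fails its first fetch
	}
	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
	defer cancel()
	p.Run(ctx, 20*time.Millisecond,
		func(changed []string, _ map[string]string) { fmt.Println("restart child, changed:", changed) },
		func(err error) { fmt.Println("poll failed, keeping current secrets:", err) })
}
```

Two design choices worth noting: `Changed` reports names only, so a restart can be logged without writing secret values anywhere, and `Step` deliberately leaves the previous snapshot in place on a fetch error, since tearing down the child because the provider was briefly unreachable would turn a polling feature into an availability problem.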
PS Conjur supports arbitrary annotations (metadata) on secrets (variables); this facility can certainly be used to indicate lease time as well.
+1 on this. It would be awesome to use Vault as a provider for this.
Vault also supports 'dynamic' backends, such as for AWS IAM roles. In this case, vault returns both the access and secret keys from AWS at the same time. So summon may need a way to get more than one value from a provider.
Do people still want this?
I still would like this feature. I currently don't use either Conjur or Vault, but the combination sounds sweet.
Yeah, makes sense. The tough part is that Conjur and Vault have a few overlapping features so most people seem to use one or the other, not both. Conjur has a vault too; that is a side effect of machine identity, like SSH management or traffic authorization. Conjur is effectively a superset of Vault.
I think this is why the issue has been open for so long, because the integration path is unclear. Very open to suggestions though!
I agree with @slimm609. I don't consider summon to be a part of conjur even though cyberark maintains both projects. I consider it to be an interface to a vault in general - be it conjur, s3, hashicorp vault etc. I too would really like to see a summon-vault provider.
(disclaimer: I'm a beginner with vault)
It seems the basic KV engine (version 1 or 2) has great value in and of itself and is easy to implement as a summon provider.
If you agree, try this custom KV provider.
Perhaps in the near future I can expand on it as need arises.