• Stars
    star
    234
  • Rank 171,630 (Top 4 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Secure your apps by making them Secretless

Table of Contents

Secretless Broker™

Secretless Broker is a connection broker which relieves client applications of the need to directly handle secrets to target services such as databases, web services, SSH connections, or any other TCP-based service.

Secretless Broker Architecture

Secretless is designed to solve two problems. The first is loss or theft of credentials from applications and services, which can occur by:

  • Accidental credential leakage (e.g. credential checked into source control, etc)
  • An attack on a privileged user (e.g. phishing, developer machine compromises, etc)
  • A vulnerability in an application (e.g. remote code execution, environment variable dump, etc)

The second is downtime caused when applications or services do not respond to credential rotation and crash or get locked out of target services as a result.

When the client connects to a target service through the Secretless Broker:

  • The client is not part of the threat surface

    The client/app no longer has direct access to the password, and therefore cannot reveal it.

  • The client doesn’t have to know how to properly manage secrets

    Handling secrets safely involves some complexities, and when every application needs to know how to handle secrets, accidents happen. The Secretless Broker centralizes the client-side management of secrets into one code base, making it easier for developers to focus on delivering features.

  • The client doesn’t have to manage secret rotation

    Secretless is responsible for establishing connections to the backend, and can handle secret rotation in a way that’s transparent to the client.

To provide Secretless access to a target service, a Service Connector implements the protocol of the service, replacing the authentication handshake. The client does not need to know or use a real password to the service. Instead, it proxies its connection to the service through a local connection to Secretless. Secretless obtains credentials to the target service from a secrets vault (such as Conjur, a keychain service, text files, or other sources) via a Credential Provider. The credentials are used to establish a connection to the actual service, and Secretless then rapidly shuttles data back and forth between the client and the service.

Secretless Broker is currently licensed under ASL 2.0

Currently supported services

Secretless supports several target services out of the box, and these include:

  • MySQL (Socket and TCP)
  • PostgreSQL (Socket and TCP)
  • SSH / SSH-Agent (Beta)
  • HTTP with Basic auth, Conjur, and AWS authorization strategies (Beta)

Support for these services is provided via internal plugins (also referred to as "Service Connectors") that are part of the Secretless binary distribution.

If you want to use Secretless with a target service that is not currently supported, you can use the Secretless Plugin Interface to create Connector Plugins to extend Secretless to support virtually any target service. These external plugins can be integrated in environments using a standard Secretless Broker implementation.

For more information on building a Secretless Connector Plugin please see our documentation, which will walk you through creating a new Connector Plugin using our templates.

Are we missing an internal service connector that you think is important? Are you curious if anyone else has thought of building the service connector you're interested in? Please open a GitHub issue with more information on the connector you'd like, and start the conversation.

For specific guidelines about using a particular service, please see our documentation.

Quick Start

Running the quick start demo requires Docker.

To see the Secretless Broker in action, pull the quick start image:

docker pull cyberark/secretless-broker-quickstart

The quick start image runs the Secretless Broker binary and a few sample target services. The Secretless Broker is configured to retrieve the credentials required to access the services from the process environment. All services are configured to require authentication to access, but we don't know what those credentials are. We can try to access the services, but since we don't know the password our access attempts will fail. But when we try to connect via the Secretless Broker, we will be granted access.

Let's try this with the PostgreSQL server running in the quick start image. We know that the server has been configured with a quickstart database, so let's try to access it.

You can run the Secretless Broker quick start as a Docker container:

$ docker run \
  --rm \
  -p 5432:5432 \
  -p 5454:5454 \
  secretless-broker-quickstart:latest

In a new window, if we try to connect to PostgreSQL directly via port 5432 (guessing at the postgres username), our attempt will fail:

$ psql "host=localhost port=5432 user=postgres dbname=quickstart sslmode=disable"
Password for user postgres:
psql: FATAL:  password authentication failed for user "postgres"

But the Secretless Broker is listening on port 5454, and will add authentication credentials (both username and password) to our connection request and proxy our connection to the PostgreSQL server:

$ psql "host=localhost port=5454 user=postgres dbname=quickstart sslmode=disable"
psql (10.3, server 9.6.9)
Type "help" for help.

quickstart=> \d
                List of relations
 Schema |      Name       |   Type   |   Owner    
--------+-----------------+----------+------------
 public | counties        | table    | secretless
 public | counties_id_seq | sequence | secretless
(2 rows)

quickstart=> select * from counties limit 1;
 id |   name    
----+-----------
  1 | Middlesex
(1 row)

quickstart=>

Success! Smile and grab a 🍪 because it was too easy!

You have just delegated responsibility for managing credentials to a secure process isolated from your app!

Run more Secretless Broker demos

If the PostgreSQL quick start demo piqued your interest, please check out our additional demos where you can try the Secretless Broker with SSH and HTTP Basic Auth.

For an even more in-depth demo, check out our Deploying to Kubernetes demo, which walks you through deploying a sample app to Kubernetes with the Secretless Broker.

Using Secretless

For complete documentation on using Secretless, please see our documentation. The documentation includes comprehensive guides for how to get up and running with Secretless.

Using secretless-broker with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

About our releases

Docker images

The primary source of Secretless Broker releases is our DockerHub.

Every new GitHub tag (x.y.z) added to the project produces a set of Docker images in DockerHub: (x.y.z, x.y, x, latest). The latest image tag therefore always corresponds to the latest GitHub tag, and the x.y and x tags alway correspond to the latest matching x.y.z image.

GitHub releases

Post-1.0, GitHub releases are created for GitHub tagged versions that have undergone additional quality activities to ensure that Secretless continues to meet its stability requirements. When a GitHub release is created (indicating a new stable Secretless version), an additional Docker image is pushed to DockerHub with the stable tag.

At any given time there is only one Docker image with the stable tag - that of the latest stable release. Older stable versions (v1.0+) can be found on the official GitHub releases page.

Note: the GitHub releases page will also show pre-releases, which have not yet been promoted to stable.

GitHub repository

The code on main in the project's GitHub repository represents the development work done since the previous GitHub tag. It is possible to build Secretless from source (see our contributing guidelines for more info), but for regular use we recommend using the stable Docker image from DockerHub or an official GitHub release.

Stable release definition

Stable components (eg service connectors, credential providers, etc.) of Secretless meet the core acceptance criteria:

  • The component should perform its functionality transparently to the underlying application
  • The component must guard against threats from all parts of the STRIDE threat model
  • Documentation exists that clearly explains how to set up and use the component as well as providing troubleshooting information for anticipated common failure cases
  • A suite of automated tests that exercise the component exists and provides excellent code coverage

In addition, the following must be true for any stable release:

  • Secretless has had security review (including static code analysis), and all known high and critical issues have been addressed. Any low or medium issues that have not been addressed have been logged in the GitHub issue backlog with a label of the form security/X
  • Secretless has undergone STRIDE threat modeling
  • For use cases involving stable components of Secretless (eg service connectors, credential providers, etc.):
    • Secretless is stable while running
      • It does not drop connections while running
      • It can run without failure (eg it can consistently open connections, it maintains existing open connections, etc) for an extended period of time (~4 days)
      • When the Secretless process dies in Kubernetes / OpenShift, the pod is destroyed and rescheduled
    • Secretless has minimal impact on connection speeds
      • Request throughput is within 20% of direct-to-DB speed
    • Secretless performs under load in a realistic environment (eg deployed to the same pod as an application in Kubernetes or OpenShift)
    • Secretless handles connections transparently, so that requests from the client are appropriately transmitted to the server and messages from the server are propagated back to the client
  • Secretless is easy to set up, and adding the configured Secretless Broker sidecar to your application takes less than 30 minutes
  • Secretless is clear about known limitations

Community

Our primary channel for support is through our Secretless Broker Discourse. More info here: community support

Performance

Using the Secretless Broker reduces the transaction throughput by about 25% on Postgresql. Once the connection to the backend database is established, the Secretless Broker runs 2 goroutines - one reads from the client and writes to the server, the other reads from the server and writes to the client. It's as simple as this:

    go stream(self.Client, self.Backend)
    go stream(self.Backend, self.Client)

Here is some performance data created by running pgbench with the client, the Secretless Broker and database running on a single machine (2017 MacBook Pro with 2.3 GHz Intel Core i5) where the database is running in Docker.

Directly to the database:

$ PGPASSWORD=mysecretpassword PGSSLMODE=disable pgbench -h localhost -U postgres -p 5432 -T 10 -c 12 -j 12 postgres
starting vacuum...end.
transaction type: <builtin: TPC-B (sort of)>
scaling factor: 1
query mode: simple
number of clients: 12
number of threads: 12
duration: 10 s
number of transactions actually processed: 2733
latency average = 44.167 ms
tps = 271.696057 (including connections establishing)
tps = 272.924176 (excluding connections establishing)

Through the secretless-broker proxy:

$ PGSSLMODE=disable pgbench -h localhost -U postgres -p 4321 -T 10 -c 12 -j 12 postgres
starting vacuum...end.
transaction type: <builtin: TPC-B (sort of)>
scaling factor: 1
query mode: simple
number of clients: 12
number of threads: 12
duration: 10 s
number of transactions actually processed: 2459
latency average = 49.034 ms
tps = 244.727719 (including connections establishing)
tps = 248.327635 (excluding connections establishing)

From the results above, you can see 9% fewer tps (even including establishing connections) via the Secretless Broker.

To run this test yourself, you can start PostgreSQL by running

docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d -p 5432:5432 postgres:9.3

Write a secretless.yml file that includes:

version: "2"
services:
  pg-db:
    connector: pg
    listenOn: tcp://0.0.0.0:4321
    credentials:
      host: localhost
      username: postgres
      password: mysecretpassword
      sslmode: disable

and run Secretless:

$ ./bin/build_darwin # to build the OSX binary
$ ./dist/darwin/amd64/secretless-broker -f secretless.yml

Initialize pgbench by running

PGPASSWORD=mysecretpassword pgbench -i -h localhost -U postgres -p 5432

and run the tests as above.

Development

We welcome contributions of all kinds to Secretless Broker. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide. This document includes guidelines for writing plugins to extend the functionality of Secretless Broker.

License

The Secretless Broker is licensed under Apache License 2.0 - see LICENSE for more details.

More Repositories

1

KubiScan

A tool to scan Kubernetes cluster for risky permissions
Python
1,310
star
2

SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
PowerShell
862
star
3

ACLight

A script for advanced discovery of Privileged Accounts - includes Shadow Admins
PowerShell
783
star
4

conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
Ruby
760
star
5

kubeletctl

A client for kubelet
Go
730
star
6

summon

CLI that provides on-demand secrets access for common DevOps tools
Go
687
star
7

bash-lib

Library for bash utility methods and tools
Shell
656
star
8

PipeViewer

A tool that shows detailed information about named pipes in Windows
C#
551
star
9

DLLSpy

DLL Hijacking Detection Tool
C++
481
star
10

zBang

zBang is a risk assessment tool that detects potential privileged account threats
C#
332
star
11

shimit

A tool that implements the Golden SAML attack
Python
331
star
12

RPCMon

RPC Monitor tool based on Event Tracing for Windows
C#
317
star
13

Evasor

A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
C#
309
star
14

BlobHunter

Find exposed data in Azure with this public blob scanner
Python
306
star
15

RiskySPN

Detect and abuse risky SPNs
PowerShell
258
star
16

White-Phoenix

A tool to recover content from files encrypted with intermittent encryption
Python
218
star
17

kubernetes-rbac-audit

Tool for auditing RBACs in Kubernetes
Python
215
star
18

MITM_Intercept

A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others.
Python
201
star
19

epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management task like account creation, user management, and more.
PowerShell
197
star
20

ketshash

A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
PowerShell
168
star
21

rdpfuzz

Tools for fuzzing RDP
C
122
star
22

SkyWrapper

SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
Python
104
star
23

EasyPeasy

Find accounts using common and default passwords in Active Directory.
PowerShell
65
star
24

pas-on-cloud

CyberArk Privileged Access Security on Cloud
Python
60
star
25

ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
Python
60
star
26

CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
PowerShell
53
star
27

summon-aws-secrets

Summon provider for AWS Secrets Manager
Go
52
star
28

cyberark-aws-auto-onboarding

Solutions for automatically detecting, managing and securing privileged accounts in AWS EC2
Python
40
star
29

pas-orchestrator

CyberArk Privileged Access Security automatic deployment using Ansible
Python
38
star
30

summon-conjur

CyberArk Conjur provider for Summon
Go
38
star
31

ansible-modules

Ansible Modules for CyberArk Privileged Account Security Web Service SDK
Python
37
star
32

conjur-quickstart

Start securing your secrets and infrastructure by installing Conjur, using Docker and the official Conjur containers on DockerHub.
Shell
33
star
33

malware-research

C++
33
star
34

Fuzzer-V

C
30
star
35

sidecar-injector

Sidecar Injector for the Conjur Kubernetes Authenticator and Secretless
Go
29
star
36

ChattyCaty

JavaScript
28
star
37

conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Shell
27
star
38

secrets-provider-for-k8s

Cyberark secrets provider for k8s
Go
26
star
39

PwnKit-Hunter

PwnKit-Hunter is here to help you check if your systems are vulnerable to CVE-2021-4043, a.k.a. PwnKit
Python
25
star
40

PreCog

Discover "HotSpots" - potential spots for credentials theft
PowerShell
23
star
41

terraform-provider-conjur

Terraform provider for Conjur
Shell
21
star
42

pvwa

Ansible role to deploy Cyberark Password Vault Web Access
Jinja
20
star
43

conjur-api-go

Go client for the CyberArk Conjur API
Go
20
star
44

slosilo

A Ruby interface to standard cryptographic primitives
Ruby
17
star
45

password-lookup-plugin

cyberarkpassword Lookup Plugin
17
star
46

cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
Python
17
star
47

psm

Ansible role to deploy Cyberark Privileged Session Manager
PowerShell
16
star
48

conjur-template

Template repo for Conjur repositories
16
star
49

conjur-api-java

Java client for the CyberArk Conjur API
Java
15
star
50

summon-keyring

Cross-platform provider for Summon that talks to keyrings.
Python
15
star
51

cpm

Ansible role to deploy Cyberark Central Policy Manager
PowerShell
15
star
52

conjur-api-dotnet

.NET client for the CyberArk Conjur API
C#
15
star
53

cyberark-conjur-cli-docker-based

CyberArk Conjur command line interface (Ruby)
Ruby
15
star
54

parse-a-changelog

A validator for changelogs using the Keep a Changelog standard (http://keepachangelog.com)
Ruby
15
star
55

ansible-aim-provider

Ansible Galaxy Role to install and uninstall Cyberark AIM provider
14
star
56

kubernetes-conjur-deploy

Scripts for deploying DAP followers to Kubernetes and OpenShift given an existing DAP master cluster
Shell
14
star
57

Symda

Python
13
star
58

summon-s3

AWS S3 provider for Summon
Shell
13
star
59

KDSnap

C++
12
star
60

ansible-role-conjur

Grants Conjur machine identity to hosts
Python
12
star
61

conjur-credentials-plugin

Conjur plugin for securely providing credentials to Jenkins jobs
Java
12
star
62

conjur-openapi-spec

OpenAPI v3 specification for Conjur / DAP v10+
Mustache
11
star
63

conjur-authn-k8s-client

Authentication sidecar for Conjur Kubernetes integration.
Shell
11
star
64

dev-flow

Opinionated CLI that standardizes and automates common development tasks
Go
11
star
65

ark-sdk-python

CyberArk's Official SDK and CLI - https://cyberark.github.io/ark-sdk-python/
Python
10
star
66

ansible-conjur-host-identity

This project encapsulates the functionality of our `cyberark.conjur-host-identity role for Ansible
Shell
8
star
67

conjur-api-python

Python client for the CyberArk Conjur API
Python
8
star
68

conjur-oss-suite-release

Under development - Latest stable releases of the Conjur OSS suite
Go
7
star
69

community

Information for the CyberArk contributor community
7
star
70

cyberark-aim-chef

Chef custom resource for CyberArk AIM
Ruby
7
star
71

homebrew-tools

Homebrew formulas for different CyberArk tooling.
Shell
7
star
72

cacookiecleaner

C#
7
star
73

conjur-policy-generator

Tools to create sample Conjur policies for testing, etc.
Ruby
7
star
74

atyourservice

The atyourservice project is intended to provide highly-customizable utilities for troubleshooting issues.
Python
7
star
75

identity-aws-verified-permissions-demo

Python
7
star
76

summon-chefapi

Summon provider for Chef encrypted data bags
Go
6
star
77

conjur-puppet

Official Puppet module for CyberArk Conjur
Ruby
6
star
78

sample-siem-dashboards

6
star
79

escape-the-cloud

Web Application for CyberArk Cloud Escape Room CTF challenge
JavaScript
5
star
80

helm-charts

CyberArk Helm charts repository.
Shell
5
star
81

psmp-deploy-ansible-role

Ansible role to deploy Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
5
star
82

ansible-conjur-collection

Ansible Collection for Conjur
Python
5
star
83

conjur-spring-boot-sdk

Java
5
star
84

SafeNet

5
star
85

conjur-azure-devops-extension

Azure DevOps Extension for retrieving secrets from CyberArk Conjur
JavaScript
5
star
86

conjur-api-ruby

Ruby client for the CyberArk Conjur API
Ruby
4
star
87

conjur-base-image

Base Docker images for CyberArk Conjur
Shell
4
star
88

conjur-cli-go

CyberArk Conjur command line interface (Go)
Go
4
star
89

conjur-aws

[DEPRECATED] - AWS CloudFormation templates for Conjur
Shell
4
star
90

conjur-google-cloud-marketplace

[DEPRECATED] Conjur application for Google Cloud Marketplace
Shell
4
star
91

conjur-service-broker

Implementation of the Open Service Broker API for Conjur
Ruby
4
star
92

identity-demo-android

This is to demonstrate CyberArk Identity capabilities of Android SDK in a sample app.
Kotlin
3
star
93

pas-reporter-dataprocessing

C#
3
star
94

conjur-inspect

Go
3
star
95

dap-web-utility

DAP web utility to simplify DAP/Conjur deployment & operations
JavaScript
3
star
96

urbancode-conjur-aim

A plugin which allows UrbanCode Deploy to get credentials from EPV via AIM, and to get secrets from Conjur for setting up a CI/CD workflow
Groovy
3
star
97

psmp-activate-ansible-role

Ansible role to activate Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
3
star
98

conjur-tutorials

A repository for tutorials related to Conjur
Shell
2
star
99

conjur-authn-iam-client-python

Python client for using Conjur with authn-iam
Python
2
star
100

aim-puppet

Ruby
2
star