Authorizations
DevOps Secret Management Authorizations allow administrators to define the access policies to applications and secret data. Those access policies provide configurations such as:
- Which resources can be accessed;
- Authorization expiration date;
- List of device IPs allowed to perform requests;
- List of allowed request origin URLs through HTTP Referrers to perform requests;
- The environment where the authorization will be used;
- The system where the authorization will be used;
- Secrets that can be accessed.
Authorizations in senhasegura DSM are configured per application, and an application can have multiple authorizations allowing access to different groups of secrets. This makes it easy to segregate environments: for example, a development or homologation environment might use different secrets than those used in production.
It is also possible to enable encryption of sensitive information, so that data such as credential passwords and secret access keys remain obfuscated once outside the vault, even if a developer can access the secret information.
Register an Authorization
To register an authorization, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.
- On a selected application, click on the Authorizations button;
- On the screen that opens, use the plus icon to create an authorization;
- In the Settings tab, fill in the following fields:
  - Expiration date/time: Date/time on which the authorization will be automatically revoked;
  - Enable*: Whether the authorization is enabled for use or not;
  - Enable encryption of sensitive information*: Whether confidential data should be sent as encrypted;
  - Enable creation of DSM applications*: Prevents the creation of applications through API;
  - Environment*: Environment to which this authorization belongs;
  - System*: The system to which this authorization belongs;
  - Allowed IPs: A list of IPs allowed to use this authorization;
  - Allowed HTTP referrers: A list of application URLs allowed to use this authorization;
  - Certificate fingerprint: A certificate fingerprint that will be used to verify the request origin;
- In the Secrets tab, select which secrets can be accessed through this authorization;
- To finish, click on Save.

Fields marked with asterisks (*) are required, and it is impossible to proceed if they are not provided.
Allowed IPs: by default, senhasegura DSM will reject every request attempt if no IP address is provided.
Allowed HTTP referrers: if no referrer is provided, senhasegura DSM will allow requests from any URL set in a request header.
To register systems and environments for use in authorizations, follow the menus Settings ➔ System Parameters ➔ Systems and Settings ➔ System Parameters ➔ Environments, respectively.
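The defaults above are asymmetric: an empty Allowed IPs list denies everything, while an empty Allowed HTTP referrers list restricts nothing. The following Python model is an added example, not senhasegura code; the `Authorization` class, the `evaluate` function and the origin-based referrer comparison are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Authorization:
    """Hypothetical model of the Settings-tab fields; not DSM's own code."""
    enabled: bool
    expires_at: Optional[datetime] = None      # None: no expiration set
    allowed_ips: List[str] = field(default_factory=list)
    allowed_referrers: List[str] = field(default_factory=list)


def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    """Reduce a URL to (scheme, host, port); assumed matching rule."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def evaluate(auth: Authorization, client_ip: str, referrer: Optional[str],
             now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against one authorization."""
    if not auth.enabled:
        return False, "authorization disabled"
    if auth.expires_at is not None and now >= auth.expires_at:
        return False, "authorization expired"
    # An empty IP list rejects every request, as stated on this page.
    if ip_address(client_ip) not in {ip_address(i) for i in auth.allowed_ips}:
        return False, "client IP not allowed"
    # An empty referrer list accepts any Referer value: no restriction at all.
    if auth.allowed_referrers:
        permitted = {_origin(u) for u in auth.allowed_referrers}
        if referrer is None or _origin(referrer) not in permitted:
            return False, "referrer not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, example hosts).
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    prod = Authorization(True, datetime(2024, 6, 1, tzinfo=timezone.utc),
                         ["192.0.2.10"], ["https://ci.example.com/"])
    for ip, ref in [("192.0.2.10", "https://ci.example.com/job/7"),
                    ("192.0.2.10", "https://ci.example.com.other.test/"),
                    ("198.51.100.4", "https://ci.example.com/job/7")]:
        print(ip, ref, evaluate(prod, ip, ref, now))
```

Because the Referer header is supplied by the client, the referrer list is best treated as a secondary control alongside the IP list and certificate fingerprint.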
View Authorization
To view application authorizations, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.
- In the actions of an application, click on Authorizations.
On this screen, you can view the application authorization along with information such as the application name, environment, system, creation date, and status of that authorization.

View Authorization Tokens
To retrieve the tokens from DSM to use in the resource, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.
- Click on Authorizations to list all authorizations of an application;
- In the authorization list, click on View authorization for the selected authorization;
- Use the eye icon to reveal the values, which depend on the authentication method selected for the application.

Optionally, you can go to DevOps Secret Manager ➔ Applications ➔ Authorizations by application to see a full list of all authorizations for all applications. You can click on View authorizations of a selected authorization to retrieve this information.
Download decryption key
To download a decryption key, follow these steps:
1. Access the menu DevOps Secret Manager ➔ Applications ➔ Authorizations by application.
2. With an authorization created, choose the button ⋮.
3. Select the Download Private Key option.
View API clients of the authorization
To view the API clients of an authorization, follow the menu: DevOps Secret Manager ➔ Applications ➔ Authorizations by application.
Select the authorization whose clients you want to view, and then click View Authorization.
To view the information, click on the View information icon.
Sensitive Information Encryption
Enabling sensitive information encryption allows senhasegura DSM to protect privileged data, such as passwords and secret access keys, even once the application retrieves it from the secure vault. Once enabled, DSM will generate a public key that can be used to verify and open the data.
To download the key, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.
- Click on Authorizations to list all authorizations of an application;
- In the authorization list, click on More options of a selected authorization, then Download public key.

Optionally, you can go to DevOps Secret Manager ➔ Applications ➔ Authorizations by application to see a full list of all authorizations for all applications. From there, you can click on More options of a selected authorization, then Download public key.
Authentication process APIs
List authorization secrets used in the authentication process
Displays secrets that pertain to the authorization used in the request.
GET /iso/sctm/secrets
- Parameters: none
- Reply:
  - "response": default response object
  - "Secrets": array of secrets
Display only the requested record
GET /iso/sctm/secret/{identity}
- Parameters: only the identity in the request URL
- Reply:
  - "response": default response object
  - "secret": secret mapping object
API Run Provision
- input: {secret_id}
- output: {success/error_detail}
The authorization used to make the call runs the application template, provisioning new credentials, with the provided secret passed as a parameter.
Auto-renew in the Secrets POST API
POST /iso/sctm/secret
- renew_cloud_time: int (Time in minutes to renew "access keys." If empty, "auto-renew" will not have its value changed and will be saved as disabled when created). Minimum 10;
- renew_ephemeral_credential_time: int (Time in minutes to renew "ephemeral credentials." If empty, "auto-renew" will not have its value changed and will be saved as disabled when created). Minimum 10;
- renew_credential_time: int (Time in minutes to renew "credentials." If empty, "auto-renew" will not have its value changed and will be saved as disabled when created). Minimum 10.
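A client-side sketch for the endpoints listed above, as an added example that is not senhasegura code: it builds the requests without sending them, percent-encodes the identity so it cannot alter the URL path, and enforces the 10-minute minimum before a POST leaves the client. The host name, the bearer-token header, the JSON body encoding and all function names are assumptions; the page names none of them.

```python
import json
from typing import Dict, Optional
from urllib.parse import quote
from urllib.request import Request

BASE_URL = "https://dsm.example.internal"      # placeholder host (assumption)
RENEW_FIELDS = ("renew_cloud_time", "renew_ephemeral_credential_time",
                "renew_credential_time")
MIN_RENEW_MINUTES = 10                         # minimum stated on this page


def _headers(token: str) -> Dict[str, str]:
    # Assumption: the application uses a bearer-token authentication method.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def list_secrets_request(token: str) -> Request:
    """GET /iso/sctm/secrets: secrets tied to the calling authorization."""
    return Request(f"{BASE_URL}/iso/sctm/secrets", headers=_headers(token))


def get_secret_request(token: str, identity: str) -> Request:
    """GET /iso/sctm/secret/{identity}; the identity is fully percent-encoded."""
    path = f"/iso/sctm/secret/{quote(identity, safe='')}"
    return Request(BASE_URL + path, headers=_headers(token))


def renew_params(**minutes: Optional[int]) -> Dict[str, int]:
    """Validate auto-renew fields; empty ones are omitted from the request."""
    params: Dict[str, int] = {}
    for name, value in minutes.items():
        if name not in RENEW_FIELDS:
            raise ValueError(f"unknown auto-renew field: {name}")
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} must be an int (minutes)")
        if value < MIN_RENEW_MINUTES:
            raise ValueError(f"{name} must be at least {MIN_RENEW_MINUTES}")
        params[name] = value
    return params


def post_secret_request(token: str, other_fields: Dict[str, object],
                        **minutes: Optional[int]) -> Request:
    """POST /iso/sctm/secret; other_fields are passed through unchanged."""
    body = {**other_fields, **renew_params(**minutes)}
    headers = {**_headers(token), "Content-Type": "application/json"}
    return Request(f"{BASE_URL}/iso/sctm/secret", method="POST",
                   data=json.dumps(body).encode("utf-8"), headers=headers)
```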