Authorizations

DevOps Secret Management (DSM) Authorizations let administrators define access policies for applications and secret data. An access policy configures:

  • Which resources can be accessed;
  • The authorization's expiration date;
  • The device IPs allowed to make requests;
  • The request origin URLs allowed to make requests, checked through the HTTP Referer header;
  • The environment in which the authorization will be used;
  • The system in which the authorization will be used;
  • Which secrets can be accessed.

Authorizations in senhasegura DSM are configured per application: one application can have multiple authorizations, each granting access to a different group of secrets. This makes it easy to segregate environments, so that a development or homologation environment, for example, uses different secrets from those used in production.

It is also possible to enable sensitive information encryption, so that data such as credential passwords and secret access keys stay encrypted even after they leave the vault; a developer who can read the API response, for example, does not see the plaintext values.

Register an Authorization

To register an authorization, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.

  1. On a selected application, click on the Authorizations button;
  2. In the presented screen, use the plus icon to create an authorization;
  3. In the Settings tab, fill the following fields:
    • Expiration date/time: Date and time at which the authorization is automatically revoked;
    • Enable*: Whether the authorization is enabled for use;
    • Enable encryption of sensitive information*: Whether sensitive data (credential passwords, secret access keys) is returned encrypted rather than in plaintext (see Sensitive Information Encryption below);
    • Enable creation of DSM applications*: Whether this authorization may create applications through the API; leave it disabled unless the caller genuinely needs to create applications;
    • Environment*: Environment to which this authorization belongs;
    • System*: System to which this authorization belongs;
    • Allowed IPs: A list of IPs allowed to use this authorization;
    • Allowed HTTP referrers: A list of application URLs allowed to use this authorization, matched against the Referer header;
    • Certificate fingerprint: A certificate fingerprint used to verify the origin of the request;
  4. In the Secrets tab, select which secrets can be accessed through this authorization;
  5. To finish, click on Save.

Required Fields

Fields marked with asterisks (*) are required, and it is impossible to proceed if they are not provided.

Request Origin IP

If no allowed IP address is provided, senhasegura DSM rejects every request made with the authorization, so list at least one IP before attempting to use it.

HTTP Referrers

If no referrer is provided, senhasegura DSM accepts requests regardless of the URL in the Referer header. The Referer header is supplied by the client and is trivially forged, so treat this restriction as a hardening measure for browser-based callers rather than as a substitute for the IP allow-list or the certificate fingerprint.
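As an added illustration, not senhasegura's own code, the following Python models how the settings above gate a request: the enabled flag, expiry, the fail-closed IP allow-list, the referrer list that is permissive when empty, the certificate fingerprint, and the secret scope from the Secrets tab. Field names mirror the Settings tab; the order of the checks, the scheme-and-host comparison used for referrers, and the fingerprint normalization are assumptions made for the example.

```python
"""Model of a DSM authorization's access policy.

Added example, not senhasegura's implementation: the field names mirror the
Settings tab, but the evaluation order, the scheme-and-host referrer comparison
and the fingerprint normalization are assumptions made for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit


@dataclass
class Authorization:
    enabled: bool = True                                         # Enable
    expires_at: datetime | None = None                           # Expiration date/time (UTC)
    allowed_ips: list[str] = field(default_factory=list)         # Allowed IPs (address or CIDR)
    allowed_referrers: list[str] = field(default_factory=list)   # Allowed HTTP referrers
    certificate_fingerprint: str | None = None                   # Certificate fingerprint
    secrets: set[str] = field(default_factory=set)               # Secrets tab (identities)


@dataclass
class Request:
    source_ip: str
    secret_identity: str
    referer: str | None = None
    client_cert_fingerprint: str | None = None
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def _origin(url: str) -> tuple[str, str]:
    """Reduce a URL to (scheme, host) so that any path under an allowed site matches."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def _norm_fp(fp: str) -> str:
    """Accept both 'AB:CD:..' and 'abcd..' spellings of a fingerprint."""
    return fp.replace(":", "").lower()


def evaluate(auth: Authorization, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). All checks fail closed except the referrer list,
    which the page documents as permissive when left empty."""
    if not auth.enabled:
        return False, "authorization disabled"
    if auth.expires_at is not None and req.now >= auth.expires_at:
        return False, "authorization expired"

    # Request Origin IP: with no allowed IP configured, every request is rejected.
    if not auth.allowed_ips:
        return False, "no allowed IPs configured"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(entry, strict=False) for entry in auth.allowed_ips):
        return False, f"source IP {req.source_ip} not allowed"

    # HTTP Referrers: an empty list accepts any Referer value (including none).
    if auth.allowed_referrers:
        allowed = {_origin(u) for u in auth.allowed_referrers}
        if req.referer is None or _origin(req.referer) not in allowed:
            return False, "referer not allowed"

    # Certificate fingerprint: only enforced when configured on the authorization.
    if auth.certificate_fingerprint is not None:
        presented = req.client_cert_fingerprint or ""
        if _norm_fp(presented) != _norm_fp(auth.certificate_fingerprint):
            return False, "certificate fingerprint mismatch"

    # Secrets tab: the authorization only reaches the secrets explicitly granted to it.
    if req.secret_identity not in auth.secrets:
        return False, f"secret {req.secret_identity!r} not granted by this authorization"
    return True, "ok"
```

The two documented defaults are the ones worth noticing when reading the code: an empty Allowed IPs list makes `evaluate` refuse everything, while an empty referrer list skips the Referer check entirely, which is why the referrer restriction should never be the only control on an authorization.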

Systems and Environments

To register systems and environments for use in authorizations, follow the menus Settings ➔ System Parameters ➔ Systems and Settings ➔ System Parameters ➔ Environments, respectively.

Access Time

It is possible to increase or decrease the access time of a credential during its approval step.


View Authorization

To view application authorizations, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.

  1. In the actions of an application, click on Authorizations.

On this screen, you can see each authorization of the application together with the application name, environment, system, creation date, and the authorization's status.

Authorizations Report

Optionally, you can go to DevOps Secret Manager ➔ Applications ➔ Authorizations by application to see a full list of all authorizations for all applications.

View Authorization Tokens

To retrieve the tokens that a resource will use to authenticate to DSM, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.

  1. Click on Authorizations to list all authorizations of an application;
  2. In the authorization list, click on View authorization for the selected authorization;
  3. Use the eye icon to reveal the values; which values are shown depends on the authentication method selected for the application. Handle them as you would any other credential: they are the authorization itself.

Example of OAuth 2.0 Client

Optionally, you can go to DevOps Secret Manager ➔ Applications ➔ Authorizations by application to see a full list of all authorizations for all applications. You can click on View authorizations of a selected authorization to retrieve this information.

Download decryption key

To download a decryption key, follow these steps:

  1. Access the menu DevOps Secret Manager ➔ Applications ➔ Authorizations by application;
  2. With an authorization created, click on More options for that authorization;
  3. Select the Download Private Key option.

Permission

To be able to download any decryption key, the administrator must have the DSM.Applications.DownloadKey permission. Because this key decrypts every sensitive value returned under the authorization, grant the permission sparingly.

View API clients of the authorization

To view the API clients of an authorization, follow the menu DevOps Secret Manager ➔ Applications ➔ Authorizations by application.

Select the authorization whose clients you want to see and click View Authorization.

To view the details of a client, click on the View information icon.



Sensitive Information Encryption

Enabling sensitive information encryption lets senhasegura DSM protect privileged data, such as passwords and secret access keys, even after the application retrieves it from the vault: the sensitive fields are returned encrypted. Once enabled, DSM generates a key pair for the authorization. The public key can be downloaded as described below; recovering the plaintext requires the matching private (decryption) key, which only administrators holding the DSM.Applications.DownloadKey permission can download (see Download decryption key above). Treat that private key as at least as sensitive as the secrets it unlocks: distribute it only to the workload that needs it and never commit it to source control.

To download the key, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.

  1. Click on Authorizations to list all authorizations of an application;
  2. In the authorization list, click on More options of a selected authorization, then Download public key.

Download Public Key

Optionally, you can go to DevOps Secret Manager ➔ Applications ➔ Authorizations by application to see a full list of all authorizations for all applications. From there, you can click on More options of a selected authorization, then Download public key.

Authentication process APIs

List authorization secrets used in the authentication process

Returns the secrets granted to the authorization used in the request.

GET /iso/sctm/secret

  • Parameters: none
  • Reply:
    • "response": default response object
    • "Secrets": array of secrets

Display only the requested record

GET /iso/sctm/secret/{identity}

  • Parameters: only the identity in the request URL
  • Reply:
    • "response": default response object
    • "secret": secret mapping object

API Run Provision

  • Input: {secret_id}
  • Output: {success/error_detail}

Called with the authorization, this endpoint runs the application's template to provision new credentials, passing the given secret as a parameter.

Auto-renew in the Secrets POST API

POST /iso/sctm/secret

  • renew_cloud_time: int. Time in minutes after which access keys are renewed. If empty, auto-renew keeps its current value on update and is saved as disabled on creation. Minimum 10;
  • renew_ephemeral_credential_time: int. Time in minutes after which ephemeral credentials are renewed. Same behaviour when empty. Minimum 10;
  • renew_credential_time: int. Time in minutes after which credentials are renewed. Same behaviour when empty. Minimum 10.
