Dynamic provisioning

To provide a high security level in elastic environments, senhasegura DSM supports automatic provisioning and deprovisioning of secrets on cloud providers, environments and systems such as databases, Windows and Linux servers, etc. This allows administrators to adopt a more secure secret management approach, in which every application has its secrets provisioned through Just-in-Time policies.

This configuration is especially useful in environments such as Kubernetes and OpenShift, where a secret would normally be shared among a number of Pods. With the senhasegura DSM Dynamic Provisioning approach, it is easy to give every Pod its own access credentials to databases and cloud services, preventing leakage of privileged information: once a Pod is deleted, DSM can automatically deprovision the secrets related to it.

Configure Dynamic Provisioning of Access Keys

Access Keys are credentials used by applications and scripts to access services from cloud providers. The DevOps Secret Management module allows dynamic provisioning of access keys at major providers such as AWS, Azure and Google Cloud Platform through provisioning profiles. For more information on how to integrate with one of these cloud providers, please check the Cloud IAM guide.

To create a dynamic provisioning profile for cloud credentials, follow the menu Cloud IAM ➔ Cloud IAM ➔ Dynamic provisioning ➔ Profile.

  1. In the report's action button, click on Add profile;
  2. Select a configured account so senhasegura can use that to create and delete Cloud Credentials on a provider;
  3. Provide the following information:
    • Identifier: A profile identification name. Credential usernames will be composed using this identifier plus a time-based string;
    • Account: A provider account which will be used to create and delete credentials and access keys;
    • Enabled: Whether this profile is enabled for use or not;
  4. In the Settings tab, provide the following information:
    • Provider: A provider which senhasegura will connect to and create credentials;
    • Description: A detailed description of this profile;
  5. To finish, click on Confirm.

Info

To dynamically create and delete credentials on cloud providers, senhasegura needs an already pre-configured account with the correct permissions.

Configure Dynamic Provisioning of Credentials

Besides cloud credentials, senhasegura DSM also offers the same automated feature to create Just-in-Time access to systems and environments such as databases, Linux and Windows devices, providing secure access for applications through ephemeral credentials. For more information on how to manage credentials for those environments, please check the PAM guide.

To create a dynamic provisioning profile for systems and environments, follow the menu PAM Core ➔ Dynamic provisioning ➔ Profile.

  1. In the report's action button, click on Add profile;
  2. Provide the following information:
    • Identifier: A profile identification name. Credential usernames will be composed using this identifier plus a time-based string;
    • Enabled: Whether this profile is enabled for use or not;
    • Type: Type of profile, identifying the target devices;
    • Credential for execution: A credential which will be used to create and delete credentials;
    • Templates: The templates for the selected Type containing the instructions to create and remove credentials;
    • Default TTL: A credential lifetime in seconds. When the time runs out, the credential will be automatically deleted from the target device;
  3. To finish, click on Confirm.
Dynamic Provisioning Credential Profile Screen

Info

DevOps Secret Management uses templates registered in the Executions module. For more information on how to create templates, please check here.

Info

To dynamically create and delete credentials on target devices, senhasegura needs an already pre-configured credential with the correct permissions.

This credential can be selected manually through the dropdown option, or a username can be provided; in that case senhasegura will look for a credential with that username on each device configured to run the template.

Enable Dynamic Provisioning on Applications

Once the profiles are configured, each application can have its own related profiles.

To set an application dynamic provisioning profile, follow the menu DevOps Secret Manager ➔ Applications ➔ Applications.

  1. Edit or create an application and go to the Automatic provisioning tab;
  2. Enable Automatic provisioning of secrets option;
  3. On the Cloud dynamic provisioning profile option, add an already created profile;
  4. On the Credential dynamic provisioning profile option, add a device and select an already created profile;
  5. To finish, click on Save.
Enable Dynamic Provisioning Screen

Enabling Secret Auto-renew

After configuring an application with one or more dynamic provisioning profiles attached to it, its secrets can automatically rotate their data at a pre-determined time interval, creating a new credential on the target devices or cloud providers and registering it as part of that secret.

This enables credential rotation without the risk of an unavailability scenario, since the old credential is not rotated or deleted automatically; applications can keep using the old data until they receive the update through a rollout process.
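The lifecycle described above (usernames built from the profile identifier plus a time-based string, a TTL in seconds after which the target-side credential is removed, and an auto-renew that adds a new credential while the previous one stays usable until the application has rolled out) can be modelled in a few dozen lines. The following is an added illustration written for this article, not senhasegura DSM code; every class, function and parameter name in it is an assumption, and the `ttl_covers_renew` check is a suggested sanity check rather than a product feature.

```python
"""Constructed model of a Just-in-Time credential lifecycle (not senhasegura code).

Shows: identifier + time-based username, TTL-based deprovisioning, and an
auto-renew that keeps the old credential until the application acknowledges
its rollout, so rotation never leaves the application without a working secret.
"""
from dataclasses import dataclass
from typing import List
import secrets

MIN_RENEW_MINUTES = 10  # minimum auto-renew interval stated in the docs


@dataclass
class Credential:
    username: str
    password: str
    created_at: float   # epoch seconds
    ttl: int            # seconds; the profile's Default TTL
    retired: bool = False

    def expired(self, now: float) -> bool:
        # Once the TTL runs out the target device no longer has this credential
        return now >= self.created_at + self.ttl


@dataclass
class ProvisioningProfile:
    identifier: str         # hypothetical profile Identifier
    default_ttl: int = 3600  # hypothetical Default TTL (seconds)

    def username_for(self, now: float) -> str:
        # Identifier plus a time-based string, as the profile description states
        return f"{self.identifier}-{int(now)}"

    def provision(self, now: float) -> Credential:
        # A fresh random password on every provisioning; nothing is reused
        return Credential(self.username_for(now), secrets.token_urlsafe(24),
                          now, self.default_ttl)


class Secret:
    """A secret holding one or more credentials provisioned from a profile."""

    def __init__(self, profile: ProvisioningProfile, renew_minutes: int, now: float):
        if renew_minutes < MIN_RENEW_MINUTES:
            raise ValueError(f"auto-renew interval must be at least {MIN_RENEW_MINUTES} minutes")
        self.profile = profile
        self.renew_seconds = renew_minutes * 60
        self.credentials: List[Credential] = [profile.provision(now)]  # newest last
        self.last_renew = now
        self.deprovisioned: List[str] = []  # usernames removed from the target

    def current(self) -> Credential:
        return self.credentials[-1]

    def usable(self, now: float) -> List[Credential]:
        # Credentials an application may still present: not retired, not expired
        return [c for c in self.credentials if not c.retired and not c.expired(now)]

    def ack_rollout(self) -> None:
        # The application confirms it uses the newest credential; older ones may go
        for cred in self.credentials[:-1]:
            cred.retired = True

    def tick(self, now: float) -> None:
        """Run one scheduler pass: renew if due, then deprovision what is no longer needed."""
        due = now - self.last_renew >= self.renew_seconds or self.current().expired(now)
        if due:
            self.credentials.append(self.profile.provision(now))
            self.last_renew = now
        newest = self.credentials[-1]
        keep = []
        for cred in self.credentials:
            if cred is not newest and (cred.retired or cred.expired(now)):
                self.deprovisioned.append(cred.username)  # removed from the target
            else:
                keep.append(cred)
        self.credentials = keep


def ttl_covers_renew(profile: ProvisioningProfile, renew_minutes: int) -> bool:
    """True if a credential outlives the renew interval, so a replacement always exists first."""
    return profile.default_ttl >= renew_minutes * 60
```

The `ttl_covers_renew` check captures the configuration mistake most worth catching: a Default TTL shorter than the auto-renew interval deletes the credential on the target before its replacement has been provisioned, which is exactly the unavailability scenario the overlap is meant to avoid.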

To enable secret auto-renew, follow the menu DevOps Secret Manager ➔ Secret Management ➔ Secrets.

  1. Edit or create a secret and go to the Auto-renew tab;
  2. Enable auto-renew for Cloud credentials, Ephemeral credentials and/or Credentials;
  3. For each option, provide an interval period in minutes. The minimum allowed is 10 minutes;
  4. To finish, click on Save.
Enable Secret Auto-renew Screen

Caution

Enabling Credentials auto-renew triggers an actual password rotation on the credentials of a secret, which may cause systems to stop working, depending on how they use those credentials.

Make sure that the application will also receive this update without any downtime.
