Examples for AAPM integration


This document details the process of integrating AAPM using the Segura® agent. It covers everything from making local requests to the agent's API to integration with automation scripts using the CLI, including the use of secure caching features and a description of the overall API/agent integration workflow.

Local API Request

To interact with the Segura® agent via API, assume the agent is running on localhost:8787.

Request

  • Endpoint: GET http://localhost:8787/secret/db-production
  • Authorization: Bearer <app-local-token> (be sure to replace <app-local-token> with the application's actual authentication token).

Response

The expected response is a JSON object containing the details of the requested secret:

{
  "secret_id": "db-production",
  "username": "user",
  "password": "pass",
  "expires_at": "2025-05-30T18:00:00Z"
}
  • secret_id: unique identifier of the secret.
  • username: username associated with the secret.
  • password: password associated with the secret.
  • expires_at: secret expiration date and time in UTC format.

CLI integration in automation scripts

Linux/MacOS script (bash)

#!/bin/bash
# Make sure you have the segura-agent installed and configured correctly.
set -euo pipefail

# Gets the secret JSON; the script aborts here if the agent cannot deliver it.
SECRET_JSON=$(segura-agent get-secret --id db-production)

# Extracts the password from the JSON (requires jq).
DB_PASS=$(echo "$SECRET_JSON" | jq -r '.password')
[ -n "$DB_PASS" ] && [ "$DB_PASS" != "null" ] || { echo "no password in agent response" >&2; exit 1; }

# Connects to the database using the obtained password. psql reads the password
# from the PGPASSWORD environment variable; its --password flag only forces a prompt.
PGPASSWORD="$DB_PASS" psql -U produser -d production_db -h 10.10.1.10

Windows PowerShell script

# Make sure you have the segura-agent installed and configured correctly.
$ErrorActionPreference = 'Stop'

$secret = segura-agent get-secret --id db-production | ConvertFrom-Json
if (-not $secret.password) { throw "Agent response contained no password for db-production" }
$sqlUsername = $secret.username
$sqlPassword = $secret.password

# Connects to the database using the obtained password. Invoke-Sqlcmd (SqlServer module)
# also needs the server to connect to and a query to run; replace the placeholders.
Invoke-Sqlcmd -ServerInstance "<sql_server_host>" -Username $sqlUsername -Password $sqlPassword -Database production_db -Query "<query>"

Secure cache (TTL - Time To Live)

The Segura® agent can be configured to cache secrets for a fixed duration; once that duration has elapsed, the next request triggers a fresh fetch from the Segura® vault.

Configuration

cache:
    enabled: true
    ttl: 300 # seconds

  • enabled: Enables or disables the cache feature.
  • ttl: Cache time-to-live in seconds. In this example it is set to 300 seconds (5 minutes).

Important notes

  • The TTL configuration should be adjusted according to your organization's security policies.
  • Caching improves performance by reducing the number of requests to the vault but should be used cautiously to avoid compromising security.
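The following client ties the local API request (bearer token, JSON response with expires_at) to the cache behaviour described here. It is an added example, not code from Segura® or its agent, and it assumes the agent address and token from this page; the transport and clock parameters exist only so the cache logic can be exercised offline. The cache applies the configured TTL but never keeps an entry past the secret's own expires_at, and incomplete agent responses are rejected rather than used.

```python
import json
import time
import urllib.error
import urllib.request
from datetime import datetime

AGENT_URL = "http://localhost:8787"  # local agent address used throughout the page
CACHE_TTL = 300                      # seconds, same value as the cache.ttl example

def http_get(url, token):
    """Transport: GET an agent endpoint, sending the app-local bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"agent returned HTTP {err.code} for {url}") from err

def parse_secret(body):
    """Validate the agent's JSON and convert expires_at to an aware datetime."""
    data = json.loads(body)
    for field in ("secret_id", "username", "password", "expires_at"):
        if field not in data:
            raise ValueError(f"agent response is missing '{field}'")
    data["expires_at"] = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
    return data

class SecretClient:
    """Fetches secrets from the local agent with a TTL cache that never outlives expires_at."""

    def __init__(self, token, transport=http_get, ttl=CACHE_TTL, clock=time.time):
        # transport and clock are hypothetical hooks so the cache can be tested without an agent
        self.token, self.transport, self.ttl, self.clock = token, transport, ttl, clock
        self.cache = {}  # secret_id -> (secret dict, unix time the entry stops being valid)

    def get(self, secret_id):
        now = self.clock()
        hit = self.cache.get(secret_id)
        if hit and now < hit[1]:
            return hit[0]
        secret = parse_secret(self.transport(f"{AGENT_URL}/secret/{secret_id}", self.token))
        # Honor the configured TTL, but drop the entry early if the secret itself expires first.
        valid_until = min(now + self.ttl, secret["expires_at"].timestamp())
        self.cache[secret_id] = (secret, valid_until)
        return secret

if __name__ == "__main__":
    print(SecretClient("<app-local-token>").get("db-production")["username"])
```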

API/Agent integration workflow

To effectively integrate AAPM with the Segura® platform, follow the workflow below:

  1. Installation of the Segura® platform agent
    • Install the Segura® agent on the target host (Windows, Linux, or container).
    • Ensure the agent is configured to communicate with the Segura® platform.
  2. Agent authentication
    • Use a token, certificate, or mutual authentication to securely pair the agent with the Segura® platform.
    • Verify the integrity of the connection by performing an authentication test.
  3. Credential request by the application
    • Via local HTTP endpoint: send a GET request to http://<host_address>/secret/<credential_id>, replacing <host_address> with the actual agent address and <credential_id> with the identifier of the desired credential.
    • Via CLI: use the command segura-agent get-secret --id <credential_id> in the automation script.
  4. Secret retrieval and delivery
    • The Segura® agent retrieves the latest secret from the Segura® vault and delivers it to the application or script.
    • Implement appropriate error handling to deal with failures in obtaining the secret.
  5. Credential rotation
    • Configure rotation events or schedules for the agent to automatically update credentials.
    • Test the rotation to ensure the process occurs without interruption.
  6. Action auditing
    • All actions, such as fetch, rotate, deliver, and error, are centrally logged.
    • Access audit logs for monitoring and compliance with security policies.

Best practices

  • Dependency verification: ensure that all necessary dependencies for the agent are installed (for example, jq for shell scripts).
  • Testing: perform tests in a controlled environment before deploying to production.
  • Security: regularly review access tokens and follow best practices for credential storage and handling.