This document details the process of integrating AAPM using the Segura agent. It covers everything from making local requests to the agent's API to integration with automation scripts using the CLI, including the use of secure caching features and a description of the overall API/agent integration workflow.
Local API Request
To interact with the Segura agent via API, assume the agent is running on localhost:8787.
Request
- Endpoint: GET http://localhost:8787/secret/db-production
- Authorization: Bearer <app-local-token> (be sure to replace <app-local-token> with the application's actual authentication token).
Response
The expected response is a JSON object containing the details of the requested secret:
{
"secret_id": "db-production",
"username": "user",
"password": "pass",
"expires_at": "2025-05-30T18:00:00Z"
}
- secret_id: unique identifier of the secret.
- username: username associated with the secret.
- password: password associated with the secret.
- expires_at: secret expiration date and time in UTC format.
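The request and response above, as an added example that is not part of the Segura documentation: a small Python client that calls the agent's local /secret/<id> endpoint with a bearer token, validates the four response fields and rejects a secret whose expires_at is already in the past. So that it runs offline, the block also starts a constructed stand-in for the agent on an ephemeral port; the stub, its FAKE_TOKEN and the secret values are made up for the example and are not the agent's real behaviour or defaults.

```python
"""Added example: client for the agent's local secret endpoint, plus a
constructed stub of the agent so the example runs without a real installation."""
import json
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

REQUIRED_FIELDS = ("secret_id", "username", "password", "expires_at")


class SecretError(Exception):
    """Raised when the agent refuses the request or returns an unusable secret."""


def fetch_secret(base_url, secret_id, token, timeout=5):
    """GET <base_url>/secret/<secret_id> with a bearer token and validate the body."""
    req = request.Request(
        f"{base_url}/secret/{secret_id}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except error.HTTPError as exc:
        # 401/403: bad or missing token; 404: unknown secret id.
        # Report the status code, never the token, in the message.
        raise SecretError(f"agent returned HTTP {exc.code} for {secret_id}") from exc
    except (error.URLError, json.JSONDecodeError) as exc:
        raise SecretError(f"agent unreachable or returned non-JSON: {exc}") from exc

    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        raise SecretError(f"response missing fields: {missing}")
    # Refuse a secret the agent itself marks as expired instead of trying it.
    expires = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise SecretError(f"secret {secret_id} expired at {body['expires_at']}")
    return body


# --- constructed stand-in for the local agent (offline testing only) ---
FAKE_TOKEN = "app-local-token-EXAMPLE"  # placeholder, not a real token
FAKE_SECRETS = {
    "db-production": {
        "secret_id": "db-production",
        "username": "user",
        "password": "pass",
        "expires_at": "2099-01-01T00:00:00Z",
    }
}


class _FakeAgent(BaseHTTPRequestHandler):
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth != f"Bearer {FAKE_TOKEN}":
            return self._send(401, {"error": "unauthorized"})
        prefix = "/secret/"
        if not self.path.startswith(prefix):
            return self._send(404, {"error": "not found"})
        secret = FAKE_SECRETS.get(self.path[len(prefix):])
        if secret is None:
            return self._send(404, {"error": "unknown secret"})
        self._send(200, secret)

    def _send(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the stub quiet


def start_fake_agent():
    """Start the stub on 127.0.0.1 with an ephemeral port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAgent)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    url, srv = start_fake_agent()
    print(fetch_secret(url, "db-production", FAKE_TOKEN)["username"])
    srv.shutdown()
```

Against a real agent, drop the stub and call fetch_secret with http://localhost:8787 and the application's own token; the validation and error paths stay the same.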
CLI integration in automation scripts
Linux/MacOS script (bash)
#!/bin/bash
# Make sure you have the segura-agent installed and configured correctly.
set -euo pipefail
# Gets the secret JSON.
SECRET_JSON=$(segura-agent get-secret --id db-production)
# Extracts the password from the JSON (-e makes jq fail if the field is null or missing).
DB_PASS=$(echo "$SECRET_JSON" | jq -er '.password')
# Connects to the database using the obtained password.
# psql's --password flag only forces a prompt and takes no value; pass the
# password through PGPASSWORD instead, so it is not visible in the process list.
PGPASSWORD="$DB_PASS" psql -U produser -d production_db -h 10.10.1.10
Windows PowerShell script
# Make sure you have the segura-agent installed and configured correctly.
$secret = segura-agent get-secret --id db-production | ConvertFrom-Json
$sqlUsername = $secret.username
$sqlPassword = $secret.password
# Connects to the database using the obtained password.
Invoke-Sqlcmd -Username $sqlUsername -Password $sqlPassword -Database production_db
Secure cache (TTL - Time To Live)
The Segura agent can be configured to cache secrets for a strict duration, after which the next request will trigger a new search of the Segura vaults.
Configuration
cache:
enabled: true
ttl: 300 # seconds
- enabled: Enables or disables the cache feature.
- ttl: Cache time-to-live in seconds. We have configured it for 5 minutes, which is equivalent to 300 seconds.
Important notes
- The TTL configuration should be adjusted according to your organization's security policies.
- Caching improves performance by reducing the number of requests to the vault but should be used cautiously to avoid compromising security.
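The TTL behaviour described in this section, as an added example that is not part of the Segura documentation and not the agent's own implementation: a client-side cache in front of a secret fetcher that mirrors the cache.ttl setting (300 seconds) and additionally stops serving an entry once the secret's own expires_at has passed, so the TTL is an upper bound rather than a way to keep an expired credential alive. The fetcher, the secret values and the injectable clock are constructed so the expiry can be exercised without waiting.

```python
"""Added example: TTL cache for secrets, with expires_at as a hard stop."""
import time
from datetime import datetime


def _parse_utc(ts):
    """Parse the agent's expires_at format (e.g. 2025-05-30T18:00:00Z) to a POSIX timestamp."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class SecretCache:
    def __init__(self, fetcher, ttl=300, clock=time.time):
        self._fetch = fetcher        # callable: secret_id -> secret dict (e.g. a vault lookup)
        self._ttl = ttl              # seconds, like cache.ttl in the agent configuration
        self._clock = clock          # injectable for testing; defaults to wall-clock time
        self._entries = {}           # secret_id -> (secret, valid_until)
        self.vault_lookups = 0       # number of cache misses that hit the fetcher

    def get(self, secret_id):
        now = self._clock()
        cached = self._entries.get(secret_id)
        if cached is not None and now < cached[1]:
            return cached[0]
        secret = self._fetch(secret_id)
        self.vault_lookups += 1
        # Cache for at most ttl seconds, but never beyond the vault's expires_at.
        valid_until = now + self._ttl
        if "expires_at" in secret:
            valid_until = min(valid_until, _parse_utc(secret["expires_at"]))
        self._entries[secret_id] = (secret, valid_until)
        return secret

    def invalidate(self, secret_id=None):
        """Drop one or all entries, e.g. after a rotation event or an authentication failure."""
        if secret_id is None:
            self._entries.clear()
        else:
            self._entries.pop(secret_id, None)


# --- constructed scenario with a controllable clock ---
class FakeClock:
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through a sequence of requests; returns how many reached the vault."""
    base = _parse_utc("2025-05-30T17:00:00Z")
    clock = FakeClock(base)

    def fetcher(secret_id):
        # Constructed secret that expires 10 minutes after 'base'.
        return {"secret_id": secret_id, "username": "user", "password": "pass",
                "expires_at": "2025-05-30T17:10:00Z"}

    cache = SecretCache(fetcher, ttl=300, clock=clock)
    cache.get("db-production")   # t=0:   miss, lookup 1
    clock.advance(120)
    cache.get("db-production")   # t=120: hit, inside the 300 s TTL
    clock.advance(200)
    cache.get("db-production")   # t=320: TTL elapsed, lookup 2; valid until min(620, 600)=600
    clock.advance(240)
    cache.get("db-production")   # t=560: hit, still before expires_at
    clock.advance(60)
    cache.get("db-production")   # t=620: expires_at passed although TTL had 60 s left, lookup 3
    return cache.vault_lookups


if __name__ == "__main__":
    print(demo())
```

The third lookup in demo() is the point of the example: with a plain TTL the entry would have been served until t=620, but the vault said the credential stopped being valid at t=600, so the cache refreshes early.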
API/Agent integration workflow
To effectively integrate AAPM with the Segura platform, follow the workflow below:
- Installation of the Segura platform agent
  - Install the Segura agent on the target host (Windows, Linux, or container).
  - Ensure the agent is configured to communicate with the Segura platform.
- Agent authentication
  - Use a token, certificate, or mutual authentication to securely pair the agent with the Segura platform.
  - Verify the integrity of the connection by performing an authentication test.
- Credential request by the application
  - Via local HTTP endpoint: send a GET request to http://<host_address>/secret/<credential_id>, replacing <host_address> with the actual agent address and <credential_id> with the identifier of the desired credential.
  - Via CLI: use the command segura-agent get-secret --id <credential_id> in the automation script.
- Secret retrieval and delivery
  - The Segura agent retrieves the latest secret from the Segura vault and delivers it to the application or script.
  - Implement appropriate error handling to deal with failures in obtaining the secret.
- Credential rotation
  - Configure rotation events or schedules for the agent to automatically update credentials.
  - Test the rotation to ensure the process occurs without interruption.
- Action auditing
  - All actions, such as fetch, rotate, deliver, and error, are centrally logged.
  - Access audit logs for monitoring and compliance with security policies.
Best practices
- Dependency verification: ensure that all necessary dependencies for the agent are installed (for example, jq for shell scripts).
- Testing: perform tests in a controlled environment before deploying to production.
- Security: regularly review access tokens and follow best practices for credential storage and handling.