How to perform Just-In-Time (JIT) dynamic secrets provisioning


To ensure a high level of security in elastic cloud environments, the DevOps Secret Manager (DSM) enables automatic provisioning and deprovisioning of JIT secrets across cloud providers, environments, and systems. This scenario is commonly used in ephemeral and dynamic environments where JIT secrets are created.

More information in About dynamic provisioning and About dynamic provisioning profiles.

Requirements

  • Access to DevOps Secret Manager.
  • For dynamic credential provisioning: PAM Core.
  • For cloud environment provisioning: Cloud IAM.

Step 1: Configure the dynamic provisioning profile

The first step is to configure the dynamic provisioning profile. Dynamic provisioning profiles are pre-configured definitions that allow DSM to automate the creation and management of access credentials.

Configure a dynamic access key provisioning profile for cloud providers

To configure the dynamic JIT secrets provisioning profile for cloud providers, see the following steps:

  1. On Segura® Platform, hover over the Products menu in the navigation bar and select Cloud IAM.
  2. In the side menu, select Identity management > Dynamic provisioning, then click Profiles.
  3. In the Profiles report, click Add.
  4. Select the cloud account where you want to configure dynamic provisioning.
  5. In the Settings tab, fill in the following fields:
    1. In the Identifier * field, enter a name for the profile.
    2. In the Enabled * field, choose whether to activate or deactivate the profile.
    3. Optional: In the Description field, provide a description of the profile.
    4. Click Continue.
  6. In the Review tab, verify the information entered in the previous tab and click Save.

After configuring and creating the dynamic access key provisioning profile, proceed to Step 2: Create the application.

Configure a dynamic credential provisioning profile

DSM supports dynamic provisioning of credentials in various systems and devices, such as databases (MySQL, Oracle, and SQL Server), Linux and Windows servers, and other technologies.

To configure a dynamic credential provisioning profile, see the following steps:

  1. On Segura® Platform, hover over the Products menu in the navigation bar and select PAM Core.
  2. In the side menu, select Management > Dynamic credentials, then click Profiles.
  3. In the Profiles report, click Add.
  4. In the Identifier * field, enter a name for the profile.
  5. In the Status * field, choose whether to activate or deactivate the profile.
  6. In the Type * field, select the type of device.
  7. Optional: Enable the Use a registered credential to access all devices checkbox to use a specific credential to access all devices.
  8. Optional: In the Access credential registered in the system field, choose which credential to use. This field will only be available if the Use a registered credential to access all devices checkbox is enabled.
  9. Optional: In the Credential username field, enter the credential username.
  10. In the Credential creation template * field, select the template for creating credentials. More information in Executions templates.
  11. In the Credential removal template * field, select the template for removing credentials. More information in Executions templates.
  12. Optional: In the Roles field, add roles or groups to be assigned to the user.
  13. Optional: In the Seconds field, define how long the credential should be valid. After this period, the Segura® Platform will automatically delete the credential from the target device.

After configuring and creating the dynamic credential profile, proceed to Step 2: Create the application.
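The profile fields above (creation template, removal template, roles, and the Seconds TTL) together describe one lifecycle: a short-lived account is created on the target from a template, handed out, and removed again once its validity period ends. The following is an added example that models that lifecycle in plain Python; it is not the DevOps Secret Manager's own code or API, and the `Profile`, `Device`, `JitProvisioner` and `FakeClock` names, the template placeholders, and the constructed MySQL-style commands are all assumptions made for illustration.

```python
"""Added example: a minimal JIT credential lifecycle (create -> lease -> expire
-> remove). Illustrative only; not the Segura platform's own implementation."""
from __future__ import annotations

import secrets
import string
import time
from dataclasses import dataclass, field

PASSWORD_ALPHABET = string.ascii_letters + string.digits


@dataclass
class Profile:
    """Assumed shape of a dynamic credential provisioning profile."""
    identifier: str
    device_type: str
    creation_template: str          # placeholders: {username} {password} {roles}
    removal_template: str           # placeholder:  {username}
    roles: list[str] = field(default_factory=list)
    ttl_seconds: int = 300          # the "Seconds" field: credential validity


@dataclass
class Device:
    """Constructed stand-in for a target system; it only records commands."""
    name: str
    executed: list[str] = field(default_factory=list)

    def run(self, command: str) -> None:
        self.executed.append(command)


@dataclass
class Lease:
    username: str
    device: Device
    profile: Profile
    expires_at: float


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class JitProvisioner:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.leases: dict[str, Lease] = {}

    def provision(self, profile: Profile, device: Device) -> tuple[str, str]:
        """Render the creation template with a fresh random identity and run it."""
        username = f"jit_{secrets.token_hex(4)}"
        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(24))
        command = profile.creation_template.format(
            username=username, password=password, roles=",".join(profile.roles))
        device.run(command)
        self.leases[username] = Lease(
            username, device, profile, self.clock() + profile.ttl_seconds)
        return username, password

    def deprovision(self, username: str) -> None:
        """Render the removal template for a leased identity and run it."""
        lease = self.leases.pop(username)
        lease.device.run(lease.profile.removal_template.format(username=username))

    def reap_expired(self) -> list[str]:
        """Remove every credential whose TTL has elapsed; return their usernames."""
        now = self.clock()
        expired = [u for u, lease in self.leases.items() if lease.expires_at <= now]
        for username in expired:
            self.deprovision(username)
        return expired


# Constructed MySQL-style templates; the real templates come from Executions templates.
MYSQL_PROFILE = Profile(
    identifier="mysql-jit-reader",
    device_type="MySQL",
    creation_template=("CREATE USER '{username}' IDENTIFIED BY '{password}'; "
                       "GRANT {roles} TO '{username}';"),
    removal_template="DROP USER '{username}';",
    roles=["app_reader"],
    ttl_seconds=60,
)

if __name__ == "__main__":
    clock = FakeClock(now=1_000.0)
    provisioner = JitProvisioner(clock)
    db = Device("db01")
    user, _ = provisioner.provision(MYSQL_PROFILE, db)
    print("issued", user, "expires at", provisioner.leases[user].expires_at)
    clock.now += MYSQL_PROFILE.ttl_seconds
    print("reaped", provisioner.reap_expired(), "last command:", db.executed[-1])
```

The point to take from the model is that the removal template and the TTL are what make the secret "just in time": with a bounded `ttl_seconds`, a leaked credential stops working on its own, and the reaper's output is the audit record of every identity the platform cleaned up.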

Step 2: Create the application

Once you’ve created the necessary dynamic provisioning profiles, create an application and assign those profiles to it.

To create an application, see the following steps:

  1. On the Segura® Platform, hover over the Products menu in the navigation bar and select DevOps Secret Manager.
  2. In the side menu, select Application management > Applications.
  3. In the Applications report, click Add.
  4. In the Settings tab, enter the following information:
    1. In the Application name * field, enter a name for the application.
    2. In the Authentication method * field, select the desired authentication method.
    3. In the Line of business field, select the relevant line of business.
    4. In the Application type field, choose the type of application being registered.
    5. In the Status * field, set the application’s current state.
    6. In the Tags field, enter any tags, separated by commas.
    7. In the Description field, provide a description for the application.
    8. In the Amazon AWS ARNs field, click + Add and enter the ARN(s) of the resource(s) to be registered.
    9. Click Continue.
  5. In the Automatic provisioning tab, enter the following information:
    1. In the Automatic provisioning of secrets field, enable the application provisioning.
    2. In the Cloud dynamic provisioning profile table, click + Add and select the cloud access key profile you configured earlier in the Configure a dynamic access key provisioning profile for cloud providers section.
    3. In the Credential dynamic provisioning profile table, click + Add and select the credential profile you configured earlier in the Configure a dynamic credential provisioning profile section.
    4. Click Continue.
  6. In the Review tab, review all information entered previously and click Save.

After creating the application and assigning the configured profiles, the automatic JIT secrets provisioning and deprovisioning across cloud providers, environments, and systems will be active.