locksmith

package module
v0.0.0-...-a6d348c Latest
Published: Jun 6, 2023 License: MIT Imports: 14 Imported by: 0

README

locksmith

Locksmith seeks to solve a common problem in GCP organizations: integrations with third-party (3dP) applications and services often require a GCP service account key (example services: Tenable, Trend Micro, Prisma). Because this is a common pattern in GCP, and service account keys present a risk due to their long-lived credentials, organizations are forced into a tradeoff between accepting a solution that may genuinely improve their security posture and rejecting it because of its reliance on service account keys. Because the pattern is common enough in GCP, there is a reasonable need for a stable, repeatable way of addressing this tradeoff across an enterprise or GCP org.

A custom service such as locksmith removes the need to grant service account key permissions to developers and instead ensures that service account keys created in a given GCP Org are managed in a consistent manner.

Locksmith simplifies the management of service account keys in a few key ways:

  1. It orchestrates creating, vaulting (placing in GCP Secrets Manager), rotating, and disabling of keys.
  2. Because managing the keys is eased, frequently rotating service account keys becomes a low-cost effort, which reduces the primary issue with service account keys (the long-lived nature of the credential).
  3. It provides a natural funnel/forcing mechanism to ensure all keys in a given org are managed consistently. Additionally, configurations could be established to ensure keys are rotated within a certain time frame while easily notifying developer teams/applications that a new version has been vaulted in secrets manager.
  4. Asset Key Thief provides a clear example of how a misconfiguration within other GCP services can force organizations to need to rapidly rotate all or some keys within their GCP environment. Locksmith can address this situation easily with the yet to be released emergency key rotation option.

Deployment Configuration

The Service Account used to run the cloud function will require the following roles: Secret Manager Admin and Service Account Key Admin.

A runtime environment variable SecureStoreProjectID is expected to be provided and must contain a valid project ID in the form my-project-id-123.

NOTE: The Identity and Access Management (IAM) and Secrets Manager APIs must be enabled in the projects where service account keys and secrets will be created.

Documentation

Index

Functions

func CreateServiceAccountKey

func CreateServiceAccountKey(ctx context.Context, iamService *iam.Service, serviceAccountEmail string, disableAction bool) (*iam.ServiceAccountKey, error)

CreateServiceAccountKey creates a service account key and, if DisableServiceAccountKeys is set to 'true' in the Directive, disables all other service account keys for that service account. It returns either a *iam.ServiceAccountKey or an error. The returned key carries the key material (the key file) of the service account; this must be treated as a secret and should only ever be placed in Secret Manager.

func Handler

func Handler(w http.ResponseWriter, r *http.Request)

Handler is the Cloud Function entrypoint.

func VaultKey

func VaultKey(ctx context.Context, sm *secretmanager.Client, key []byte, secretName string, disableSecretAction bool) error

VaultKey creates a new secret version and vaults the given value in it. If DisableSecretVersions is set to 'true' in the Directive, all other versions of the secret will be disabled.

Types

type Directive

type Directive struct {
	// In a future version, this field will be used to allow
	// for specifying whether a GCP service account key or
	// API Key is the target. Support may be extended for all
	// secrets/keys on GCP that developers need/want to rotate.
	RotationType string `json:"rotationType,omitempty"`

	// The service account email whose keys will be rotated
	ServiceAccountEmail string `json:"serviceAccountEmail"`

	// The application service account that needs access to the secret
	ApplicationServiceAccount string `json:"applicationServiceAccount"`

	// Option to disable the secret version. If true, all previous versions
	// of the secret will be disabled.
	DisableSecretVersions bool `json:"disableSecretVersions,omitempty"`

	// Option to disable the key. If true all previous serviceAccount
	// keys will be disabled.
	DisableServiceAccountKeys bool `json:"disableServiceAccountKeys,omitempty"`

	// The name of the secret. ex: my-prod-secret
	// If omitted, a new secret will be created, unless an
	// existing secret can be found that is tied to the same service account.
	SecretName string `json:"secretName,omitempty"`
}

Directive is used to tell the 'locksmith' what operations to perform.
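As an added illustration (not the project's code), the flow the README lists (create a key, vault it, then disable the old ones) together with the "disable all other keys/versions" semantics documented for CreateServiceAccountKey and VaultKey, driven by the Directive fields and run against a constructed in-memory stand-in for the IAM and Secret Manager clients. The Store type, the key ids, the sample material and the choice to disable a key whose vaulting failed are assumptions of this example.

```go
package main

import "fmt"

// Directive mirrors the fields of the page's Directive that drive a rotation.
type Directive struct {
	ServiceAccountEmail, SecretName                  string
	DisableServiceAccountKeys, DisableSecretVersions bool
}

// Store is a constructed in-memory stand-in for the IAM and Secret Manager
// clients; a nil Versions map models a secret that cannot be written to.
type Store struct {
	Keys     map[string]bool // key id -> enabled
	Versions map[int][]byte  // version -> vaulted material (nil once disabled)
}

// Rotate creates a key, vaults it, and only then disables the others, so a
// consumer reading the latest secret version always finds a live key.
func Rotate(d Directive, s *Store) (newKey string, newVersion int, err error) {
	id := fmt.Sprintf("key-%d", len(s.Keys)+1) // stand-in for the IAM key id
	s.Keys[id] = true
	material := []byte("constructed-private-key-material-for-" + id)
	if s.Versions == nil {
		s.Keys[id] = false // assumed policy: never leave an unvaulted key live
		return "", 0, fmt.Errorf("vault key for %s: secret %q unavailable", d.ServiceAccountEmail, d.SecretName)
	}
	ver := len(s.Versions) + 1
	s.Versions[ver] = material
	if d.DisableServiceAccountKeys {
		for k := range s.Keys {
			s.Keys[k] = k == id // every previous key off, the vaulted one stays on
		}
	}
	if d.DisableSecretVersions {
		for v := range s.Versions {
			if v != ver {
				s.Versions[v] = nil
			}
		}
	}
	return id, ver, nil
}

func main() {
	s := &Store{Keys: map[string]bool{"key-1": true}, Versions: map[int][]byte{1: []byte("old")}}
	d := Directive{ServiceAccountEmail: "app@my-project-id-123.iam.gserviceaccount.com", SecretName: "my-prod-secret", DisableServiceAccountKeys: true, DisableSecretVersions: true}
	id, ver, err := Rotate(d, s)
	fmt.Println(id, ver, err, s.Keys, len(s.Versions[1]), len(s.Versions[2]))
}
```

With both disable flags set, the previous key and secret version are turned off only after the new version holds the new material; with a vaulting failure the previously vaulted key stays live.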
