One Identity Safeguard Secrets Broker for DevOps HashiCorp Integration

For this demo, I'm using an Azure VM again through a Safeguard session. I'm logged in through SPS 1, which is publicly hosted on Azure with IP restrictions. But I'm accessing this Win10 1 VM that is on a private network with no public IP address in Azure. This is a great way to securely access VMs in the cloud. In this demo I'm going to be showing how to use the command line to configure Azure containers and Secrets broker to demonstrate some of the techniques you might use to automate some DevOps scenarios. So let's start by getting logged into Azure from the Azure CLI. OK, once we are logged in, let's make sure to select the right subscription that has my network and resource groups set up. Now we're going to be using the Azure CLI to deploy HashiCorp vault to Azure running in a Docker container. You can see from the command that I just need to select the Docker image I want to run, the network, and subnet, and expose the port that I'm going to be using to access vault. That command takes about a minute to run. Then I can go back to the Azure portal to see the container running in my environment. Make sure that the container status says "running." And using the IP, I can access the vault UI on port 8200 that I exposed earlier. As you can see, vault wants me to log in. To get the route token for vault, I will view the container log, which is easy from the Azure portal. I'll just scroll down to find that and copy it to my clipboard. Heading back over to the vault UI, we can log in and check out the initial setup. As you can see, the default Secret key value engine is configured, but there's nothing in there. But while I have that route token on my clipboard, I'm going to go ahead and add it to Safeguard so that I can use it later for my vault account in the Secrets broker. I can just do that by manually setting the password for an account. Now let's head back over to the command line where we can use a very similar Azure CLI command to deploy Secrets broker. The image name for Secrets broker is Safeguard-DevOps. And the port we are going to expose is 4443. It takes a minute for the container to deploy to Azure. Let's use the portal to watch for it to be ready. If it says "pending", we can just refresh until it says "running." Now using the IP address, we can use the web browser to connect to the Secrets broker web API using the Swagger page. All of the functionality of Secrets broker is available via the web API. And the automation tools we're going to use later in this demo are written against this API. So let's head over to the Secrets broker GitHub page to look at some of those automation tools. The Secrets broker project is called Safeguard DevOps Service. Along with the service we built a PowerShell module that can be used for administration and automation. The module is easy to install from the PowerShell gallery. There is also a Samples directory where we will publish Secrets broker automation examples. This is the script that we are going to use in this demo. Its purpose is to completely configure a Secrets broker to push secrets to a HashiCorp vault. Back on the command line, you can see that I have this script and a client certificate in my current directory. The client certificate is going to be used for secure communications between Secrets broker and Safeguard. Now let's call the script. Looking at some of these parameters, you can see that I'm specifying the location of the Secrets broker and HashiCorp vault, including the ports. This next line provides an admin connection for pairing Secrets broker with a Safeguard appliance in my environment-- the same Secret appliance that I'm using to create this [INAUDIBLE] session. That is followed by a client certificate file path and password. I'm also specifying the vault account that I stored the route token in earlier, and a Safeguard asset account to be synced through the plugin to a HashiCorp vault. Just a prompt for my admin password, and then we can just watch it run. The script does all the hard work to get Secrets broker communicating with Safeguard so that it can watch for password changes. It also configures a plugin that can talk to the HashiCorp vault we deployed. As you can see, the latest version of the plugin was downloaded from GitHub where it is published as a release aspect. So now let's test it out. First we need to connect to Safeguard using PowerShell from the command line. Just need to type my password. Now that I'm connected to Safeguard I can use any of the Safeguard PowerShell command lines to control Safeguard. Let's use one to change the password of that account that Secrets broker is watching. I'll just type that in there, set it running, and watch the progress as the password is changed. Commandlet shows a little bit of progress, and it's done. Now if you go back up to the vault UI in the browser again, you can see that the Secret engine is no longer empty and that there is the password there from Safeguard. If I head back to the command line, I can run another password change to make sure it updates in vault again. As you can see, there is a new version of the Secret and the new password is there. One more thing to show is how to connect to Secrets broker from PowerShell. The SG DevOps module provides a connect commandlet that actually reuses my Safeguard connection. Because Secrets broker trusts Safeguard for authentication identity. I'll just run a test command here and then show you the list of commandlets that are used to implement the script that we saw today.