Secretless Configuration
Secretless Broker relies on its configuration to determine the target services it connects to and how it should retrieve the access credentials to authenticate with those services.
Your Secretless Broker configuration file begins with a version and a list of services:
version: "2"
services:
  service-1:
    ...
Each individual service definition provides Secretless Broker with the information it needs to connect to a given target service. Specifically, Secretless needs to know:
- The protocol used by the target service.
- Where to listen for new connection requests.
- Where to get credentials for incoming connections.
- The location of the target service (e.g., where to send requests).
Secretless Broker uses the protocol given in the service configuration to determine which service connector should process the connection request. Secretless retrieves any required credentials, revises the connection request to inject the valid authentication credentials, negotiates the authentication handshake with the target service, and then transparently streams data between the client and service.
Secretless must itself be configured to authenticate with any credential providers referenced in its configuration. For example, if Secretless will be retrieving credentials from a vault, the Secretless application must itself be able to authenticate with the vault and must be authorized to retrieve the necessary credentials. For more information on how this works in practice, review the documentation for the individual Secret Providers.
To understand better what the service definition looks like in practice, let's look at a sample Secretless Broker configuration and discuss the components. Additional examples are available at the bottom of the page and throughout the documentation.
version: "2"
services:
  postgres-db:
    connector: pg
    listenOn: tcp://0.0.0.0:5432 # can be a socket as well (same name for both)
    credentials:
      host: postgres.my-service.internal
      port: 5432
      password:
        from: conjur
        get: id-of-secret-in-conjur
      username:
        from: env
        get: username
    config: # this section usually blank
      optionalStuff: foo
In this sample, Secretless Broker is configured to connect to a service named postgres-db. Clients send connection requests to this service via localhost using port 5432. This service uses the pg protocol, which indicates that the PostgreSQL service connector should process requests that come in via this port. The credentials for this connection are retrieved from multiple sources: the host and port are given as literal values in the configuration, the password is retrieved from the Conjur variable with ID id-of-secret-in-conjur, and the username is retrieved from the environment variable named username.
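To make the required shape of a service definition concrete, here is an added validator (not part of the Secretless Broker project) that checks a parsed v2 configuration for the fields described above. It works on the configuration after YAML parsing, i.e. a plain dict; the sample dict is the postgres-db example from this page, and the check names and messages are my own.

```python
from urllib.parse import urlparse

# Constructed sample: the parsed (dict) form of the postgres-db example above.
SAMPLE_CONFIG = {
    "version": "2",
    "services": {
        "postgres-db": {
            "connector": "pg",
            "listenOn": "tcp://0.0.0.0:5432",
            "credentials": {
                "host": "postgres.my-service.internal",
                "port": 5432,
                "password": {"from": "conjur", "get": "id-of-secret-in-conjur"},
                "username": {"from": "env", "get": "username"},
            },
            "config": {"optionalStuff": "foo"},
        }
    },
}

def check_listen_on(value):
    """listenOn must be tcp://host:port or unix:///path, the two forms this page mentions."""
    u = urlparse(str(value))
    try:
        if u.scheme == "tcp":
            return bool(u.hostname) and u.port is not None
    except ValueError:  # non-numeric or out-of-range port
        return False
    return u.scheme == "unix" and u.path != ""

def validate_config(cfg):
    """Return human-readable problems; an empty list means the shape is acceptable."""
    problems = []
    if str(cfg.get("version")) != "2":
        problems.append('version must be "2"')
    services = cfg.get("services")
    if not isinstance(services, dict) or not services:
        return problems + ["services must be a non-empty mapping"]
    for name, svc in services.items():
        for key in ("connector", "listenOn", "credentials"):
            if key not in svc:
                problems.append(f"{name}: missing required key '{key}'")
        if "listenOn" in svc and not check_listen_on(svc["listenOn"]):
            problems.append(f"{name}: listenOn must be tcp://host:port or unix:///path")
        for cred, spec in (svc.get("credentials") or {}).items():
            # Each credential is a literal value or a {from, get} provider reference.
            if isinstance(spec, dict) and set(spec) != {"from", "get"}:
                problems.append(f"{name}: credential '{cred}' needs exactly 'from' and 'get'")
    return problems
```

Running such a check before deploying a configuration catches a missing provider reference or a malformed listener before Secretless fails to start.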
Additional Examples
In the examples below, we share the Secretless configurations that were used in the Secretless Quick Demo. For ease of understanding, we've broken them up into three separate configurations. In practice, you can configure Secretless Broker to handle as many types of connections as you need; to see how we configured Secretless Broker to handle all three of these connection types at once, check out the actual configuration we used in building the quick start Docker image.
version: "2"
services:
  pg_tcp:
    connector: pg
    listenOn: tcp://0.0.0.0:5454
    credentials:
      host: localhost
      port: 5432
      username:
        from: env
        get: QUICKSTART_USERNAME
      password:
        from: env
        get: QUICKSTART_PASSWORD
version: "2"
services:
  ssh:
    connector: ssh
    listenOn: tcp://0.0.0.0:2222
    credentials:
      address: "localhost"
      user: "user"
      privateKey:
        from: env
        get: SSH_PRIVATE_KEY
version: "2"
services:
  http_basic_auth:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8081
    credentials:
      username:
        from: env
        get: BASIC_AUTH_USERNAME
      password:
        from: env
        get: BASIC_AUTH_PASSWORD
    config:
      authenticateURLsMatching:
        - ^http\:\/\/quickstart\/
        - ^http\:\/\/localhost.*
version: "2"
services:
  pg_tcp:
    connector: pg
    listenOn: tcp://0.0.0.0:5454
    credentials:
      host: "localhost"
      port: 5432
      username:
        from: env
        get: QUICKSTART_USERNAME
      password:
        from: env
        get: QUICKSTART_PASSWORD
  ssh:
    connector: ssh
    listenOn: tcp://0.0.0.0:2222
    credentials:
      address: "localhost"
      user: "user"
      privateKey:
        from: env
        get: SSH_PRIVATE_KEY
  http_basic_auth:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8081
    credentials:
      username:
        from: env
        get: BASIC_AUTH_USERNAME
      password:
        from: env
        get: BASIC_AUTH_PASSWORD
    config:
      authenticateURLsMatching:
        - ^http\:\/\/quickstart\/
        - ^http\:\/\/localhost.*
Supplying Secretless Broker with its Configuration
The Secretless Configuration Managers reference provides more information about how to supply Secretless Broker with its configuration in practice.