When the Secretless Broker receives a new request on a defined Listener, it automatically passes the request on to the Handler defined in the Secretless Broker configuration. The Listener receives the request, but the Handler processes the request. Each Listener in the Secretless Broker configuration should therefore have a corresponding Handler.

The Handler configuration specifies the Listener that the Handler is handling connections for and any credentials that will be needed for that connection. Several credential sources are currently supported; see the Credential Providers section for more information.

The example below defines a Handler to process connection requests from the pg_socket Listener, and it has three credentials: address, username, and password. The address and username are literally specified in this case, and the password is taken from the environment of the running Secretless Broker process.

  -  name:  pg_via_socket  
    listener:  pg_socket  
      -  name:  address  
        provider:  literal  
        id:  pg:5432  
      -  name:  username  
        provider:  literal  
        id:  myuser  
      -  name:  password  
        provider:  env  
        id:  PG_PASSWORD

In production you would want your credential information to be pulled from a vault, and the Secretless Broker currently supports multiple vault Credential Providers.

When a Handler receives a new connection request, it retrieves any required credentials using the specified Provider(s), injects the correct authentication credentials into the connection request, and opens up a connection to the target service. From there, the Handler simply transparently shuttles data between the client and service.

Select the Handler you are interested in below to learn about its usage and configuration. Are we missing something vital? Please check our GitHub issues to see if the Target Service you are interested in is on our radar, and request it by opening a GitHub issue if not.

In this section: