3.3 Vault

Table of contents
1. Introduction
2. How does Kaholo Vault work?
3. How to create a Vault
a. From Settings
b. From a Pipeline design view
4. Managing Vaults
a. Modify a Vault
b. Delete a Vault
5. Accessing a Vault value – Kaholo SDK
6. Vaults and Configurations
7. Vaults and Execution Inputs
8. Summary

 

1. Introduction

When browsing the web or working with infrastructure-as-a-service (IaaS) platforms such as Amazon Web Services or Google Cloud Platform, you may encounter certain things that you don’t want others to have access to, such as passwords, special application keys, API encryption keys, certificates, tokens, and others. 

These “things” are called secrets. To perform multiservice tasks, you need to allow third-party applications to use your secrets.

Hardcoding all your credentials or storing them in a text file on your desktop is not the best idea. To store secrets safely, you should use Vaults. 

The value of any Action field that requires sensitive data, such as passwords, secrets, and SSH keys, can be stored in our built-in vault. You also have the option of integrating with an external vault management system like HashiCorp. Read more about the HashiCorp plugins here and here.


2. How does Kaholo Vault work?

Kaholo Vault is a secret management and encryption system. It provides an extra layer of security. Vault validates and authorizes clients (users, apps) before providing them access to secrets or stored sensitive data. 

Each secret you provide is encrypted and stored safely. Encryption keys are unique for each environment and tenant. When the pipeline executes, the secret is decrypted and passed to the service by an Action.

 

3. How to create a Vault

Vaults in Kaholo can be treated like global variables. They can be accessed by every pipeline you create.

There are two ways to create a Vault: 

  • From Settings
  • From a Pipeline Design view

 

a. Create a Vault from the Settings tab

To create a vault item, simply click on a Vault field in the Actions Parameters, select “Add new vault item” and enter the Name and Value in the popup that appears.

1. Go to the Settings tab and click on the “Settings” icon. Here you can also find the list of all the Vaults that have ever been created on your agent.

2. To create a new Vault click on the blue “Add Item” button located in the right corner of the screen. 

 

3. Fill in the fields of a pop-up window. 

  • Name – the name of the Vault, which differentiates it from other Vaults
  • Description – Adds more information about a Vault
  • Value – the value of a secret, it can be a password, token, or any other string

 

Click “Save”. You should be able to see the vault on a list now.

 

b. Create a vault from a Pipeline Design tab

You can create Vaults on the go, during the pipeline creation process. Simply, when selecting a vault for the plugin, click on “Add New Vault Item”. It will call the pop-up window in the pipeline designer section.

 

Some of Kaholo’s plugins require a specific vault value to function properly. See each plugin’s field description for more information on what the connected vault should contain.

For example, the Kubernetes plugin requires you to provide values for Certificate Authority and Service Account Token to execute a method called “Get Service”.

 

4. Managing the Vaults:
a. Modify a Vault 

You can modify a Vault by going to the “Settings” section and clicking on the Pen Icon, located next to a Vault name. The current value of a Vault is hidden, but you can overwrite it with a new one.

 

b. Delete a Vault

You can delete a Vault by going to the “Settings” section and clicking on the Bin Icon, located next to a Vault name. The value of a Vault will be deleted permanently and you will not be able to restore it.

 

5. Accessing a Vault value – Kaholo SDK

You can access a Vault value and use it in your code by using the Kaholo SDK. In the main Code Layer of a Pipeline, Vaults can be accessed under the “kaholo” object.

kaholo.vault.getValueByKey

 

To be able to print out the Vault value, you need to connect this JavaScript function to the CommandLine plugin. 

// Returns the value of the Vault item named "secret_name" as a string.
async function getVault() {
   return `${await kaholo.vault.getValueByKey("secret_name")}`;
}

Use the Code field option to connect the plugin to the function.

 

Save and Execute the pipeline. You should be able to see the Vault value in the Execution Results tab. Because the value is displayed there in clear text, use a test secret for this check.

 

6. Vaults and Configurations

You can manage your secrets with the use of a Configuration Tab. Vaults are structured like a dictionary: each Vault has a key and a secret value assigned to it.

 

Therefore, in a single configuration file, for a single Vault, you need to create two fields that store the key and value of a secret:

{
  "key_id": "KEY",
  "secret_name": "SECRET"
}


To access the configuration, you can use asynchronous JavaScript functions that connect the Vault value with a value declared in a Configuration. Add this code in the Main Code Layer of a pipeline:

 

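// Looks up the Vault item named in configuration.key_id and writes its value
// back into configuration.key_id.
async function get_key_id() {
    kaholo.execution.configuration.key_id = await kaholo.vault.getValueByKey(kaholo.execution.configuration.key_id)
}

// Looks up the Vault item named in configuration.secret_name and stores its
// value in configuration.secret.
async function get_secret() {
    kaholo.execution.configuration.secret = await kaholo.vault.getValueByKey(kaholo.execution.configuration.secret_name)
}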

 

Connect the code to the plugin to call the functions. Switch to the Code option in a plugin field and type in the calls below:

get_key_id()

get_secret()
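
A variant of the lookup above, given as an added example that is not Kaholo's own code: it returns the resolved secrets in a separate object instead of writing them back into the configuration, stops when a Vault item is missing, and logs only a masked view. The `kaholo` object and `VAULT_ITEMS` are constructed stand-ins so the code runs outside a pipeline; only `kaholo.vault.getValueByKey` and `kaholo.execution.configuration` come from this page, and `resolveVaultFields`, `redact` and the `undefined` result for an unknown item are assumptions.

```javascript
// Constructed stand-in for the Kaholo SDK so the example runs outside a pipeline.
// Assumption: getValueByKey resolves to undefined for an unknown item name.
const VAULT_ITEMS = { KEY: "constructed-key-id", SECRET: "constructed-secret-value" };
const kaholo = {
  vault: { getValueByKey: async (name) => VAULT_ITEMS[name] },
  execution: { configuration: { key_id: "KEY", secret_name: "SECRET" } },
};

// Hypothetical helper: resolve the listed configuration fields through the
// Vault and return the values in a new object. The configuration keeps only
// the Vault item names, so the lookup can be repeated safely.
async function resolveVaultFields(sdk, fields) {
  const config = sdk.execution.configuration;
  const resolved = {};
  for (const field of fields) {
    const itemName = config[field];
    if (typeof itemName !== "string" || itemName === "") {
      throw new Error(`configuration field "${field}" does not name a Vault item`);
    }
    const value = await sdk.vault.getValueByKey(itemName);
    if (value === undefined || value === null || value === "") {
      // Fail closed: never pass an empty credential on to an Action.
      throw new Error(`Vault item "${itemName}" (from "${field}") was not found`);
    }
    resolved[field] = value;
  }
  return resolved;
}

// Hypothetical helper: build a view that is safe to log, with every
// resolved value replaced by a fixed mask.
function redact(resolved) {
  return Object.fromEntries(Object.keys(resolved).map((k) => [k, "********"]));
}

async function demo() {
  const secrets = await resolveVaultFields(kaholo, ["key_id", "secret_name"]);
  console.log("resolved:", redact(secrets)); // masked values only
  return secrets;
}
demo();
```

Inside a pipeline, omit the stand-in `kaholo` and `VAULT_ITEMS` definitions and pass the real `kaholo` object to `resolveVaultFields`.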

 

7. Vaults and Execution Inputs

Kaholo allows you to pass a secret directly to a pipeline by using the Execution Inputs tab. More on the Execution Inputs can be found here.

 

8. Summary

Vaults are essential when it comes to secrets management. They allow you to store and safely manage your secrets, without the need for role monitoring.

You can safely store your secrets in Kaholo Vaults or choose to integrate them with HashiCorp using the dedicated plugin.