Secrets Management
Overview
Secrets Management enables organizations to use a third-party secrets manager to store endpoint credentials. Instead of entering credentials directly in SnapLogic accounts and relying on SnapLogic to encrypt them, the accounts contain only the information necessary to retrieve the secrets. During validation and execution, pipelines obtain the credentials directly from the secrets manager. With Secrets Management, the configured secrets are never stored by the SnapLogic control plane or by Snaplex nodes.
- AWS Secrets Manager
- Azure Key Vault
- CyberArk Conjur (Enterprise or Open Source)
- HashiCorp Vault (Cloud, Enterprise, or Open Source)
Limitations
- Secrets Management is available only for Groundplexes.
- Secrets Management works only for account credentials, not for SnapLogic authentication or node server keys.
- Only dynamic account types support Secrets Management.
Workflow
- To obtain a subscription for Secrets Management, you must contact your SnapLogic CSM.
- An administrator of the secrets manager configures the storage for endpoint credentials, creates authentication roles and access permissions, and generates secrets.
- The administrator of Snaplex nodes configures them with the token and the information required to communicate with the secrets manager.
- In SnapLogic, a Pipeline designer or Org admin configures the dynamic accounts to authenticate with the secrets manager.
Secrets Cache in Secrets Management
Secrets Management is only compatible with dynamic accounts. As a result, Secret expressions may display different behaviors across accounts, potentially leading to a change in the number of requests made to supported providers.
Benefits
In order to minimize latency resulting from fluctuating requests to all the Supported Secrets Management providers, the Secrets Cache strategy has been implemented. To enhance security, a cache has been added to store secrets at the expression level for all Secrets Management providers. This cache is generic in nature. To activate the Secrets Cache function in the JCC node, the administrator must enable it..
Workflow
- The expression looks for the Secrets Cache alias and path which is the key in the cache during execution.
- If the details are retrieved in the Secrets Cache, it sends the appropriate details back for execution.
- If the details are not retrieved a new Secrets Cache entry is loaded for the expression.
- A periodic expiration check is performed at the same time during execution to remove the previous Secrets Cache entries and reduce its exposure.
Limitations and Assumptions
The following assumptions apply:
- The Key Vaults are not updated often, which can result in more network requests being made.