This is the last module in the ALAMOSE workshop:
https://sites.google.com/view/alamose-v1/m10-secret?authuser=0
The corrected test-secret.py code is:
# Import the Vault client library (the unused http/itertools/venv/random imports are dropped)
import hvac

# This function creates the connection with the Vault dev server.
# The token is the dev-mode root token printed by 'vault server -dev'; it is only valid for
# that local, in-memory dev instance and changes on every restart.
def makeConnection():
    hvc_client = hvac.Client(url='http://127.0.0.1:8200', token='hvs.68t8nmnxDb1UT65q0f9ZxQhI')
    return hvc_client

# This function stores the secret in the KV v2 engine under SECRET_PATH_<cnt>.
def storeSecret(client, secr1, cnt):
    secret_path = 'SECRET_PATH_' + str(cnt)
    # Write the secret that was passed in (secr1) at the computed path, instead of the
    # fixed 'secret-path-1' / 'Hashi123' literals left over from the tutorial.
    create_response = client.secrets.kv.v2.create_or_update_secret(path=secret_path, secret=dict(password=secr1))
    return create_response

# This function retrieves the secret stored at SECRET_PATH_<cnt> from the Vault.
def retrieveSecret(client_, cnt_):
    secret_path = 'SECRET_PATH_' + str(cnt_)
    read_response = client_.secrets.kv.v2.read_secret_version(path=secret_path)
    # KV v2 wraps the stored key/value pairs under ['data']['data']
    secret_from_vault = read_response['data']['data']['password']
    print(secret_from_vault)
    return secret_from_vault

# Main function to start the program
if __name__ == '__main__':
    clientObject = makeConnection()
    secretToStore = 'A_VERY_SPECIAL_SECRET'
    counter = 0
    print('The secret we want to store ', secretToStore)
    print('=' * 50)
    storeSecret(clientObject, secretToStore, counter)
    print('=' * 50)
    retrieveSecret(clientObject, counter)
    print('=' * 50)
M10-AUTOMATED SECRET MANAGEMENT
Develop a Python script to automatically manage secrets with Hashicorp Vault.
Courses Where This Module Is Integrated
Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)
Pre-lab Content Dissemination
Secrets in software development can have detrimental consequences if obtained by unauthorized actors. According to the Common Weakness Enumeration (CWE) organization, *Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.* (CWE-798: https://cwe.mitre.org/data/definitions/798.html)
Practitioners have developed a set of tools to manage secrets. One of the most popular tools is [Hashicorp Vault](https://www.vaultproject.io/), which helps practitioners manage secrets programmatically. We will be using the open source version of Hashicorp Vault (HCP Vault) to store and retrieve secrets.
In-class Hands-on Experience
We will follow an existing tutorial (https://learn.hashicorp.com/tutorials/vault/getting-started-install?in=vault/getting-started) provided by HCP Vault.
The full tutorial is available as a video recording here.
Installation of Hashicorp Vault and Relevant API:
Follow the installation steps in the M0-Installation module's Vault installation section, or follow the steps from the official site. Verify the HCP Vault installation using this command: vault --version
Start the HCP Vault server using the command below. This will let us store secrets programmatically: vault server -dev
Keep an eye on the output of the 'vault server -dev' command. We will use the 'address' and 'token' from that output.
Implementation in the Python script:
HVAC is a Python library designed for interacting with HashiCorp Vault, a tool for managing secrets and protecting sensitive data in a distributed infrastructure. The HVAC library provides a convenient and Pythonic way to access and manipulate Vault's features, allowing developers to integrate secure storage and retrieval of secrets seamlessly into their applications. With HVAC, users can authenticate with Vault, manage encryption keys, and perform various operations, such as reading and writing secrets securely. It simplifies incorporating Vault's functionality into Python applications, ensuring robust security practices for secret management in modern software development.
For more information, you can visit the official site of HVAC.
Python script development:
Install the HVAC library using the following pip command: pip install hvac
You will find the code below:
# First import necessary libraries
from http import client
from itertools import count
from venv import create
import hvac
import random
# This function will create the connection with the vault.
def makeConnection():
    hvc_client = hvac.Client(url='YOUR_IP_ADDRESS', token='<YOUR_TOKEN>')
    return hvc_client
# This function will save or store secret data to the vault
def storeSecret(cleint, secr1, cnt):
    secret_path = 'SECRET_PATH_' + str(cnt)
    create_response = client.secrets.kv.v2.create_or_update_secret(path='secret-path-1', secret=dict(password='Hashi123'))
# This function will get or retrieve the secret data from the vault.
def retrieveSecret(cleint_, cnt_):
    secret_path = 'SECRET_PATH_' + str(cnt_)
    read_response = cleint_.secrets.kv.read_secret_version(path='secret-path-1')
    secret_from_vault = read_response['data']['data']['password']
    print(secret_from_vault)
# Main function to start the program
if __name__ == '__main__':
    clientObject = makeConnection()
    secretToStore = 'A_VERY_SPECIAL_SECRET'
    counter = 0
    print('The secret we want to store ', secretToStore)
    print('=' * 50)
    storeSecret(client, secretToStore, counter)
    print('=' * 50)
    retrieveSecret(clientObject, counter)
    print('=' * 50)
Post Lab Experience
Store the following secrets in your Hashicorp Vault using the HCP Vault Python API (`hvac`):
`root_user`
`test_password`
`ghp_ahAyHoRwoQ`
`MTIzANO=`
`t5f28U`
Complete the survey: https://auburn.qualtrics.com/jfe/form/SV_5hYDSu9P9jAMZWm
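As an added example for the script section and the post-lab task (not the lab's test-secret.py and not hvac's own code), the script below writes each post-lab value to its own KV v2 path and checks the read-back, so a hard-coded literal can never be silently stored in place of the intended secret. It assumes the Vault address and token arrive through the VAULT_ADDR and VAULT_TOKEN environment variables (which hvac.Client() reads by default, so no token appears in the code); the path labels, the alamose prefix and the in-memory FakeKvClient are constructed for this example.

```python
"""Store the post-lab secrets in Vault KV v2 at distinct paths and verify the round trip."""
import os

# Constructed sample input: the post-lab values, keyed by constructed labels used in each path.
POST_LAB_SECRETS = {"db_user": "root_user", "db_password": "test_password",
                    "github_token": "ghp_ahAyHoRwoQ", "blob": "MTIzANO=", "api_key": "t5f28U"}

def make_client():
    """Build a real client; hvac.Client() reads VAULT_ADDR and VAULT_TOKEN from the environment."""
    import hvac  # assumed installed with `pip install hvac`
    if not os.environ.get("VAULT_TOKEN"):
        raise RuntimeError("VAULT_TOKEN unset; refusing to fall back to a hard-coded token")
    return hvac.Client()

def store_secrets(client, secrets, prefix="alamose"):
    """Write each value under <prefix>/<name>; return {name: KV version written}."""
    versions = {}
    for name, value in secrets.items():
        resp = client.secrets.kv.v2.create_or_update_secret(
            path=f"{prefix}/{name}", secret={"value": value})
        versions[name] = resp["data"]["version"]  # KV v2 bumps the version on every write
    return versions

def verify_secrets(client, secrets, prefix="alamose"):
    """Read each path back; return the names whose current value differs from `secrets`."""
    mismatches = []
    for name, value in secrets.items():
        resp = client.secrets.kv.v2.read_secret_version(path=f"{prefix}/{name}")
        if resp["data"]["data"].get("value") != value:
            mismatches.append(name)
    return mismatches

class FakeKvClient:
    """Constructed in-memory stand-in mirroring the hvac KV v2 response shape (offline use)."""
    def __init__(self):
        self._store = {}                          # path -> list of stored versions
        self.secrets = self.kv = self.v2 = self   # lets client.secrets.kv.v2.<call> resolve here
    def create_or_update_secret(self, path, secret):
        self._store.setdefault(path, []).append(dict(secret))
        return {"data": {"version": len(self._store[path])}}
    def read_secret_version(self, path):
        history = self._store[path]
        return {"data": {"data": history[-1], "metadata": {"version": len(history)}}}

if __name__ == "__main__":
    client = make_client() if os.environ.get("VAULT_TOKEN") else FakeKvClient()
    print("versions written:", store_secrets(client, POST_LAB_SECRETS))
    print("mismatches on read-back:", verify_secrets(client, POST_LAB_SECRETS))
```

Against a running dev server, export VAULT_ADDR and VAULT_TOKEN from the 'vault server -dev' output and the same functions run unchanged; rewriting a path bumps its KV version, which is how a later verify call detects that a value was rotated.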