Saturday, May 4, 2024

M10-AUTOMATED SECRET MANAGEMENT

This is the last module in the ALAMOSE workshop.

https://sites.google.com/view/alamose-v1/m10-secret?authuser=0

The corrected test-secret.py code is:

# First import the necessary libraries (the unused http/itertools/venv/random imports are dropped)
import hvac


# This function will create the connection with the vault.
def makeConnection():
    # Address and token are taken from the output of 'vault server -dev'.
    # The dev-server root token below is disposable; outside a dev setup read it
    # from the environment (e.g. VAULT_TOKEN) instead of hard-coding it.
    hvc_client = hvac.Client(url='http://127.0.0.1:8200', token='hvs.68t8nmnxDb1UT65q0f9ZxQhI')
    return hvc_client


# This function will save or store secret data in the vault.
def storeSecret(client, secr1, cnt):
    secret_path = 'SECRET_PATH_' + str(cnt)
    # Store the secret that was passed in under its own path (the original wrote a
    # fixed value to a fixed path and ignored both arguments).
    create_response = client.secrets.kv.v2.create_or_update_secret(path=secret_path, secret=dict(password=secr1))
    return create_response


# This function will get or retrieve the secret data from the vault.
def retrieveSecret(client_, cnt_):
    secret_path = 'SECRET_PATH_' + str(cnt_)
    # Read the latest version from the same path the secret was stored under.
    read_response = client_.secrets.kv.v2.read_secret_version(path=secret_path)
    secret_from_vault = read_response['data']['data']['password']
    print(secret_from_vault)
    return secret_from_vault


# Main function to start the program
if __name__ == '__main__':
    clientObject = makeConnection()
    secretToStore = 'A_VERY_SPECIAL_SECRET'
    counter = 0

    print('The secret we want to store ', secretToStore)
    print('=' * 50)
    storeSecret(clientObject, secretToStore, counter)
    print('=' * 50)

    retrieveSecret(clientObject, counter)
    print('=' * 50)

M10-AUTOMATED SECRET MANAGEMENT

Description

Develop a Python script to automatically manage secrets with Hashicorp Vault.

Courses Where This Module Is Integrated

Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)

Activities 

Pre-lab Content Dissemination

Secrets in software development can have detrimental consequences if obtained by unauthorized actors.  According to the Common Weakness Enumeration (CWE) organization, *Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.* (CWE-798: https://cwe.mitre.org/data/definitions/798.html)

Practitioners have developed a set of tools to manage secrets. One of the most popular tools is [Hashicorp Vault](https://www.vaultproject.io/), which helps practitioners manage secrets programmatically. We will be using the open source version of Hashicorp Vault (HCP Vault) to store and retrieve secrets.


In-class Hands-on Experience

We will follow an existing tutorial (https://learn.hashicorp.com/tutorials/vault/getting-started-install?in=vault/getting-started) provided by HCP Vault. 

The full tutorial is available as a video recording here.

Installation of Hashicorp Vault and Relevant API:

Follow the installation steps in the M0-Installation module's Vault installation section, or follow the steps from the official site.
Verify the HCP Vault installation using this command: 

vault --version

Start the HCP Vault server using the command below. This will let us store secrets programmatically.

vault server -dev

Keep an eye on the output of the 'vault server -dev' command. We will use the 'address' and 'token' values from that output.

Implementation in the Python script:

HVAC is a Python library designed for interacting with HashiCorp Vault, a tool for managing secrets and protecting sensitive data in a distributed infrastructure. The HVAC library provides a convenient and Pythonic way to access and manipulate Vault's features, allowing developers to integrate secure storage and retrieval of secrets seamlessly into their applications. With HVAC, users can authenticate with Vault, manage encryption keys, and perform various operations, such as reading and writing secrets securely. It simplifies incorporating Vault's functionality into Python applications, ensuring robust security practices for secret management in modern software development.

For more information, you can visit the official site of HVAC.

Python script development:

Install the HVAC library with pip: pip install hvac.
You will find the code below:

# First import necessary libraries
from http import client
from itertools import count
from venv import create
import hvac
import random


# This function will create the connection with the vault.
def makeConnection():
    hvc_client = hvac.Client(url='YOUR_IP_ADDRESS', token='<YOUR_TOKEN>' )
    return hvc_client


# This fuction will save or store secreate data to the vault
def storeSecret(cleint, secr1, cnt):
    secret_path = 'SECRET_PATH_' + str(cnt)
    create_response = client.secrets.kv.v2.create_or_update_secret(path='secret-path-1', secret=dict(password='Hashi123'))


# This function will get or retrieve the data for secrtet from the vault.
def retrieveSecret(cleint_, cnt_):
    secret_path = 'SECRET_PATH_' + str(cnt_)
    read_response      = cleint_.secrets.kv.read_secret_version(path='secret-path-1')
    secret_from_vault  = read_response['data']['data']['password']
    print(secret_from_vault)


# Main function to start the program
if __name__ == '__main__':
    clientObject = makeConnection()
    secretToStore = 'A_VERY_SPECIAL_SECRET'
    counter = 0

    print('The secret we want to store ', secretToStore)
    print('='*50)
    storeSecret(client, secretToStore, counter)
    print('=' * 50)

    retrieveSecret(clientObject, counter)
    print('=' * 50)


Post Lab Experience

Store the following secrets in your Hashicorp Vault using the HCP Vault Python API (`hvac`): 

`root_user` 
`test_password` 
`ghp_ahAyHoRwoQ`
`MTIzANO=` 
`t5f28U`
Complete the survey: https://auburn.qualtrics.com/jfe/form/SV_5hYDSu9P9jAMZWm
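As an added example (not the module's or the blog author's code) that serves both the corrected test-secret.py above and the post-lab task: the same store/retrieve flow, but with the Vault address and token read from VAULT_ADDR/VAULT_TOKEN instead of being hard-coded, each of the five post-lab secrets stored under its own SECRET_PATH_<n>, and a constructed in-memory stand-in for `client.secrets.kv.v2` so the round-trip and versioning logic can be exercised without a running server. The names `make_connection`, `FakeKvV2`, `store_and_verify` and the `password` key inside each secret are my assumptions.

```python
import os

def make_connection():
    """Real hvac KV v2 handle; address and token come from the environment, not the source."""
    import hvac  # imported lazily so the stand-in below runs without hvac installed
    client = hvac.Client(url=os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                         token=os.environ.get("VAULT_TOKEN"))
    if not client.is_authenticated():
        raise RuntimeError("set VAULT_TOKEN to the root token printed by 'vault server -dev'")
    return client.secrets.kv.v2

class FakeKvV2:
    """Constructed in-memory stand-in for client.secrets.kv.v2 (not hvac code); it returns
    the same response shape hvac does: {'data': {'data': {...}, 'metadata': {...}}}."""
    def __init__(self):
        self._store = {}

    def create_or_update_secret(self, path, secret, mount_point="secret"):
        versions = self._store.setdefault(path, [])
        versions.append(dict(secret))  # KV v2 keeps every write as a new version
        return {"data": {"version": len(versions)}}

    def read_secret_version(self, path, version=None, mount_point="secret"):
        versions = self._store.get(path)
        if not versions:
            raise KeyError(path)  # hvac raises hvac.exceptions.InvalidPath here
        idx = len(versions) if version is None else version
        return {"data": {"data": versions[idx - 1], "metadata": {"version": idx}}}

def store_secret(kv, counter, value):
    path = "SECRET_PATH_" + str(counter)  # the module's own path naming scheme
    resp = kv.create_or_update_secret(path=path, secret={"password": value})
    return path, resp["data"]["version"]

def retrieve_secret(kv, counter, version=None):
    resp = kv.read_secret_version(path="SECRET_PATH_" + str(counter), version=version)
    return resp["data"]["data"]["password"]

def store_and_verify(kv, values):
    """Store each value at its own path, read it straight back, and return the paths used."""
    paths = []
    for n, value in enumerate(values):
        path, _ = store_secret(kv, n, value)
        if retrieve_secret(kv, n) != value:
            raise RuntimeError("round trip failed for " + path)
        paths.append(path)
    return paths

# The five post-lab values from the module, stored as SECRET_PATH_0 .. SECRET_PATH_4.
POST_LAB_SECRETS = ["root_user", "test_password", "ghp_ahAyHoRwoQ", "MTIzANO=", "t5f28U"]
```

With a dev server running and VAULT_TOKEN exported, call `store_and_verify(make_connection(), POST_LAB_SECRETS)`; the same functions then talk to the real Vault, and each re-write of a path produces a new KV v2 version that `retrieve_secret(kv, n, version=1)` can still read.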


