Arpith Siromoney 💬

Getting a service’s credentials from Confidant

Confidant is Lyft’s open source secret management service. Last week I described how it uses AWS KMS for authentication. Here’s how the client fetches credentials from the server.


I go into more detail in last week’s post, but the summary is that the token is generated by the equivalent of:

$ aws kms encrypt --key-id confidant-key --encryption-context to=confidant-server,from=userid,user_type=user --plaintext '{"not_before":timestamp1, "not_after":timestamp2}' --region us-east-1

The username looks like 2/user-type/userid where userid has to match the from field of the encryption context.


The request is a GET request to /v1/services/service-name, with X-Auth-Token and X-Auth-From headers set to the token and username.

$ curl CONFIDANT_URL/v1/services/service-name -H "X-Auth-From: 2/user/from" -H "X-Auth-Token: CONFIDANT_TOKEN"


The JSON response looks like this:

{
  "credentials": [
    {
      "credential_pairs": {
        "key": "value"
      },
      "data_type": "credential",
      "enabled": true,
      "id": "credential id",
      "name": "credential name",
      "revision": 1
    }
  ],
  "enabled": true,
  "id": "service-name",
  "modified_by": "",
  "modified_date": "Fri, 20 Jul 2018 19:21:24 GMT",
  "revision": 1
}
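The whole exchange above, as an added example in Python (this is not the Confidant client's own code, nor Lyft's). It assembles the parameters a boto3 `kms.encrypt` call would take for the token, builds the `2/user-type/userid` username and the two auth headers, performs the GET against `/v1/services/<name>`, and merges the `credential_pairs` of the enabled credentials in the response. Because KMS is not reachable offline, the token value `CONSTRUCTED-TOKEN`, the sample response body and the stub server are constructed for this example: the stub only checks that both headers are present, that `X-Auth-From` is well formed, and that the userid in it matches the `from` recorded for that token, standing in for the server's real check of the KMS encryption context against the username.

```python
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample, shaped like the service JSON shown in the post.
SAMPLE_SERVICE = {
    "credentials": [
        {"credential_pairs": {"DB_PASSWORD": "example-only"}, "data_type": "credential",
         "enabled": True, "id": "cred-1", "name": "database", "revision": 1},
        {"credential_pairs": {"OLD_KEY": "stale"}, "data_type": "credential",
         "enabled": False, "id": "cred-2", "name": "retired", "revision": 3},
    ],
    "enabled": True, "id": "service-name", "modified_by": "",
    "modified_date": "Fri, 20 Jul 2018 19:21:24 GMT", "revision": 1,
}

USERNAME_RE = re.compile(r"^2/([^/]+)/([^/]+)$")   # 2/user-type/userid


def kms_encrypt_params(key_id, userid, user_type, not_before, not_after):
    """Keyword arguments for boto3's kms.encrypt(), mirroring the CLI call in the
    post. The timestamp format is left to the caller (the post shows placeholders)."""
    return {
        "KeyId": key_id,
        "EncryptionContext": {"to": "confidant-server", "from": userid, "user_type": user_type},
        "Plaintext": json.dumps({"not_before": not_before, "not_after": not_after}).encode(),
    }


def parse_username(username):
    """Split '2/user-type/userid' into (user_type, userid); reject anything else."""
    match = USERNAME_RE.match(username)
    if not match:
        raise ValueError(f"malformed X-Auth-From: {username!r}")
    return match.group(1), match.group(2)


def auth_headers(userid, user_type, token):
    return {"X-Auth-From": f"2/{user_type}/{userid}", "X-Auth-Token": token}


class ConfidantAuthError(Exception):
    def __init__(self, status, body):
        super().__init__(f"Confidant rejected the request: HTTP {status} {body}")
        self.status = status


def get_service(base_url, service_name, userid, user_type, token, timeout=5):
    """GET /v1/services/<service_name> with the auth headers; 401/403 become ConfidantAuthError."""
    req = Request(f"{base_url}/v1/services/{service_name}",
                  headers=auth_headers(userid, user_type, token))
    try:
        with urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code in (401, 403):
            raise ConfidantAuthError(err.code, err.read().decode(errors="replace")) from err
        raise


def enabled_credential_pairs(service):
    """Merge credential_pairs from enabled credentials of an enabled service only."""
    pairs = {}
    if not service.get("enabled", False):
        return pairs
    for cred in service.get("credentials", []):
        if cred.get("enabled"):
            pairs.update(cred.get("credential_pairs", {}))
    return pairs


class _StubConfidantHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Confidant server; it cannot decrypt tokens, so it
    maps a known token to the userid that the real server would find in the
    encryption context's 'from' field and requires X-Auth-From to match it."""
    known_tokens = {"CONSTRUCTED-TOKEN": "userid"}

    def do_GET(self):
        try:
            _user_type, userid = parse_username(self.headers.get("X-Auth-From", ""))
        except ValueError:
            return self._send(401, {"error": "bad X-Auth-From"})
        if self.known_tokens.get(self.headers.get("X-Auth-Token", "")) != userid:
            return self._send(401, {"error": "token does not authenticate this user"})
        if self.path != "/v1/services/service-name":
            return self._send(404, {"error": "no such service"})
        self._send(200, SAMPLE_SERVICE)

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_stub_server():
    """Start the stub on an ephemeral local port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StubConfidantHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = run_stub_server()
    try:
        svc = get_service(url, "service-name", "userid", "user", "CONSTRUCTED-TOKEN")
        print(enabled_credential_pairs(svc))   # only the enabled credential's pairs
    finally:
        server.shutdown()
```

Against a real deployment you would replace the stub URL with `CONFIDANT_URL`, feed `kms_encrypt_params(...)` to boto3 to obtain the ciphertext token, and keep the client-side `enabled` filter: a disabled credential or service should never be treated as live configuration even if it is still present in the response.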

That’s all there is to it! This is pretty much how the Python client’s get_service option works!