Confidant is Lyft’s open source secret management service. Last week I described how it uses AWS KMS for authentication. Here’s how the client fetches credentials from the server.
I go into more detail in last week’s post, but the summary is that the token is generated by the equivalent of:
$ aws kms encrypt --key-id confidant-key --encryption-context to=confidant-server,from=userid,user_type=user --plaintext '{"not_before":timestamp1, "not_after":timestamp2}' --region us-east-1
The username passed in X-Auth-From has the form 2/user-type/userid, where userid must match the from field of the token's encryption context (the server re-supplies that context when it asks KMS to decrypt, so a mismatched userid fails authentication).
The request is a GET to /v1/services/service-name, with the X-Auth-Token and X-Auth-From headers set to the token and the username respectively.
$ curl CONFIDANT_URL/v1/services/service-name -H "X-Auth-From: 2/user/from" -H "X-Auth-Token: CONFIDANT_TOKEN"
The JSON response looks like this:
{
    "credentials": [
        {
            "credential_pairs": {
                "key": "value"
            },
            "data_type": "credential",
            "enabled": true,
            "id": "credential id",
            "name": "credential name",
            "revision": 1
        }
    ],
    "enabled": true,
    "id": "service-name",
    "modified_by": "foo@bar.com",
    "modified_date": "Fri, 20 Jul 2018 19:21:24 GMT",
    "revision": 1
}
That’s all there is to it! This is pretty much what the Python client’s get_service call does.
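The whole exchange above as one small client, written as an added example for this post rather than Confidant's own client code. The key alias, region, header names and JSON shape come from the post; the timestamp layout, the 60-minute lifetime and the base64 token encoding (what the CLI prints) are assumptions, and the sample response is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

CONFIDANT_KEY = "confidant-key"   # KMS key alias used in the post
SERVER_NAME = "confidant-server"  # the "to" half of the encryption context
TS_FORMAT = "%Y%m%dT%H%M%SZ"      # timestamp layout is an assumption, not from the post

def token_plaintext(now, lifetime_minutes=60):
    """Validity window that KMS encrypts into the token."""
    end = now + timedelta(minutes=lifetime_minutes)
    return json.dumps({"not_before": now.strftime(TS_FORMAT), "not_after": end.strftime(TS_FORMAT)})

def encryption_context(user_type, userid):
    """Context KMS binds to the ciphertext; the server must present the same one to decrypt."""
    return {"to": SERVER_NAME, "from": userid, "user_type": user_type}

def make_token(user_type, userid, plaintext, region="us-east-1"):
    """Same call as `aws kms encrypt` in the post; needs AWS credentials, so imported lazily."""
    import base64, boto3
    kms = boto3.client("kms", region_name=region)
    resp = kms.encrypt(KeyId=CONFIDANT_KEY, Plaintext=plaintext.encode(),
                       EncryptionContext=encryption_context(user_type, userid))
    return base64.b64encode(resp["CiphertextBlob"]).decode()  # token as the CLI prints it

def auth_headers(user_type, userid, token):
    """Both headers derive from one userid, so X-Auth-From always matches the 'from' field."""
    return {"X-Auth-From": f"2/{user_type}/{userid}", "X-Auth-Token": token}

def fetch_service(base_url, service, headers):
    import requests  # GET /v1/services/<service>; raises on non-2xx (e.g. 401 for a bad token)
    r = requests.get(f"{base_url}/v1/services/{service}", headers=headers, timeout=10)
    r.raise_for_status()
    return r.json()

def credential_pairs(service_json):
    """Flatten enabled credentials into one dict, refusing disabled or ambiguous data."""
    if not service_json.get("enabled"):
        raise ValueError("service is disabled")
    pairs = {}
    for cred in service_json.get("credentials", []):
        if not cred.get("enabled"):
            continue  # a disabled credential must not silently supply values
        for key, value in cred["credential_pairs"].items():
            if key in pairs:
                raise ValueError(f"credential key {key!r} defined twice")
            pairs[key] = value
    return pairs

EXAMPLE_NOW = datetime(2018, 7, 20, 19, 21, 24, tzinfo=timezone.utc)  # constructed
SAMPLE_RESPONSE = {"enabled": True, "id": "service-name", "revision": 1, "credentials": [  # constructed
    {"credential_pairs": {"key": "value"}, "data_type": "credential", "enabled": True,
     "id": "credential id", "name": "credential name", "revision": 1}]}
```

With real AWS credentials the pieces chain as `fetch_service(url, "service-name", auth_headers("user", uid, make_token("user", uid, token_plaintext(datetime.now(timezone.utc)))))`, and `credential_pairs` turns the response into the flat key/value dict an application actually wants.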