UrbanCode Deploy 7.3 - New Feature Highlight - Vault Integration

By Randall Langehennig posted Tue December 13, 2022 12:45 PM


UrbanCode Deploy 7.3 New Feature: Vault Integration

Author: Randy Langehennig

Date: 12/12/2022

Overview

Security is top of mind for many of our IBM clients in this current day and age. Many organizations deal with ‘secret sprawl’, where secrets are stored in many different locations. Here are a few examples:

  • Secrets can be stored in documents on a developer’s computer
  • Secrets can be accidentally committed to a source control repository
  • Secrets can be written on a sticky note left at your desk

The problem is that this ‘secret sprawl’ can lead to security breaches that can be very costly to an organization and can keep your CEO up at night. This is where a secrets management solution like HashiCorp Vault comes into play, which allows you to centrally manage all of your secrets. Many of our IBM clients are moving to solutions like Vault, and we are working to ensure our products integrate with them to ease administration of secrets.

HashiCorp Vault

HashiCorp Vault is a cloud-agnostic secrets management system. It is an API-driven solution that allows you to safely store and manage sensitive data in hybrid environments.

The value of Vault for many clients is moving away from long-lived credentials to more dynamic, short-lived credentials. The value of Vault when used in conjunction with IBM UrbanCode Deploy (now IBM DevOps Deploy) is that you can manage the secrets in Vault, and there is no need to manually update secure environment properties or secure resource properties with updated passwords for your many Applications. This can be a time-consuming task for UrbanCode Deploy (UCD) administrators, and integrating UCD with Vault makes this process much easier to manage.

Vault can be installed on-premises or it can be a cloud-hosted version of the product (SaaS model). For the purpose of my blog post, I did use a cloud offering from HashiCorp that provides a 30-day trial.

What is a Secret?

You may wonder what a secret is.  Here are some common types of secrets:

  • Username and passwords
  • Certificates
  • SSH keys
  • API keys
  • Encryption keys

Managing secrets can be cumbersome as they can be stored in different locations across an organization. HashiCorp Vault helps to address this by allowing you to store, access, and distribute secrets in a centrally managed solution.

High Level Overview of Vault’s Secrets Engine

A very high-level understanding of how the Vault secrets engine works is a prerequisite for understanding how IBM UrbanCode Deploy integrates with Vault. The following diagram helps to illustrate this:

Step 1: The client (a human, or a program like IBM UrbanCode Deploy) makes a request to Vault for a secret. It makes this request using a specific path to the secret. To make this request, the client presents a token to Vault.

Step 2: The token presented to Vault is associated with a policy. The policy is the authorization mechanism into Vault. The policy is checked to make sure the owner of this token is allowed to access the secret at the specific path provided. Policies cover read, write, and create permissions; in our case, we just need read access to retrieve the secret.

Steps 3 and 4: If the token has access to the secret, Vault retrieves the secret (step 3) and then returns the secret value to the client (step 4). In our case, the client is the IBM UrbanCode Deploy server. Vault stores the secret as a key/value pair, and this system is referred to as the ‘KV engine’. In this diagram, the key is ‘password’ and the value is ‘s3cr3t’ as shown above.

How to Setup IBM UrbanCode Deploy to use Vault

In order to leverage Vault for secrets management, please follow these steps:

  1. Log in to your IBM UrbanCode Deploy (UCD) web console.
  2. Click on the ‘Secret Stores’ tab at the top of the page.
  3. Click the ‘Create Vault Secret Store’ button as shown below.
  4. Provide a Name, the URL to your Vault instance, and the Namespace.
  5. Click Save.
  6. Click on your new secret store (e.g. ‘randy’ in my example).
  7. Click the ‘Create Vault AppRole’ button.
  8. Provide a name, your AppRole ID, and Secret ID as shown below.
  9. Click Save.

You are now ready to test this integration.

Accessing a Vault Secret from an IBM UrbanCode Deploy Component Process

Once your Vault secret store is added, you can use it to access secrets in Vault from IBM UrbanCode Deploy. To do this, you define a property (for example, at the environment scope) whose value refers to the secret in Vault.

A secret store property in IBM UrbanCode Deploy has a prefix that starts with this syntax:

            ${p:secret:vault:<more to come here>}

To build on the property prefix shown above, you then append the following:

            ${p:secret:vault:<ucd-secret-store-name>:<ucd-app-role-name>:<more to come here>}

The secret store name is the name you provided in the UCD web console. For me this is ‘randy’. The app role name is the name you provided in the UCD web console for the AppRole you created under that secret store. In my case, this is ‘default’.

Finally, to build on what is above, you provide the specific path to the secret you are requesting and the secret key name:

            ${p:secret:vault:randy:default:secret/sample-secret:first-secret}

The path ‘secret/sample-secret’ is provided, followed by the secret name (or key), which in my case is ‘first-secret’.
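To make the two pieces above concrete, here is an added example (my own illustration, not code from the UCD product or from HashiCorp) that models the four-step flow from the secrets engine section and the property syntax from this section. It parses a `${p:secret:vault:<store>:<approle>:<path>:<key>}` reference, maps the store/AppRole pair to a token (the AppRole RoleID/SecretID login that produces that token is assumed to have already happened), checks the token's policy for the `read` capability on the requested path, and reads the key from a toy KV store. All store names, tokens, paths and secret values are constructed; the glob matching with `fnmatch` is an approximation of how Vault policy paths are matched, and the `redact` helper is an assumption about how a deploy tool keeps a returned secret out of its logs, not a description of UCD's internal mechanism.

```python
"""Toy model of the UCD-to-Vault lookup: property reference -> AppRole token ->
policy check -> KV read -> redacted log line.  Everything here is constructed."""
import fnmatch
import re

# Constructed KV data keyed by path (Vault 'KV engine' style: path -> {key: value}).
KV_STORE = {
    "secret/sample-secret": {"first-secret": "s3cr3t", "second-secret": "hunter2"},
    "secret/db/prod": {"password": "pr0d-pa55"},
}

# Constructed policies: policy name -> {path pattern: capabilities}.
# Assumption: '*' globbing via fnmatch stands in for Vault's own path matching.
POLICIES = {
    "ucd-read-sample": {"secret/sample-secret": {"read"}},
    "db-admin": {"secret/db/*": {"create", "read", "update"}},
}

# Constructed token -> list of policy names attached to that token.
TOKENS = {
    "tok-ucd-approle-default": ["ucd-read-sample"],
    "tok-dba": ["db-admin"],
}

# UCD-side mapping (constructed): (secret store name, AppRole name) -> token that
# the server obtained by logging in with that AppRole's RoleID and SecretID.
APPROLE_TOKENS = {("randy", "default"): "tok-ucd-approle-default"}

# ${p:secret:vault:<store>:<approle>:<path>:<key>}  (path may contain '/', not ':')
PROP_RE = re.compile(r"^\$\{p:secret:vault:([^:]+):([^:]+):([^:]+):([^:]+)\}$")


class VaultError(Exception):
    """Raised for the failures Vault would report (bad token, denied, missing)."""


def parse_property(ref):
    """Split a UCD vault property reference into its four components."""
    match = PROP_RE.match(ref)
    if not match:
        raise ValueError(f"not a vault secret reference: {ref!r}")
    store, approle, path, key = match.groups()
    return {"store": store, "approle": approle, "path": path, "key": key}


def policy_allows(policy_names, path, capability):
    """Step 2: does any policy on the token grant `capability` on `path`?"""
    for name in policy_names:
        for pattern, caps in POLICIES.get(name, {}).items():
            if fnmatch.fnmatchcase(path, pattern) and capability in caps:
                return True
    return False


def read_secret(token, path, key):
    """Steps 1-4: present token, authorize via policy, fetch value from KV."""
    policies = TOKENS.get(token)
    if policies is None:
        raise VaultError("permission denied: unknown token")
    if not policy_allows(policies, path, "read"):
        raise VaultError(f"permission denied: no read capability on {path}")
    data = KV_STORE.get(path)
    if data is None or key not in data:
        raise VaultError(f"no value for key {key!r} at {path}")
    return data[key]


def resolve_property(ref):
    """What the deploy server does with a property: parse, pick the AppRole
    token for that store, then perform the Vault read."""
    parts = parse_property(ref)
    token = APPROLE_TOKENS.get((parts["store"], parts["approle"]))
    if token is None:
        raise VaultError(f"no AppRole {parts['approle']!r} in store {parts['store']!r}")
    return read_secret(token, parts["path"], parts["key"])


def redact(text, secrets):
    """Mask any resolved secret value before the text reaches a process log."""
    for value in secrets:
        text = text.replace(value, "****")
    return text


if __name__ == "__main__":
    ref = "${p:secret:vault:randy:default:secret/sample-secret:first-secret}"
    value = resolve_property(ref)
    # A step that echoes the property prints a masked value, never the secret.
    print(redact(f"echo {value}", [value]))
```

Running the module resolves the same reference used in this post and prints `echo ****`; asking the same AppRole token for `secret/db/prod:password` raises a permission-denied error, because the token's policy only grants `read` on `secret/sample-secret`, which is exactly the least-privilege boundary you want a deploy server's AppRole to sit behind.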

Here is an environment property for a UCD Application in the QA environment called ‘vault-secret-example’:

I set up a component process to echo this environment property value. Here is my shell step, which will echo the Vault secret after it is returned to IBM UrbanCode Deploy:

The secret that returns from Vault is obscured and not visible in the output log. When I run this component process, the output looks like this:

In this case, the secret value is not visible in the logs as you would expect. 

Summary

Configuring IBM UrbanCode Deploy to integrate with HashiCorp Vault can be achieved easily. It extends the value of the centrally managed secrets solution by allowing you to refer to these secrets in your UCD component processes. This is an exciting new capability built into the product beginning with the 7.3 release.

Finally, this is just the beginning as our product management team is planning to build on this initial implementation and provide built-in support for other secrets management offerings in the near future.   Thank you very much for reading this blog post and please look for additional blog posts that highlight exciting new IBM UrbanCode Deploy features and capabilities.
