Synqly Bridge is currently under development and may undergo breaking changes before declared generally available.
Bridge agent local credential storage
The bridge agent can use credentials stored locally to the bridge agent, giving customers control over their service credentials. Synqly integration provider configurations now support local credential declarations: a BridgeLocalCredential can hold a literal value, an environment variable key, or a Vault path.
The Synqly Bridge Agent can be configured to authenticate to the HashiCorp Vault service with either "Token" or "AppRole" credentials. The recommended setup is "AppRole", which uses Vault ACL policies to control what the agent may access in Vault storage.
BridgeLocalCredential environment keys reference environment variables of the Bridge Agent container.
Customers configure their integration provider credentials as Bridge Credentials (BridgeBasic, BridgeSecret, BridgeOAuthClient, BridgeToken). Each individual secret or token is referenced by a BridgeLocalCredential. BridgeLocalCredential.Vault.Path contains the Vault path to use, made up of the mount point, the secret path and the item (e.g. "/secret/data/synqly-app-secret/elasticsearch/client_id"). BridgeLocalCredential.Environment.Key contains the name of the environment variable to look up in the process environment. BridgeLocalCredential.Literal.Value contains literal (non-key) material.
Sample integration creation:
// Assumed to be defined earlier in the sample: ctx, fixture, accountId, baseUrl,
// authUrl, elasticsearchOAuthClientId, sharedSecret, runAs and bridgeId.
request := &mgmt.CreateIntegrationRequest{
	Name:           engine.String("my-integration"),
	ProviderConfig: &mgmt.ProviderConfig{},
}
request.ProviderConfig.SiemElasticsearch = &mgmt.SiemElasticsearch{
	Url:   baseUrl,
	Index: "synqly-data",
	Credential: &mgmt.ElasticsearchCredential{
		Bridge: &mgmt.ElasticsearchBridgeCredentials{
			BridgeOAuthClient: &mgmt.BridgeOAuthClientCredential{
				// Looked up in the bridge agent container's environment.
				ClientId: &mgmt.BridgeLocalCredential{
					Environment: &mgmt.BridgeEnvironment{Key: elasticsearchOAuthClientId},
				},
				// Read from Vault: mount "secret", path "synqly-app-secret/elasticsearch", item "client_secret".
				ClientSecret: &mgmt.BridgeLocalCredential{
					Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/client_secret"},
				},
				// Non-secret material can be given as a literal.
				TokenUrl: &mgmt.BridgeLocalCredential{
					Literal: &mgmt.BridgeLiteral{Value: authUrl},
				},
				Extra: &mgmt.BridgeLocalCredential{
					Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/extra"},
				},
			},
		},
	},
}
if sharedSecret != "" || runAs != "" {
	request.ProviderConfig.SiemElasticsearch.AuthOptions = &mgmt.ElasticsearchAuthOptions{}
	if sharedSecret != "" {
		request.ProviderConfig.SiemElasticsearch.AuthOptions.SharedSecret = &mgmt.ElasticsearchSharedSecret{
			Bridge: &mgmt.ElasticsearchBridgeSharedSecret{
				BridgeSecret: &mgmt.BridgeSecretCredential{
					Secret: &mgmt.BridgeLocalCredential{
						Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/secret"},
					},
				},
			},
		}
	}
	if runAs != "" {
		request.ProviderConfig.SiemElasticsearch.AuthOptions.RunAs = &runAs
	}
}
// Select a specific bridge by id, or any bridge carrying the "elasticsearch" label.
if bridgeId != "" {
	request.BridgeSelector = &mgmt.BridgeSelector{Id: bridgeId}
} else {
	request.BridgeSelector = &mgmt.BridgeSelector{Labels: []string{"elasticsearch"}}
}
integration, err := fixture.MgmtClient.Integrations.Create(ctx, accountId, request)
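The sample above only declares where each credential lives; the bridge agent resolves them at runtime. The following Go program is an added example written for this page, not Synqly's agent code, showing how such a resolver handles the three BridgeLocalCredential sources. The LocalCredential and VaultRef types, the ParseVaultPath function, the KVReader interface and the in-memory FakeKVReader are all assumptions made for the example; the Vault path format "/<mount>/data/<path>/<item>" follows the page's description and the KV v2 convention that "data" is the API prefix.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// LocalCredential mirrors the three BridgeLocalCredential variants the page describes.
// It is an illustrative type for this example, not the Synqly SDK's mgmt type.
type LocalCredential struct {
	Literal     *string // value stored inline, for non-secret material
	Environment *string // variable name in the bridge agent's process environment
	Vault       *string // "/<mount>/data/<path>/<item>" of a KV v2 secret
}

// VaultRef is the parsed form of "/secret/data/synqly-app-secret/elasticsearch/client_id".
type VaultRef struct {
	Mount string // "secret"
	Path  string // "synqly-app-secret/elasticsearch"
	Item  string // "client_id"
}

// ParseVaultPath splits a Vault path into mount point, secret path and item.
// The "data" segment is the KV v2 API prefix and is required here (assumption).
func ParseVaultPath(p string) (VaultRef, error) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) < 4 || parts[1] != "data" {
		return VaultRef{}, fmt.Errorf("vault path %q must look like /<mount>/data/<path>/<item>", p)
	}
	return VaultRef{Mount: parts[0], Path: strings.Join(parts[2:len(parts)-1], "/"), Item: parts[len(parts)-1]}, nil
}

// KVReader reads one KV v2 secret (mount + path) and returns its key/value map.
// A real agent would back this with the Vault API; the example uses an in-memory map.
type KVReader func(mount, path string) (map[string]string, error)

// Resolve turns a credential declaration into secret material. Every variant fails
// closed: a missing variable, an unparsable path or a missing item is an error.
func Resolve(c LocalCredential, kv KVReader) (string, error) {
	switch {
	case c.Literal != nil:
		return *c.Literal, nil
	case c.Environment != nil:
		v, ok := os.LookupEnv(*c.Environment)
		if !ok {
			return "", fmt.Errorf("environment variable %q is not set", *c.Environment)
		}
		return v, nil
	case c.Vault != nil:
		ref, err := ParseVaultPath(*c.Vault)
		if err != nil {
			return "", err
		}
		secret, err := kv(ref.Mount, ref.Path)
		if err != nil {
			return "", err
		}
		v, ok := secret[ref.Item]
		if !ok {
			return "", fmt.Errorf("item %q not found in %s/%s", ref.Item, ref.Mount, ref.Path)
		}
		return v, nil
	}
	return "", fmt.Errorf("credential declares no Literal, Environment or Vault source")
}

func ptr(s string) *string { return &s }

// fakeKV holds constructed secrets shaped like those the page's "vault kv put"
// commands create, keyed by "<mount>/<path>".
var fakeKV = map[string]map[string]string{
	"secret/synqly-app-secret/elasticsearch": {"client_id": "id", "client_secret": "secret"},
	"secret/synqly-app-secret/splunk":        {"hec": "123456"},
}

// FakeKVReader is the offline stand-in for a Vault KV v2 read.
func FakeKVReader(mount, path string) (map[string]string, error) {
	if s, ok := fakeKV[mount+"/"+path]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("no secret at %s/%s", mount, path)
}

func main() {
	os.Setenv("ELASTIC_CLIENT_ID", "id-from-env") // constructed for the demo
	creds := map[string]LocalCredential{
		"client_id":     {Environment: ptr("ELASTIC_CLIENT_ID")},
		"client_secret": {Vault: ptr("/secret/data/synqly-app-secret/elasticsearch/client_secret")},
		"token_url":     {Literal: ptr("https://auth.example.invalid/token")},
		"bad_path":      {Vault: ptr("/secret/synqly-app-secret/splunk/hec")}, // no "data" segment
	}
	for name, c := range creds {
		v, err := Resolve(c, FakeKVReader)
		// Report only whether it resolved; never log the material itself.
		fmt.Printf("%-13s resolved=%t len=%d err=%v\n", name, err == nil, len(v), err)
	}
}
```

The resolver fails closed on every branch: an unset environment variable, a path without the KV v2 "data" segment or an item missing from the secret all surface as errors rather than an empty credential being sent to the provider.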
Vault service setup
The following provides a sample synqly-app AppRole and ACL policy. Secrets can be stored individually or grouped together.
Enable approle
vault auth enable approle
Create synqly-app ACL policy
cat > synqly-policy.hcl <<'EOF'
path "secret/data/synqly-app-secret/*" {
  capabilities = ["create", "read", "update"]
}
EOF
vault policy write synqly-app synqly-policy.hcl
Create synqly-app AppRole
vault write auth/approle/role/synqly-app token_policies="synqly-app" token_ttl=1h token_max_ttl=4h
Get AppRole role-id
vault read auth/approle/role/synqly-app/role-id
Get AppRole secret-id
vault write -force auth/approle/role/synqly-app/secret-id
Create splunk secret
vault kv put -mount="secret" "synqly-app-secret/splunk" "hec=123456"
Create elasticsearch secret
vault kv put -mount="secret" "synqly-app-secret/elasticsearch" "client_id=id" "client_secret=secret" "auth_url=url" 'secret=secret' 'extra={"scopes": ["esaccess"]}'
Read secret
vault kv get -mount="secret" "synqly-app-secret/splunk"
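To see what the ACL policy from these steps permits and denies, here is an added Go model of a Vault policy check, written for this page and not code from Synqly or HashiCorp. It assumes the KV v2 path mapping (the CLI arguments -mount=secret and synqly-app-secret/splunk address the API path secret/data/synqly-app-secret/splunk, which is why the policy names secret/data/...) and simplifies Vault's real evaluation to trailing-"*" prefix matching with no deny rules, "+" wildcards or templating. The Rule, Policy, KVAPIPath and KVCommandAllowed names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "path" stanza of a Vault ACL policy. A trailing "*" makes the
// pattern a prefix match, as in Vault's policy language. This model is
// written for the example and is deliberately simplified: no deny rules,
// no "+" segment wildcard, no policy templating.
type Rule struct {
	Path         string
	Capabilities []string
}

type Policy []Rule

// SynqlyAppPolicy mirrors the single stanza in synqly-policy.hcl above.
var SynqlyAppPolicy = Policy{
	{Path: "secret/data/synqly-app-secret/*", Capabilities: []string{"create", "read", "update"}},
}

// KVAPIPath maps the arguments of "vault kv ... -mount=<mount> <path>" on a
// KV v2 engine to the API path ACLs are evaluated against: "<mount>/data/<path>".
func KVAPIPath(mount, secretPath string) string {
	return strings.Trim(mount, "/") + "/data/" + strings.Trim(secretPath, "/")
}

func matches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Allowed reports whether any rule matching apiPath grants the capability.
func (p Policy) Allowed(apiPath, capability string) bool {
	for _, r := range p {
		if !matches(r.Path, apiPath) {
			continue
		}
		for _, c := range r.Capabilities {
			if c == capability {
				return true
			}
		}
	}
	return false
}

// KVCommandAllowed maps a "vault kv" verb to the capability it needs on the
// data path: get needs read; put needs create (new secret) or update
// (existing secret), modelled here as both; delete needs delete.
func KVCommandAllowed(p Policy, verb, mount, secretPath string) bool {
	api := KVAPIPath(mount, secretPath)
	switch verb {
	case "get":
		return p.Allowed(api, "read")
	case "put":
		return p.Allowed(api, "create") && p.Allowed(api, "update")
	case "delete":
		return p.Allowed(api, "delete")
	}
	return false
}

func main() {
	checks := []struct{ verb, mount, path string }{
		{"put", "secret", "synqly-app-secret/splunk"},        // the setup step above
		{"get", "secret", "synqly-app-secret/elasticsearch"}, // what the agent does at runtime
		{"delete", "secret", "synqly-app-secret/splunk"},     // not granted: no delete capability
		{"get", "secret", "other-app/api-key"},               // not granted: outside the prefix
	}
	for _, c := range checks {
		fmt.Printf("vault kv %-6s -mount=%s %-32s -> allowed=%t\n",
			c.verb, c.mount, c.path, KVCommandAllowed(SynqlyAppPolicy, c.verb, c.mount, c.path))
	}
}
```

Two points the model makes visible: the synqly-app token can read and write under its own prefix but cannot delete there or read any other application's secrets, and the policy says nothing about secret/metadata/..., so metadata operations on the same secrets are not granted either.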