Synqly Bridge is currently under development and may undergo breaking changes before declared generally available.
The bridge agent can use credentials stored locally with the bridge agent, giving customers control over their service credentials. The Synqly integration provider configurations now support local credential declarations. These BridgeLocalCredentials can store literal values, environment keys, or Vault paths.
The Synqly Bridge Agent can be configured to authenticate to the HashiCorp Vault service with either "Token" or "AppRole" credentials. The recommended setup is "AppRole", which uses ACLs to control access to the Vault storage.
BridgeLocalCredential environment keys reference environment variables of the Bridge Agent container.
Customers configure their integration provider credentials as Bridge Credentials (BridgeBasic, BridgeSecret, BridgeOAuthClient, BridgeToken). Individual secrets and tokens are referenced by a BridgeLocalCredential. BridgeLocalCredential.Vault.Path contains the Vault path to use, including the mount point, path, and item (e.g. "/secret/data/synqly-app-secret/elasticsearch/client_id"). BridgeLocalCredential.Environment.Key contains the name of the variable to look up in the process environment. BridgeLocalCredential.Literal.Value contains literal (non-key) material.
Sample integration creation:
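// Build an Elasticsearch SIEM integration whose credentials are resolved by
// the Bridge Agent. Each BridgeLocalCredential names exactly one source: a
// process environment variable, a Vault path, or a literal value.
request := &mgmt.CreateIntegrationRequest{
	Name:           engine.String("my-integration"),
	ProviderConfig: &mgmt.ProviderConfig{},
}
request.ProviderConfig.SiemElasticsearch = &mgmt.SiemElasticsearch{
	Url:   baseUrl,
	Index: "synqly-data",
	Credential: &mgmt.ElasticsearchCredential{
		Bridge: &mgmt.ElasticsearchBridgeCredentials{
			BridgeOAuthClient: &mgmt.BridgeOAuthClientCredential{
				// Non-secret identifier: looked up in the agent container's environment.
				ClientId: &mgmt.BridgeLocalCredential{
					Environment: &mgmt.BridgeEnvironment{Key: elasticsearchOAuthClientId},
				},
				// The request carries only the Vault path, never the secret itself.
				ClientSecret: &mgmt.BridgeLocalCredential{
					Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/client_secret"},
				},
				// A literal is sent in the request as-is; this sample uses it only
				// for the non-secret token URL.
				TokenUrl: &mgmt.BridgeLocalCredential{
					Literal: &mgmt.BridgeLiteral{Value: authUrl},
				},
				Extra: &mgmt.BridgeLocalCredential{
					Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/extra"},
				},
			},
		},
	},
}
// AuthOptions is only created when at least one option is requested.
if sharedSecret != "" || runAs != "" {
	request.ProviderConfig.SiemElasticsearch.AuthOptions = &mgmt.ElasticsearchAuthOptions{}
	if sharedSecret != "" {
		// sharedSecret only gates whether the option is set; the value itself
		// is read from Vault by the agent, not taken from this variable.
		request.ProviderConfig.SiemElasticsearch.AuthOptions.SharedSecret = &mgmt.ElasticsearchSharedSecret{
			Bridge: &mgmt.ElasticsearchBridgeSharedSecret{
				BridgeSecret: &mgmt.BridgeSecretCredential{
					Secret: &mgmt.BridgeLocalCredential{
						Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/secret"},
					},
				},
			},
		}
	}
	if runAs != "" {
		request.ProviderConfig.SiemElasticsearch.AuthOptions.RunAs = &runAs
	}
}
// Pin the integration to one agent by id, otherwise let any agent carrying
// the "elasticsearch" label serve it. (These are assignments, so no trailing
// comma: the original sample did not compile here.)
if bridgeId != "" {
	request.BridgeSelector = &mgmt.BridgeSelector{Id: bridgeId}
} else {
	request.BridgeSelector = &mgmt.BridgeSelector{Labels: []string{"elasticsearch"}}
}
integration, err := fixture.MgmtClient.Integrations.Create(ctx, accountId, request)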
The following provides a sample synqly-app AppRole and ACL policy. Secrets can be stored individually or grouped together.
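# Enable the AppRole auth method (once per Vault server).
vault auth enable approle

# Write the policy through a quoted heredoc: under bash, echo '...\n...'
# leaves a literal backslash-n in the file, which is not valid HCL.
# NOTE(review): if the Bridge Agent only reads credentials and nothing else
# uses this role, narrow capabilities to ["read"] (least privilege).
cat > synqly-policy.hcl <<'EOF'
path "secret/data/synqly-app-secret/*" {
  capabilities = ["create", "read", "update"]
}
EOF
vault policy write synqly-app synqly-policy.hcl

# Short token TTLs bound the exposure window of a leaked agent token.
vault write auth/approle/role/synqly-app token_policies="synqly-app" token_ttl=1h token_max_ttl=4h

# role-id and secret-id are the AppRole credentials given to the Bridge Agent;
# handle the secret-id as secret material.
vault read auth/approle/role/synqly-app/role-id
vault write -force auth/approle/role/synqly-app/secret-id

# Secrets can be stored one per path or grouped under a single path.
# Values passed on the command line land in shell history and process
# listings; for real secrets read them from a file (key=@file) or stdin (key=-).
vault kv put -mount="secret" "synqly-app-secret/splunk" "hec=123456"
vault kv put -mount="secret" "synqly-app-secret/elasticsearch" "client_id=id" "client_secret=secret" "auth_url=url" 'secret=secret' 'extra={"scopes": ["esaccess"]}'
vault kv get -mount="secret" "synqly-app-secret/splunk"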