BETA

Synqly Bridge is currently under development and may undergo breaking changes before declared generally available.

Bridge agent local credential storage

The bridge agent can use credentials stored locally on the bridge agent host, which gives customers control over their own service credentials. Synqly integration provider configurations now support local credential declarations: a BridgeLocalCredential can hold a literal value, an environment variable key, or a Vault path.

The Synqly Bridge Agent can be configured to authenticate to the HashiCorp Vault service with either "Token" or "AppRole" credentials. The recommended setup is "AppRole", which uses Vault ACL policies to control what the agent may access in secret storage.

BridgeLocalCredential environment keys reference environment variables of the Bridge Agent container, so the agent resolves them from its own process environment.

Customers configure their integration provider credentials as Bridge credentials (BridgeBasic, BridgeSecret, BridgeOAuthClient, BridgeToken). Each individual secret or token inside them is referenced by a BridgeLocalCredential, which points at one of three sources. BridgeLocalCredential.Vault.Path contains the Vault path to use, made up of the KV mount point, the secret path and the item key (e.g. "/secret/data/synqly-app-secret/elasticsearch/client_id"). BridgeLocalCredential.Environment.Key contains the name of the environment variable to look up in the agent's process environment. BridgeLocalCredential.Literal.Value contains the literal value itself rather than a reference to one.
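To make the three reference kinds concrete, here is an added example (not Synqly's code, and not the SDK types) of how an agent-side resolver could turn a local credential reference into secret material. The types VaultRef, EnvRef, LiteralRef, LocalCredential, the KVReader function type and the in-memory SampleKV store are all assumptions made for this illustration; SampleKV mirrors what the "vault kv put" commands later on this page would store. The example also rejects a reference with zero or more than one source set, a case the text does not spell out but which a resolver has to decide.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical, simplified mirror of the BridgeLocalCredential shape; these
// are NOT the Synqly SDK types.
type VaultRef struct{ Path string }    // "/<mount>/data/<secret path>/<item>"
type EnvRef struct{ Key string }       // name of a process environment variable
type LiteralRef struct{ Value string } // the value itself, not a reference

type LocalCredential struct {
	Vault       *VaultRef
	Environment *EnvRef
	Literal     *LiteralRef
}

// KVReader reads one KV v2 secret from a mount and returns its key/value map.
// A real agent would back this with a Vault client authenticated via AppRole.
type KVReader func(mount, secretPath string) (map[string]string, error)

// ParseVaultPath splits "/<mount>/data/<secret path>/<item>" into its parts.
// "data" is the KV v2 API prefix: required in the path, but not part of the
// logical secret path handed to the reader.
func ParseVaultPath(p string) (mount, secretPath, item string, err error) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) < 4 || parts[1] != "data" {
		return "", "", "", fmt.Errorf("vault path %q must have the form /<mount>/data/<path>/<item>", p)
	}
	return parts[0], strings.Join(parts[2:len(parts)-1], "/"), parts[len(parts)-1], nil
}

// Resolve returns the material a LocalCredential refers to. Exactly one source
// may be set; an empty or ambiguous reference is an error rather than a guess.
func Resolve(c LocalCredential, kv KVReader, getenv func(string) (string, bool)) (string, error) {
	set := 0
	for _, present := range []bool{c.Vault != nil, c.Environment != nil, c.Literal != nil} {
		if present {
			set++
		}
	}
	if set != 1 {
		return "", errors.New("exactly one of Vault, Environment or Literal must be set")
	}
	switch {
	case c.Literal != nil:
		return c.Literal.Value, nil
	case c.Environment != nil:
		v, ok := getenv(c.Environment.Key)
		if !ok {
			return "", fmt.Errorf("environment variable %q is not set", c.Environment.Key)
		}
		return v, nil
	default:
		mount, secretPath, item, err := ParseVaultPath(c.Vault.Path)
		if err != nil {
			return "", err
		}
		data, err := kv(mount, secretPath)
		if err != nil {
			return "", err
		}
		v, ok := data[item]
		if !ok {
			return "", fmt.Errorf("item %q not found under %s/data/%s", item, mount, secretPath)
		}
		return v, nil
	}
}

// SampleKV is a constructed in-memory stand-in for the KV v2 mount "secret".
func SampleKV() KVReader {
	store := map[string]map[string]string{
		"secret/synqly-app-secret/splunk":        {"hec": "123456"},
		"secret/synqly-app-secret/elasticsearch": {"client_id": "id", "client_secret": "secret", "auth_url": "url"},
	}
	return func(mount, secretPath string) (map[string]string, error) {
		data, ok := store[mount+"/"+secretPath]
		if !ok {
			return nil, fmt.Errorf("no secret at %s/data/%s", mount, secretPath)
		}
		return data, nil
	}
}

func main() {
	// Constructed environment, standing in for the agent container's variables.
	env := func(k string) (string, bool) {
		if k == "ES_OAUTH_CLIENT_ID" {
			return "id-from-env", true
		}
		return "", false
	}
	creds := map[string]LocalCredential{
		"client_id":     {Environment: &EnvRef{Key: "ES_OAUTH_CLIENT_ID"}},
		"client_secret": {Vault: &VaultRef{Path: "/secret/data/synqly-app-secret/elasticsearch/client_secret"}},
		"token_url":     {Literal: &LiteralRef{Value: "https://auth.example.invalid/oauth/token"}},
		"missing":       {Vault: &VaultRef{Path: "/secret/data/synqly-app-secret/elasticsearch/nope"}},
	}
	for name, c := range creds {
		v, err := Resolve(c, SampleKV(), env)
		fmt.Printf("%-14s value=%q err=%v\n", name, v, err)
	}
}
```

The point of the path parser is that one BridgeLocalCredential names a single item inside a grouped secret: the reader fetches the whole key/value map at the secret path, and the last path segment selects the item, so grouping several items under one path (as the elasticsearch secret below does) costs one Vault read per item but keeps the policy surface to one path prefix.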

Sample integration creation:

// Assumes mgmt, engine, fixture, ctx, accountId, baseUrl, authUrl,
// elasticsearchOAuthClientId, sharedSecret, runAs and bridgeId are defined
// by the surrounding program.
request := &mgmt.CreateIntegrationRequest{
  Name:           engine.String("my-integration"),
  ProviderConfig: &mgmt.ProviderConfig{},
}

request.ProviderConfig.SiemElasticsearch = &mgmt.SiemElasticsearch{
  Url:   baseUrl,
  Index: "synqly-data",
  Credential: &mgmt.ElasticsearchCredential{
    Bridge: &mgmt.ElasticsearchBridgeCredentials{
      BridgeOAuthClient: &mgmt.BridgeOAuthClientCredential{
        // Client ID is read from the Bridge Agent container's environment.
        ClientId: &mgmt.BridgeLocalCredential{
          Environment: &mgmt.BridgeEnvironment{Key: elasticsearchOAuthClientId},
        },
        // Client secret is read from Vault: mount "secret", KV v2 "data" prefix,
        // secret path "synqly-app-secret/elasticsearch", item "client_secret".
        ClientSecret: &mgmt.BridgeLocalCredential{
          Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/client_secret"},
        },
        // The token URL is not secret, so it is passed as a literal value.
        TokenUrl: &mgmt.BridgeLocalCredential{
          Literal: &mgmt.BridgeLiteral{Value: authUrl},
        },
        Extra: &mgmt.BridgeLocalCredential{
          Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/extra"},
        },
      },
    },
  },
}

// Optional auth options: a shared secret (also resolved from Vault) and a run-as user.
if sharedSecret != "" || runAs != "" {
  request.ProviderConfig.SiemElasticsearch.AuthOptions = &mgmt.ElasticsearchAuthOptions{}
  if sharedSecret != "" {
    request.ProviderConfig.SiemElasticsearch.AuthOptions.SharedSecret = &mgmt.ElasticsearchSharedSecret{
      Bridge: &mgmt.ElasticsearchBridgeSharedSecret{
        BridgeSecret: &mgmt.BridgeSecretCredential{
          Secret: &mgmt.BridgeLocalCredential{
            Vault: &mgmt.VaultCredential{Path: "/secret/data/synqly-app-secret/elasticsearch/secret"},
          },
        },
      },
    }
  }
  if runAs != "" {
    request.ProviderConfig.SiemElasticsearch.AuthOptions.RunAs = &runAs
  }
}

// Pin the integration to a specific bridge by ID, or let Synqly pick one by label.
if bridgeId != "" {
  request.BridgeSelector = &mgmt.BridgeSelector{Id: bridgeId}
} else {
  request.BridgeSelector = &mgmt.BridgeSelector{Labels: []string{"elasticsearch"}}
}

integration, err := fixture.MgmtClient.Integrations.Create(ctx, accountId, request)
if err != nil {
  return err
}

Vault service setup

The following provides a sample synqly-app AppRole and ACL policy. Secrets can be stored individually or grouped together under one path (the elasticsearch secret below groups several items). The bridge agent only ever reads secrets, so if an operator writes them with a separate token the role's policy can be narrowed to the "read" capability alone.

Enable approle

vault auth enable approle

Create synqly-app ACL policy

cat > synqly-policy.hcl <<'EOF'
path "secret/data/synqly-app-secret/*" {
  capabilities = ["create", "read", "update"]
}
EOF
vault policy write synqly-app synqly-policy.hcl

Create synqly-app AppRole

vault write auth/approle/role/synqly-app token_policies="synqly-app" token_ttl=1h token_max_ttl=4h

Get AppRole role-id

vault read auth/approle/role/synqly-app/role-id

Get AppRole secret-id

vault write -force auth/approle/role/synqly-app/secret-id

Create splunk secret

vault kv put -mount="secret" "synqly-app-secret/splunk" "hec=123456"

Create elasticsearch secret

vault kv put -mount="secret" "synqly-app-secret/elasticsearch" "client_id=id" "client_secret=secret" "auth_url=url" 'secret=secret' 'extra={"scopes": ["esaccess"]}'

Read secret

vault kv get -mount="secret" "synqly-app-secret/splunk"