Getting Started Managing Secrets
To get started using AuthJanitor, follow the steps below to create your first Managed Secret. This assumes you have used the Deploying AuthJanitor Automation to Azure guide or have deployed the software in a similar way yourself.
In the AuthJanitor Administration Tool, click System from the top menu, and select Providers.
The Provider list contains all modules that AuthJanitor can use to communicate with different services. Icons at the right side of the table indicate what features each Provider supports; this can help in planning rekeying operations.
In the AuthJanitor Administration Tool, click Manage from the top menu, and select Resources.
From the Resource List page, click Manage New Resource in the upper right. A dialog will appear with the settings for the new Resource. Enter the name and description of this Resource (to help identify it later), and select the Provider to be used. These are grouped into Application Lifecycle Providers (things that consume secrets) and Rekeyable Object Providers (things that generate secrets).
Once you have selected your Provider, the dialog will update with the Provider Configuration options. Some options have additional help and/or context if you hover over the question mark icon on the left side of the configuration option name. After filling out all the necessary options, click "Create".
In the AuthJanitor Administration Tool, click Manage from the top menu, and select Secrets.
From the Managed Secret List page, click "Manage New Secret". At the top of the dialog is a list of Resources with their names and descriptions. Select every Resource that participates in this Managed Secret, then enter a name and description. Enter a valid period in minutes; this is the interval between secret rotations, and the dialog will compute and display the equivalent in hours, days, months, etc. for convenience.
The last option in the dialog is the "Approval Type(s)". There are five options available; their advantages and disadvantages are discussed at length in Authentication & Authorization Concepts. Any number of these can be selected, and when more than one is selected the more secure option is given precedence over the less secure one. For example, if a Managed Secret can be rotated both by Administrator Sign-Off and by Agent Identity, an Administrator is notified of the upcoming expiry before the Agent Identity would process it automatically. This allows the Administrator to step in and execute the secret rotation with full traceability. If the Administrator neither performs the rotation nor explicitly denies the task, the Agent Identity will execute the rotation when appropriate.
When a Managed Secret nears its expiry time, a Rekeying Task is automatically created for that Managed Secret. If the Secret supports Administrator approval, a notification is dispatched to the Administrators. When an Administrator logs in to approve the Rekeying Task, they can (and should!) follow the link to the Managed Secret details and review the action description and the risks listed for each Resource involved in the Managed Secret. This information tells the Administrator exactly what action(s) will be taken if they approve the task, which matters because approval triggers a real rotation against the underlying services.
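To make the approval precedence concrete, here is a small Python model of the Rekeying Task lifecycle described above. It is an added illustration written for this page, not AuthJanitor's own code, and it does not describe AuthJanitor's internal implementation. Only the two Approval Types named on this page (Administrator Sign-Off and Agent Identity) are modeled; the 24-hour lead time at which a task is created, the 12-hour window the Administrator is given before the Agent Identity falls through, and the sample secret are all constructed assumptions, not AuthJanitor settings.

```python
"""Model of approval precedence for a Rekeying Task.

Illustrative model written for this documentation page; not AuthJanitor's code.
Assumptions (marked below): only two of the five Approval Types are modeled, the
lead time before expiry at which a task is created, and the grace window an
Administrator gets before an Agent Identity falls through and rotates the secret.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional


class ApprovalType(IntEnum):
    """Ordered least- to most-secure. Assumed ordering; only two of five types modeled."""
    AGENT_IDENTITY = 1
    ADMINISTRATOR_SIGN_OFF = 2


@dataclass
class ManagedSecret:
    name: str
    valid_period: timedelta          # the "valid period in minutes" entered in the dialog
    last_rotated: datetime
    approval_types: frozenset

    def expiry(self) -> datetime:
        return self.last_rotated + self.valid_period


@dataclass
class RekeyingTask:
    secret: ManagedSecret
    created_at: datetime
    admin_decision: Optional[str] = None   # None (no action yet), "approved" or "denied"


def create_task_if_due(secret: ManagedSecret, now: datetime,
                       lead_time: timedelta = timedelta(hours=24)) -> Optional[RekeyingTask]:
    """A Rekeying Task is created once the secret nears expiry (lead_time is an assumed knob)."""
    if now >= secret.expiry() - lead_time:
        return RekeyingTask(secret, created_at=now)
    return None


def notify_administrators(task: RekeyingTask) -> bool:
    """Administrators are notified only if the secret allows Administrator Sign-Off."""
    return ApprovalType.ADMINISTRATOR_SIGN_OFF in task.secret.approval_types


def next_action(task: RekeyingTask, now: datetime,
                admin_window: timedelta = timedelta(hours=12)) -> str:
    """Decide who, if anyone, performs the rotation at time `now`.

    The most secure selected Approval Type wins: when Administrator Sign-Off is
    available the Administrator gets first refusal; an explicit denial halts the
    task; only if the Administrator does neither within `admin_window` (assumed)
    does a selected Agent Identity rotate the secret automatically.
    """
    types = task.secret.approval_types
    if ApprovalType.ADMINISTRATOR_SIGN_OFF in types:
        if task.admin_decision == "denied":
            return "halted"
        if task.admin_decision == "approved":
            return "rotate_by_administrator"
        if ApprovalType.AGENT_IDENTITY in types and now >= task.created_at + admin_window:
            return "rotate_by_agent"
        return "await_administrator"
    if ApprovalType.AGENT_IDENTITY in types:
        return "rotate_by_agent"
    return "no_approval_path"


def simulate() -> list:
    """Constructed timeline: a 30-day secret with both Approval Types; the admin never acts."""
    t0 = datetime(2024, 1, 1, 0, 0)
    secret = ManagedSecret(
        "example-db-connection-string",              # constructed sample, not a real resource
        timedelta(days=30), t0,
        frozenset({ApprovalType.ADMINISTRATOR_SIGN_OFF, ApprovalType.AGENT_IDENTITY}))
    trace = []
    trace.append(("day28", create_task_if_due(secret, t0 + timedelta(days=28)) is not None))
    near = secret.expiry() - timedelta(hours=1)      # inside the 24h lead time
    task = create_task_if_due(secret, near)
    trace.append(("task_created", task is not None))
    trace.append(("admins_notified", notify_administrators(task)))
    trace.append(("t+1h", next_action(task, near + timedelta(hours=1))))
    trace.append(("t+13h", next_action(task, near + timedelta(hours=13))))
    task.admin_decision = "denied"
    trace.append(("denied", next_action(task, near + timedelta(hours=13))))
    return trace


if __name__ == "__main__":
    for step, outcome in simulate():
        print(f"{step:>16}: {outcome}")
```

The point the model makes is that selecting Agent Identity alongside Administrator Sign-Off does not weaken the Administrator's control: the agent only acts after the Administrator has had the chance to review the action description and risks and has neither approved nor denied, and an explicit denial stops the rotation entirely.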
Congratulations, you have begun managing your application secrets with AuthJanitor!