Read Fleet `server_private_key` from AWS Secrets Manager

[sharon-fdm]

Goal

User story
As a user self-hosting Fleet and running Docker in AWS,
I want Fleet to read the Fleet server_private_key from AWS Secrets Manager
so that I don't have to add the AWS CLI to my Docker container to read the secret from Secrets Manager.

Roadmap item

None.

Original requests

None.

Request was opened in the form of a PR from @titanous (community member):

• Add support for reading private_key from AWS Secrets Manager #31134

Context

• Product Designer: @noahtalerman
• Engineer: @sharon-fdm

Changes

Product

• Fleet server configuration changes: [Fleet server config] Read Fleet server_private_key from AWS Secrets Manager #32413
• UI changes: No changes
• CLI (fleetctl) usage changes: No changes
• YAML changes: No changes
• REST API changes: No changes
• Fleet's agent (fleetd) changes: No changes
• GitOps Mode UI changes: No changes
• Activity changes: No changes
• Permissions changes: No changes
• Changes to paid features or tiers: No changes
• My device and fleetdm.com/better changes: No changes
• Other reference documentation changes: No changes
• First draft of test plan added
• Once shipped, requester has been notified: Add support for reading private_key from AWS Secrets Manager #31134 (review)
• Once shipped, dogfooding issue has been filed: https://github.com/fleetdm/confidential/issues/12748
• Once shipped, open a :help-customers request to start using this feature for managed cloud Fleet instances.
  • @noahtalerman: Covered by dogfooding issue above.

Engineering

The PR linked above provides code for retrieving the server private_key using the AWS secret manager.
As in other community PRs we need to:

• Review the PR

• Run it locally for sanity tests. (Need to host on AWS)

• Consider security and make sure only AWS can read it and not other elements with API access.

• Test plan is finalized

• Contributor API changes: See PR

• Feature guide changes: Yes. Update this document (or consider a guide if we have one)

• Database schema migrations: None

• Load testing: Not needed

• Load testing/osquery-perf improvements: Not needed <-- List, or link a subtask for, any osquery-perf or load test environment changes required to comprehensively load test this story if load testing is needed. -->

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: Yes
• Risk level: Low
• Risk description: Conduct small loadtest with multiple fleet containers

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

• Standup a Fleet instance in AWS
• Put the Fleet server private key in AWS Secrets Manager and use the new server_private_key_arn, server_private_key_sts_assume_role_arn, and server_private_key_sts_external_id configuration options.
• Verify that the Fleet server is using the key from secrets Manager
• Now set the private key using server_private_key
• Verify that the Fleet server is still using the private key from secrets manager.
• Verify that if only server_private_key_arn is set, Fleet uses the key from secret manager instead of the server_private_key. server_private_key_sts_assume_role_arn and server_private_key_sts_external_id are optional configuration options.
  • UPDATE: @xpkoala: If you do attempt to supply a private key with both the FLEET_SERVER_PRIVATE_KEY and FLEET_SERVER_PRIVATE_KEY_ARN variables an informative error is displayed notifying the user only one can be set at a given time.

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[noahtalerman]

@noahtalerman: Next steps for drafting are in this Google doc.