
Support secure retrieval of arbitrary secrets #541

Closed
glennmatthews opened this issue Jun 8, 2021 · 3 comments
Comments

glennmatthews (Contributor) commented Jun 8, 2021

Environment

  • Python version:
  • Nautobot version: 1.0.2

Proposed Functionality

Nautobot needs a supported set of UI and APIs for working with secrets (Git tokens, device credentials, OAuth2 parameters, SSoT integration credentials, etc.). This would include defining arbitrary secrets and providing their values, storing these secrets securely, and programmatically retrieving specific secrets as required.

Ideally we’d have a recommended deployment solution (possibly Hashicorp Vault or AWS Secrets Manager?) but provide a pattern or generic API capable of extension to integrate with other options, including (read-only) secrets provided as simple environment variables.

Use Cases

As Austin the NAE, I want to write a Job that connects directly to specific devices, for which the login credentials are already securely stored elsewhere, so that I can create network automation within Nautobot.

As Nelly the Network Engineer, I want to be able to store device login credentials securely such that Jobs can make use of them but lower-privileged users such as Ozzie the Operator are not able to retrieve and view these secrets.

As Ozzie the Operator, I want to execute Jobs against arbitrary devices without needing to manually provide (or even know!) the login credentials to those devices, so that I can perform my day-to-day network engineering tasks.

As P.D. the Plugin Developer, I want to define a set of required secrets which an admin user can provide values for, and an API for retrieving these secrets when required, so that I can develop a plugin that integrates Nautobot with an external system (e.g. Git, ServiceNow, AWS, GMail via OAuth2, etc.) that has its own authentication requirements.

As Patti the Platform Admin, I want to ensure that secrets are securely stored in an existing "blessed" secrets management system, so that I don't need to specifically audit Nautobot's secrets storage implementation.

Database Changes

Ideally we should NOT store secrets in Nautobot's own database (this would include replacing the current in-DB storage of Git tokens for Git repos, and probably removing our dependency on django-cryptography altogether) but store them in one of several secure third-party solutions such as Hashicorp Vault or AWS Secrets Manager.

External Dependencies

Probably - some possibilities worth investigating include:

@glennmatthews glennmatthews added the type: feature Introduction of new or enhanced functionality to the application label Jun 8, 2021
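The pluggable-provider pattern this issue asks for, sketched as an added example (it is not Nautobot code and not the issue author's): a `SecretsProvider` base class, a read-only environment-variable backend, a provider registry, and a `Secret` record that stores only a pointer to the backend and refuses callers without a `view_secret_value` permission. All class, registry and permission names here are assumptions.

```python
import os
from abc import ABC, abstractmethod
from dataclasses import dataclass, field

class SecretError(Exception):
    """Raised when a secret cannot be retrieved from its backend."""

class SecretsProvider(ABC):
    """One pluggable backend (Vault, AWS Secrets Manager, env vars, ...)."""
    name: str

    @abstractmethod
    def get_value(self, parameters: dict) -> str:
        """Return the value described by backend-specific parameters."""

class EnvironmentVariableProvider(SecretsProvider):
    """Read-only backend: the value comes from a named environment variable."""
    name = "environment-variable"

    def get_value(self, parameters):
        variable = parameters.get("variable")
        if not variable:
            raise SecretError("parameter 'variable' is required")
        value = os.environ.get(variable)
        if value is None:
            raise SecretError(f"environment variable {variable!r} is not set")
        return value

# Registry of configured backends keyed by provider name (hypothetical).
PROVIDERS = {EnvironmentVariableProvider.name: EnvironmentVariableProvider()}

@dataclass
class Secret:
    """The database stores only this pointer, never the secret value."""
    name: str
    provider: str
    parameters: dict = field(default_factory=dict, repr=False)

    def get_value(self, actor_permissions: set) -> str:
        """Resolve the value; callers lacking 'view_secret_value' are refused."""
        if "view_secret_value" not in actor_permissions:
            raise PermissionError(f"not permitted to read secret {self.name!r}")
        provider = PROVIDERS.get(self.provider)
        if provider is None:
            raise SecretError(f"unknown secrets provider {self.provider!r}")
        return provider.get_value(self.parameters)
```

A Vault or AWS Secrets Manager backend would be another `SecretsProvider` subclass added to `PROVIDERS`; the `Secret` record and its permission check stay unchanged.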
nniehoff (Contributor) commented Jun 8, 2021

It would be cool if this could be easily integrated with Hashicorp Vault as well

itdependsnetworks (Contributor) commented

Does it make sense for this to allow user-provided secrets at run time? I could envision a system where you could store or select "prompt user".

glennmatthews (Contributor, Author) commented

See #868

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 14, 2022