Secret Stores Reference
This feature is currently in closed-access beta. Functionality and documentation may change.
What are Secret Stores?
Secret Stores provide the option to store resource credentials in a secrets storage tool controlled by you, rather than saving them with strongDM. If your organization already manages and rotates credentials with a tool such as Hashicorp Vault or AWS Secrets Manager, nothing about that workflow will have to change.
To learn how to set up Secret Stores with a specific secrets storage tool, read the configuration guides.
Why Secret Stores?
Secret Stores enable organizations to easily manage and automate the storage and rotation of credentials using third-party secrets storage tools.
Some organizations' security policies forbid the storage of credentials outside of a designated secrets storage tool. You can use strongDM Secret Stores to meet this requirement. When using the Secret Stores feature, your credentials will never be recorded on our servers. Your gateway servers request credentials directly from your secrets storage tool to enable credential-free user authentication.
How do Secret Stores work?
To set up Secret Stores:
- Configure a secrets storage tool for use with strongDM.
- Set up relay servers to be able to authenticate with the secrets storage tool.
- Each time you set up a new resource, give strongDM a path to the credential it needs in the store.
When a client connects to a resource, the relay authenticates to your secrets storage tool and fetches the credentials for that resource. Those credentials never leave the relay and are never stored or recorded by strongDM.
Once you set up a resource with a specific secrets storage tool, you cannot assign a different secrets storage tool to that resource later. However, you can recreate the resource, or create an additional instance of the resource as necessary.
When you add, change, or rotate credentials, strongDM will neither notice nor care. However, if you move or remove a credential within the secrets storage tool itself, you must update its path within strongDM to avoid disrupting service.
All credentials for resources accessed through strongDM are stored in your secrets storage tool. Credentials to access your secrets storage tool are stored on the relays you host. No credentials, either for your secrets storage tool or your resources, are ever transmitted to strongDM.
Allowing credential storage in strongDM
You have the option to exclusively use Secret Stores and globally disallow saving resource credentials with strongDM.
Conversely, you also have the option to allow credentials to be stored with strongDM, and potentially have a mixed system. In this case, some resource credentials would use Secret Stores, while others would be stored with strongDM. You can even have two versions of the same resource, one with stored credentials, the other without.
Authentication with Secret Stores
Your relay needs to be able to authenticate with the secrets storage tool. If the tool is down or inaccessible, any resource whose credentials are kept in that tool will be unavailable. The diagnostics panel for the resource indicates whether credentials are available and details any errors that occur while fetching them.
If a resource goes offline due to the inability of your gateway(s) to locate proper credentials for it, existing connections to that resource that have already been authenticated will persist.
Secret Stores currently support the following secrets storage tools:
AWS Secrets Manager
AWS Secrets Manager is managed and hosted on AWS. strongDM supports two authentication modes with AWS Secrets Manager: either authentication with an AWS Access Key ID and Access Key saved on the relay, or authorizing the relay to access Secrets Manager using AWS IAM.
- AWS Documentation: Use IAM Policies for Secrets Manager
- AWS Tutorial: Create and Retrieve a Secret
- AWS Article: Authentication and Access Control for AWS Secrets Manager
- You will need to store the AWS_ACCESS_KEY for a key that has access to Secrets Manager as environment variables on the relay server.
HashiCorp Vault
HashiCorp Vault is a secrets storage tool that is self-hosted on your own infrastructure. strongDM supports authenticating to HashiCorp Vault with either a TLS certificate or token authentication.
Putting it together
Without Secret Stores:
- A user attempts to access a resource and their request is routed to a gateway.
- The gateway queries strongDM, verifying that the user's connection is authorized.
- strongDM sends back encrypted credentials to the gateway to authenticate with the resource.
- The gateway reaches out to the resource and authenticates.
- A secure tunnel is established from client to resource.
With Secret Stores, this process is similar, with one key difference. The gateway still reaches out to strongDM for authorization, but it is not given any credentials for the resource (strongDM does not have them). Instead, the gateway reaches out to the assigned secrets storage tool to collect the credentials.
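As an added illustration (not strongDM code), the following Python model walks through both connection flows above and shows what the control plane sees in each case, how credential rotation in the store needs no change on the strongDM side, and how a store outage or a moved secret makes new connections fail while already-authenticated sessions persist. The resource names, secret paths and credential values are constructed sample data.

```python
# Added example, not strongDM code: a minimal model of the gateway/relay
# connection flow with and without a Secret Store.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resource:
    name: str
    stored_credential: Optional[str] = None  # saved with strongDM (no Secret Store)
    secret_path: Optional[str] = None        # path inside the customer's store


class SecretStore:
    """Constructed stand-in for Vault or AWS Secrets Manager, keyed by path."""

    def __init__(self, secrets: dict, reachable: bool = True):
        self.secrets = dict(secrets)
        self.reachable = reachable

    def get(self, path: str) -> str:
        if not self.reachable:
            raise ConnectionError("secret store unreachable")
        return self.secrets[path]  # KeyError if the secret was moved or removed


class Relay:
    def __init__(self, store: SecretStore):
        self.store = store
        self.sessions = {}       # (user, resource name) -> credential in use
        self.control_plane = []  # messages exchanged with strongDM

    def connect(self, user: str, res: Resource) -> str:
        # Both flows: strongDM is asked whether the user may connect.
        self.control_plane.append(("authorize", user, res.name))
        if res.secret_path is None:
            # Without Secret Stores: strongDM returns the stored credential.
            self.control_plane.append(("credential", res.name, res.stored_credential))
            cred = res.stored_credential
        else:
            # With Secret Stores: strongDM only authorizes; the relay fetches.
            try:
                cred = self.store.get(res.secret_path)
            except (ConnectionError, KeyError) as err:
                return f"unavailable: {err}"  # existing sessions are untouched
        self.sessions[(user, res.name)] = cred
        return "connected"

    def control_plane_saw(self, value: str) -> bool:
        """True if a credential value ever crossed the strongDM boundary."""
        return any(value in msg for msg in self.control_plane)
```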