1. Introduction
IBM Cloud Secrets Manager is a service for storing and managing "secret information" (secrets). Passwords and key material are what give you access to systems, but as more people work together and the number of linked systems grows, problems like these appear:
- If the secret is kept locally, every change has to be propagated to every environment (should it live somewhere remote instead? but then where do the credentials for reaching that remote store live?)
- If anyone can read the local copy, the secret is hard to protect (and if you put a password on the secret, where do you store that password?)
- What if you want to hand out access only temporarily? (ideally with a feature that disables it automatically)
- How do you handle periodic changes such as password rotation?
Secrets Manager is a comprehensive management service for secrets that addresses these problems.
See also the following Secrets Manager overview articles:
- IBM Cloud: Secrets Manager overview
- IBM Cloud: Feature comparison of Secrets Manager and Certificate Manager
2. Secrets that Secrets Manager can manage
Secrets Manager can manage the following five kinds of secrets:
- User credentials: ordinary ID/password pairs
- IAM credentials: a service ID/API key for accessing IBM Cloud via IAM
- TLS certificates: CA certificates, server certificates and client certificates can be managed. They can also be imported from outside; for example, certificate material exported from Certificate Manager (private key, certificate, intermediate certificate) can be imported and then used with ALB for VPC. In an mTLS configuration, client certificates can also be managed here.
- Key-Value: user data stored as arbitrary JSON. Up to 512KB.
- Other (arbitrary) secret types: any value. Up to 1MB.
Secrets Manager is accessible through its API. Sample snippets are provided for the CLI, curl, Java, Node, Python and Go, but each of them needs IAM credentials for accessing Secrets Manager itself up front. With the approach described in "IBM Cloud: how to make secure API/CLI calls from a VSI for VPC using a Trusted Profile", an IAM token can be obtained on the target server without storing any password, and Secrets Manager can be accessed with it.
Usage examples for user credentials and IAM credentials are described below (TLS certificates will be covered on another occasion).
3. Usage example (user credentials)
3-1. Setup
- Add a secret
- Select User credentials.
- Enter the credential information. This time I also specified an expiration date and a rotation interval.
- Created. Sample snippets for accessing the secret just created are also shown.
- I enabled automatic rotation on the previous setup screen, but manual rotation is also possible.
3-2. Accessing the user credential
- This time I want to reach Secrets Manager without any password at all, so I obtain an IAM token through the Trusted Profile and fetch the user credential from Secrets Manager with curl.
- See "IBM Cloud: how to make secure API/CLI calls from a VSI for VPC using a Trusted Profile" for setting up the Trusted Profile.
- Secrets Manager can also be reached over a private endpoint. The snippet shown in the UI uses the public endpoint, so when calling from inside IBM Cloud rewrite it to the private endpoint URL according to the information below.
- Secrets Manager private endpoint information
- Confirmation screen in the UI
[root@syasuda-metavsi ~]# instance_identity_token=`curl -sX PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-31" -H "Metadata-Flavor: ibm" -d '{ "expires_in": 600}' | jq -r '(.access_token)'`
[root@syasuda-metavsi ~]# iam_token=`curl -sX POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-31" -H "Authorization: Bearer ${instance_identity_token}" | jq -r '(.access_token)'`
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/username_password/24b424de-cbe5-dada-96f7-cdaabe6f44ff" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq
{
"metadata": {
"collection_type": "application/vnd.ibm.secrets-manager.secret+json",
"collection_total": 1
},
"resources": [
{
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:23:17Z",
"crn": "crn:v1:bluemix:public:secrets-manager:jp-tok:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:secret:24b424de-cbe5-dada-96f7-cdaabe6f44ff",
"custom_metadata": {},
"description": "test1",
"downloaded": true,
"expiration_date": "2022-09-30T00:30:00Z",
"id": "24b424de-cbe5-dada-96f7-cdaabe6f44ff",
"labels": [],
"last_update_date": "2022-09-30T00:23:17Z",
"locks_total": 0,
"name": "syasuda-user-credentaial1",
"next_rotation_date": "2022-10-30T00:23:17Z",
"secret_data": {
"password": "zaq12wsxcde34rfv",
"username": "syasuda1"
},
"secret_type": "username_password",
"state": 1,
"state_description": "Active",
"versions": [
{
"auto_rotated": false,
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:23:17Z",
"downloaded": true,
"id": "96d97508-adae-93a7-a267-84773362ca9a",
"payload_available": true,
"version_custom_metadata": {}
}
],
"versions_total": 1
}
]
}
3-3. State after the expiration date
- Once the expiration date is reached, the secret enters the Destroyed state and secret_data is no longer returned (the GET still succeeds, but the payload is null).
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/username_password/24b424de-cbe5-dada-96f7-cdaabe6f44ff" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq
{
"metadata": {
"collection_type": "application/vnd.ibm.secrets-manager.secret+json",
"collection_total": 1
},
"resources": [
{
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:23:17Z",
"crn": "crn:v1:bluemix:public:secrets-manager:jp-tok:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:secret:24b424de-cbe5-dada-96f7-cdaabe6f44ff",
"custom_metadata": {},
"description": "test1",
"downloaded": true,
"expiration_date": "2022-09-30T00:30:00Z",
"id": "24b424de-cbe5-dada-96f7-cdaabe6f44ff",
"labels": [],
"last_update_date": "2022-09-30T00:23:17Z",
"locks_total": 0,
"name": "syasuda-user-credentaial1",
"secret_data": null,
"secret_type": "username_password",
"state": 5,
"state_description": "Destroyed",
"versions": [
{
"auto_rotated": false,
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:23:17Z",
"downloaded": true,
"id": "96d97508-adae-93a7-a267-84773362ca9a",
"payload_available": false,
"version_custom_metadata": {}
}
],
"versions_total": 1
}
]
}
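The three curl commands in 3-2 (instance identity token, IAM token via the Trusted Profile, then the secret over the private endpoint) together with the Active and Destroyed responses in 3-2 and 3-3, written as an added Python example. This is not code from the original post. The metadata-service and Secrets Manager v1 URLs are the same ones the curl commands use; the instance GUID, region and secret ID in the `__main__` block are placeholders you must fill in, and `SAMPLE_ACTIVE` / `SAMPLE_DESTROYED` are constructed, abridged copies of the two outputs above with the password replaced. The practical point is that a Destroyed secret still comes back as a normal JSON document with `secret_data: null`, so the client has to check state and expiration instead of indexing straight into the payload.

```python
"""Passwordless fetch of a username_password secret from a VSI for VPC, plus a
response check. Added example, not code from the original post; instance GUID,
region and secret ID below are placeholders."""
import datetime as dt
import json
import urllib.request

METADATA = "http://169.254.169.254/instance_identity/v1"
API_VERSION = "2022-03-31"


def _http_json(method, url, headers=None, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def iam_token_from_trusted_profile(expires_in=600):
    """Same two calls as the curl commands: a short-lived instance identity token,
    then an IAM access token bound to the Trusted Profile linked to this VSI."""
    identity = _http_json("PUT", f"{METADATA}/token?version={API_VERSION}",
                          headers={"Metadata-Flavor": "ibm"},
                          body={"expires_in": expires_in})
    iam = _http_json("POST", f"{METADATA}/iam_token?version={API_VERSION}",
                     headers={"Authorization": f"Bearer {identity['access_token']}"})
    return iam["access_token"]


def fetch_secret(instance_id, region, secret_type, secret_id, iam_token):
    """GET the secret over the private endpoint (reachable only from inside IBM Cloud)."""
    url = (f"https://{instance_id}.private.{region}.secrets-manager.appdomain.cloud"
           f"/api/v1/secrets/{secret_type}/{secret_id}")
    return _http_json("GET", url, headers={"Authorization": f"Bearer {iam_token}",
                                            "Accept": "application/json"})


def _ts(iso):
    return dt.datetime.fromisoformat(iso.replace("Z", "+00:00"))


def usable_credential(response, now=None):
    """Return (username, password) only if the single resource is Active, not past its
    expiration_date and carries a payload; otherwise raise ValueError.
    `now` is an ISO-8601 string for replay/tests, or None for the current UTC time."""
    now_dt = _ts(now) if now else dt.datetime.now(dt.timezone.utc)
    resources = response.get("resources") or []
    if len(resources) != 1:
        raise ValueError("expected exactly one resource in the response")
    r = resources[0]
    if r.get("state") != 1 or r.get("state_description") != "Active":
        raise ValueError(f"secret is not Active: {r.get('state_description')}")
    exp = r.get("expiration_date")
    if exp and _ts(exp) <= now_dt:
        raise ValueError("secret is past its expiration_date")
    data = r.get("secret_data")          # null once the secret is Destroyed
    if not data or "username" not in data or "password" not in data:
        raise ValueError("secret payload is missing")
    return data["username"], data["password"]


def is_usable(response, now=None):
    try:
        usable_credential(response, now)
        return True
    except ValueError:
        return False


# Constructed, abridged copies of the two responses shown above (password replaced).
SAMPLE_ACTIVE = {"resources": [{
    "id": "24b424de-cbe5-dada-96f7-cdaabe6f44ff", "secret_type": "username_password",
    "state": 1, "state_description": "Active", "expiration_date": "2022-09-30T00:30:00Z",
    "secret_data": {"username": "syasuda1", "password": "REDACTED-PASSWORD"}}]}
SAMPLE_DESTROYED = {"resources": [{
    "id": "24b424de-cbe5-dada-96f7-cdaabe6f44ff", "secret_type": "username_password",
    "state": 5, "state_description": "Destroyed", "expiration_date": "2022-09-30T00:30:00Z",
    "secret_data": None}]}

if __name__ == "__main__":
    # Placeholders: replace with your Secrets Manager instance GUID, region and secret ID.
    token = iam_token_from_trusted_profile()
    resp = fetch_secret("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "jp-tok",
                        "username_password", "24b424de-cbe5-dada-96f7-cdaabe6f44ff", token)
    user, _password = usable_credential(resp)
    print("obtained credential for", user)
```

The network functions run only under `__main__`, on a VSI whose Trusted Profile has been granted read access to the Secrets Manager instance; the check in `usable_credential` is the part worth keeping in any client, since an expired secret fails closed instead of handing an application a null password.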
4. Usage example (IAM credentials)
4-1. Setup
- Add a secret
- Select IAM credentials
- By default the IAM credential is changed on every access to Secrets Manager (for security). If you want the same credential returned until the lease ends, enable "Reuse IAM credentials until lease expires"; this time I keep the default. I set the lease time to 10 minutes.
- Specify the access group that determines which permissions the service ID/API key to be created receives.
- Created. Sample snippets for accessing the secret just created are also shown.
The expiration date of a user credential is the point after which the credential can no longer be accessed: even if you query an expired user credential, you no longer get the ID/password. IAM credentials, on the other hand, do not expire. The lease time only determines how long the IAM credential obtained from Secrets Manager can be used to access IBM Cloud services. So even after the lease has passed, you can access IBM Cloud again by obtaining the IAM credential from Secrets Manager once more.
4-2. Obtaining the IAM credential (API key)
- This time I want to reach Secrets Manager without any password at all, so I obtain an IAM token through the Trusted Profile and fetch the IAM credential (API key) from Secrets Manager with curl.
- See "IBM Cloud: how to make secure API/CLI calls from a VSI for VPC using a Trusted Profile" for setting up the Trusted Profile.
- Secrets Manager can also be reached over a private endpoint. The snippet shown in the UI uses the public endpoint, so when calling from inside IBM Cloud rewrite it to the private endpoint URL according to the information below.
- Secrets Manager private endpoint information
- Confirmation screen in the UI
[root@syasuda-metavsi ~]# instance_identity_token=`curl -sX PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-31" -H "Metadata-Flavor: ibm" -d '{ "expires_in": 600}' | jq -r '(.access_token)'`
[root@syasuda-metavsi ~]# iam_token=`curl -sX POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-31" -H "Authorization: Bearer ${instance_identity_token}" | jq -r '(.access_token)'`
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq
{
"metadata": {
"collection_type": "application/vnd.ibm.secrets-manager.secret+json",
"collection_total": 1
},
"resources": [
{
"access_groups": [
"AccessGroupId-9f12573e-4a8c-48dd-81ac-cfda33a355b1"
],
"api_key": "7L2sk1qoTdLLVZWhSXAc3cKvHqKjUHeRawqOWodcymzo",
"api_key_id": "ApiKey-acac0b7f-c413-4e72-9267-46d3422fc62c",
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:43:42Z",
"crn": "crn:v1:bluemix:public:secrets-manager:jp-tok:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:secret:15d825d2-7ab8-09d7-2ef3-a9a11fabb97c",
"custom_metadata": {},
"downloaded": true,
"id": "15d825d2-7ab8-09d7-2ef3-a9a11fabb97c",
"labels": [],
"last_update_date": "2022-09-30T00:46:32Z",
"locks_total": 0,
"name": "syasuda-iam-credential1",
"reuse_api_key": true,
"secret_type": "iam_credentials",
"service_id": "ServiceId-e93007aa-4079-4ff0-bf28-8c7ee755598c",
"service_id_is_static": false,
"state": 1,
"state_description": "Active",
"ttl": 600,
"versions": [
{
"auto_rotated": false,
"created_by": "IBMid-110000HEJF",
"creation_date": "2022-09-30T00:43:42Z",
"downloaded": false,
"id": "f2ce7dd1-8a47-ea4c-a292-eb8a4b9b450a",
"payload_available": false,
"version_custom_metadata": {}
},
{
"auto_rotated": false,
"created_by": "iam-Profile-c7737399-ea96-4878-acf0-5a2690fd3493",
"creation_date": "2022-09-30T00:46:32Z",
"downloaded": true,
"id": "b0eee30d-f1f2-d4fa-7d32-215160bd1ba8",
"payload_available": true,
"version_custom_metadata": {}
}
],
"versions_total": 2
}
]
}
4-3. Logging in with the ibmcloud CLI
Try logging in with the API key obtained above.
[root@syasudacentos7 ~]# ibmcloud login --apikey 7L2sk1qoTdLLVZWhSXAc3cKvHqKjUHeRawqOWodcymzo -r jp-tok
API endpoint: https://cloud.ibm.com
Authenticating...
OK
Targeted account IBM (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
Targeted region jp-tok
API endpoint: https://cloud.ibm.com
Region: jp-tok
User: ServiceId-e93007aa-4079-4ff0-bf28-8c7ee755598c
Account: IBM (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
Resource group: No resource group targeted, use 'ibmcloud target -g RESOURCE_GROUP'
CF API endpoint:
Org:
Space:
4-4. Behaviour check with Reuse IAM credentials until lease expires disabled
Every time the IAM credential is fetched from Secrets Manager, a new service ID and API key are returned. This is because "Reuse IAM credentials until lease expires" is disabled.
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-089ae2cd-3fa1-45cc-b3b6-ee9da105a0d2"
"p0d1sRdvPUjWBWOqpRP1SoyS5wl8ahrCR4GpnCFcD5ce"
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-9dfee6b6-4d8b-4990-94ba-499a42d6f09f"
"63ERPf4mJhO8PZbkxfmeIa8b4LEGRm7P6WOewW4E_o6b"
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-110e29e6-8dcd-4330-97ac-9a251cb45e36"
"v3GpQNakvYGinRbnSgsX3MeiUnqe9t5SUaaScpZlW_8Y"
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-d54b25e9-864f-4719-a16d-bf3d4c65e8ab"
"fsXfdifMekRC3VvpxU1mzptN3PO5SqoqlhJKrmsH_Hb3"
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-7a2a5e78-3188-467d-afa9-dcd199d9540a"
"rB6UznvriCHJD6QAO4Y1KHA86_rdktWs9PrtxH8BoP3X"
[root@syasuda-metavsi ~]# curl -sX GET "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.private.jp-tok.secrets-manager.appdomain.cloud/api/v1/secrets/iam_credentials/c0643817-5cee-9b69-8203-d06195a484d9" -H "Authorization: Bearer $iam_token" -H "Accept: application/json" | jq '.resources[].service_id, .resources[].api_key'
"ServiceId-34628a6e-4a14-40eb-aea9-5b249325293c"
"azh9ACGPd4ifIWEge8j3IJPzRzMEMPrJwQ0Veui7YeqN"
Once a new IAM credential has been fetched, the previous API key can no longer be used, even though its lease has not yet run out; only the most recently issued key works.
[root@syasudacentos7 ~]# ibmcloud login --apikey rB6UznvriCHJD6QAO4Y1KHA86_rdktWs9PrtxH8BoP3X -r jp-tok
API endpoint: https://cloud.ibm.com
Authenticating...
Credentials were rejected.
Code: BXNIM0415E, message: Provided API key could not be found.
API endpoint: https://cloud.ibm.com
Region:
Not logged in.
FAILED
Unable to authenticate.
[root@syasudacentos7 ~]# ibmcloud login --apikey azh9ACGPd4ifIWEge8j3IJPzRzMEMPrJwQ0Veui7YeqN -r jp-tok
API endpoint: https://cloud.ibm.com
Authenticating...
OK
Targeted account IBM (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
Targeted region jp-tok
API endpoint: https://cloud.ibm.com
Region: jp-tok
User: ServiceId-34628a6e-4a14-40eb-aea9-5b249325293c
Account: IBM (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
Resource group: No resource group targeted, use 'ibmcloud target -g RESOURCE_GROUP'
CF API endpoint:
Org:
Space:
4-5. Access after the lease time has expired
[root@syasudacentos7 ~]# ibmcloud login --apikey azh9ACGPd4ifIWEge8j3IJPzRzMEMPrJwQ0Veui7YeqN -r jp-tok
API endpoint: https://cloud.ibm.com
Authenticating...
Credentials were rejected.
Code: BXNIM0415E, message: Provided API key could not be found.
API endpoint: https://cloud.ibm.com
Region:
Not logged in.
FAILED
Unable to authenticate.
If you query Secrets Manager again and obtain a fresh API key, you can access IBM Cloud again.
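The lease behaviour shown in 4-4 and 4-5, turned into client-side logic, as an added Python example that is not part of the original post. `FakeSecretsManager` and `FakeClock` are constructed stand-ins that reproduce what the curl and ibmcloud output above shows: a new service ID and API key on every fetch, the previous key rejected with BXNIM0415E, and the key rejected once the lease has elapsed. `LeasedApiKey` is the part you would wire to a real fetch of the `iam_credentials` secret: it caches one key for the length of the `ttl`, refreshes shortly before the lease ends, and refetches once when IAM rejects the key, so a client neither rotates the key on every request nor keeps presenting a dead one.

```python
"""Client-side handling of an iam_credentials secret with reuse disabled.
Added example, not code from the original post; FakeSecretsManager/FakeClock are
constructed stand-ins for offline replay of the behaviour shown above."""
import time


class ApiKeyRejected(Exception):
    """IAM refused the key, as the CLI reported with BXNIM0415E above."""


class LeasedApiKey:
    """Cache one API key for the length of its lease instead of fetching per request."""

    def __init__(self, fetch_secret, clock=time.monotonic, safety_margin=30):
        self._fetch = fetch_secret      # callable returning the Secrets Manager JSON
        self._clock = clock             # injectable so the scenario runs offline
        self._margin = safety_margin    # refresh this many seconds before ttl ends
        self._key = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self):
        """Fetch only when nothing is cached or the lease is about to end."""
        if self._key is None or self._clock() >= self._expires_at:
            self._refresh()
        return self._key

    def _refresh(self):
        r = self._fetch()["resources"][0]
        if r.get("state") != 1 or not r.get("api_key"):
            raise RuntimeError(f"iam_credentials secret not usable: {r.get('state_description')}")
        self._key = r["api_key"]
        # ttl is the lease in seconds; the key stops working once it elapses.
        self._expires_at = self._clock() + max(int(r.get("ttl") or 0) - self._margin, 0)
        self.fetch_count += 1

    def invalidate(self):
        """Drop the cached key: another client fetched the secret, or the lease lapsed."""
        self._key = None

    def call_with_key(self, fn):
        """Run fn(api_key); if IAM rejects the key, refetch and retry exactly once."""
        try:
            return fn(self.get())
        except ApiKeyRejected:
            self.invalidate()
            return fn(self.get())


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class FakeSecretsManager:
    """Constructed stand-in: every fetch mints a new service ID/API key and invalidates
    the previous one; login is rejected once the key's lease (ttl seconds) has elapsed."""

    def __init__(self, clock, ttl=600):
        self.clock, self.ttl, self.n = clock, ttl, 0
        self.current = None             # (api_key, issued_at)

    def fetch(self):
        self.n += 1
        self.current = (f"fake-api-key-{self.n}", self.clock())
        return {"resources": [{"state": 1, "state_description": "Active", "ttl": self.ttl,
                               "service_id": f"ServiceId-fake-{self.n}",
                               "api_key": self.current[0]}]}

    def login(self, api_key):
        """Stand-in for `ibmcloud login --apikey`; returns the service ID on success."""
        valid = (self.current is not None and api_key == self.current[0]
                 and self.clock() - self.current[1] < self.ttl)
        if not valid:
            raise ApiKeyRejected("BXNIM0415E: Provided API key could not be found.")
        return f"ServiceId-fake-{self.n}"


def scenario():
    clock = FakeClock()
    sm = FakeSecretsManager(clock, ttl=600)
    lk = LeasedApiKey(sm.fetch, clock=clock, safety_margin=30)
    out = {}
    # 1. Many calls inside the lease reuse one key rather than rotating it per request.
    for t in range(0, 501, 10):
        clock.t = t
        lk.call_with_key(sm.login)
    out["fetches_within_lease"] = lk.fetch_count
    # 2. Near the end of the lease the key is refreshed proactively.
    clock.t = 580
    out["user_after_refresh"] = lk.call_with_key(sm.login)
    out["fetches_after_refresh"] = lk.fetch_count
    # 3. Another client reads the secret and rotates our key away; one retry recovers.
    sm.fetch()
    out["user_after_external_rotation"] = lk.call_with_key(sm.login)
    out["fetches_after_external_rotation"] = lk.fetch_count
    # 4. After a gap longer than the lease, the next call refetches on its own.
    clock.t = 580 + 700
    out["user_after_lapse"] = lk.call_with_key(sm.login)
    out["fetches_after_lapse"] = lk.fetch_count
    return out


if __name__ == "__main__":
    print(scenario())
```

Two cautions follow from the output in 4-4: `safety_margin` must exceed the longest operation you perform with the key, and two processes reading the same secret will keep invalidating each other's keys. With reuse disabled, give each consumer its own `iam_credentials` secret, or enable "Reuse IAM credentials until lease expires" where sharing is unavoidable.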
Original notice: this article is published on 爱码网 with the author's permission and may not be reproduced without permission.
Original URL: https://www.likecs.com/show-308627991.html