Conjur Service Broker Supports Secure Binding Credentials #112

Open
5 tasks
micahlee opened this issue Apr 11, 2019 · 0 comments
micahlee commented Apr 11, 2019

Background

A service broker supports [Secure Binding Credentials](https://github.com/cloudfoundry-incubator/credhub/blob/master/docs/secure-service-credentials.md) when it writes binding credentials (e.g. passwords, API keys) to credhub and gives the application a reference. This is a more secure alternative to sending the credential values directly back to the binding application through the cloud controller.

Motivation

There are several advantages to supporting the secure binding credentials flow:

  • Lower risk of inadvertent secret disclosure
    There are fewer opportunities for secrets to leak through logs or environment variables while flowing through the cloud foundry system components.

  • Improved rotation support
    Secret values in credhub may be rotated without having to re-bind applications to conjur to receive the updated value.

Proposed Workflow

(from #103 (comment))

On provision:

  • the SB creates a space host in Conjur
  • the SB parses the space host API key
  • the SB adds the space host API key to credhub with a predictable path related to the space GUID

On bind:

  • the SB updates the access control on the space host API key in credhub so the app can access it
  • the SB passes the app a reference to the space host API key in CH (instead of an actual API key)

On app start (we hope - TBD):

  • diego replaces the CH references with values in the app env
  • the conjur buildpack is invoked and uses the process VCAP_SERVICES values to retrieve secrets as usual

Development Notes

  • The service broker may authenticate to CredHub using its [Instance Identity certificate](https://docs.pivotal.io/pivotalcf/2-2/devguide/deploy-apps/instance-identity.html).

    NOTE: This identity must be permitted to read and write to credhub before operation; this is done using the service broker's app guid. An example API call to authorize a service broker app would be something like:

    curl -v "https://credhub.service.cf.internal:8844/api/v2/permissions" \
      -k \
      -X POST \
      -d '{
        "path": "/conjur-service-broker/*",
        "actor": "mtls-app:d865ddf1-4bfb-4bed-9b41-c8fd406a5074",
        "operations": ["read", "write"]
      }' \
      -H "authorization: $TOKEN" \
      -H 'content-type: application/json'
    

    NOTE: The Instance Identity certificate is actually a bundle of the certificate and its intermediate signing CA. Most Ruby HTTP libraries do not support client certificate bundles currently.

Still To Resolve

  • How does the service broker credhub authorization occur?

    Is this a manual operator step? Can this happen as part of the Tile deployment? Etc.

  • How does the service broker pass the credhub reference to the application?

  • How does the service broker (or Conjur) rotate the host identity?

  • Does anything need to change in the buildpack to support this flow?

  • Determine if mTLS writing to CredHub will be well supported.

    There is some indication through our Pivotal Partner network that it might not be permitted in all versions of PCF.

References:
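The Development Notes above flag that the Instance Identity credential is a bundle (leaf certificate plus intermediate CA) and that Ruby HTTP libraries do not accept such bundles as a client certificate. As an added example (not code from this issue or from the Conjur service broker), the Ruby below splits the bundle, identifies the leaf, and configures Net::HTTP for mTLS to CredHub with the intermediate passed via extra_chain_cert; the CredHub host and port come from the curl call in the issue, while the CA file path and the test certificates are constructed here, and a current Ruby whose Net::HTTP exposes extra_chain_cert is assumed.

```ruby
require 'openssl'
require 'net/http'

# Split a PEM bundle (CF delivers the Instance Identity credential as leaf + intermediate CA).
def split_pem_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# The leaf is the certificate that issued nothing else in the bundle; the rest is chain material.
def leaf_and_chain(certs)
  leaf = certs.find { |c| certs.none? { |o| !o.equal?(c) && o.issuer == c.subject } }
  raise ArgumentError, 'no leaf certificate found in bundle' unless leaf
  [leaf, certs.reject { |c| c.equal?(leaf) }]
end

# mTLS client for CredHub: Net::HTTP takes one client cert plus extra_chain_cert, not a bundle.
# Server verification stays on against the operator-supplied CredHub CA file (no curl -k).
def credhub_client(host, port, leaf, chain, key, ca_file)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http.cert = leaf
  http.extra_chain_cert = chain
  http.key = key
  http
end

# Constructed fixture (not a real CF credential): a throwaway intermediate CA and a leaf it signs.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**63)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY     = OpenSSL::PKey::RSA.new(2048)
CA_CERT    = make_cert('/CN=constructed-intermediate-ca', CA_KEY, ca: true)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT  = make_cert('/CN=constructed-instance-id', LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY)
BUNDLE_PEM = CA_CERT.to_pem + LEAF_CERT.to_pem # CA-first on purpose: order must not matter
```

In a real deployment the bundle and key would be read from the paths the platform documents for the Instance Identity credential rather than generated in-process.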
