Skip to main content

Credential Tokenization with SlashID and Gate

Introduction

In modern application architectures, securely managing and using secrets such as API keys, database passwords, and other sensitive credentials is crucial. Gate provides a powerful solution for credential tokenization, allowing you to store and use secrets securely without exposing them directly to your application code, CI/CD pipeline, or code repository.

Benefits

Using SlashID and Gate for credential tokenization provides several benefits:

  • Reduced Attack Surface: By keeping secrets out of your application code and configuration files, you reduce the risk of accidental exposure or leaks.

  • Enforce fine-grained access control: Gate's Tokenizer plugin can be combined with our OPA or OAuth 2.0 plugins to enforce fine-grained access control policies for secret retrieval and injection, especially useful when the secret itself doesn't have RBAC/roles restriction.

  • Separation of duty and easier rotation: Developers don’t have to worry about credentials lifecycle and management. Credentials can be rotated without downtime.

Overview

The credential tokenization process involves the following components:

  1. Secret Manager: This could be your existing Secret Manager (eg: Hashicorp Vault, AWS secret manager) or SlashID itself.

  2. Gate: Gate is a proxy that sits between your application and external services. It intercepts requests from your application and injects the necessary secrets into the requests before forwarding them to the destination services. Gate uses the Tokenizer plugin to handle the tokenization process.

  3. Tokenizer Plugin: The Tokenizer plugin is responsible for retrieving the encrypted secrets from SlashID, decrypting them, and injecting them into the requests based on the specified configuration.

  4. Secret Generator Utility: The secret generator utility is a command-line tool that simplifies the process of creating secrets compatible with Gate's tokenization format. It allows you to generate secrets with specific configurations and store them in SlashID or other secret engines.

Workflow

Here's a high-level overview of how credential tokenization works with SlashID and Gate:

  1. Secret Creation: Use the secret generator utility to create a secret with the desired configuration. The utility allows you to specify the secret engine (e.g., SlashID, AWS Secrets Manager, GCP Secret Manager), the injection method (e.g., header injection, HMAC injection), and other relevant settings. The secret is then stored in the chosen secret engine.

  2. Application Request: When your application needs to make a request to an external service that requires a secret (e.g., an API key), it sends the request to the Gate proxy instead of directly to the service. The request includes a special header (e.g., Proxy-Tokenizer) that contains the secret identifier.

  3. Secret Retrieval: Gate's Tokenizer plugin intercepts the request and extracts the secret identifier from the Proxy-Tokenizer header. It then makes a request to the secret manager to retrieve the corresponding secret using the secret identifier.

  4. Secret Injection: Once the Tokenizer plugin receives the decrypted secret from SlashID, it injects the secret into the request based on the specified configuration. This can involve setting a header value, computing an HMAC signature, or injecting an OAuth token.

  5. Request Forwarding: After injecting the secret, Gate forwards the modified request to the destination service. The service receives the request with the required secret, processes it, and sends the response back to Gate.

  6. Response Handling: Gate receives the response from the service and forwards it back to your application. The application receives the response without any knowledge of the tokenization process that occurred behind the scenes.

Example

Here's an example configuration for Gate's Tokenizer plugin:

Container AGate-APod-Aremote-server
gate:
  port: 8088
  level: trace
  tls:
    enabled: "false"
  log:
    outputs:
      - sink: stdout
        format: text
        level: trace
  tracing:
    exporter:
      jaeger:
        enabled: false
        collector_endpoint: http://opentelemetry-collector:14268/api/traces
    service: gate.sidecarecho
  plugins_http_cache:
    - pattern: "*"
      cache_control_override: private, max-age=600, stale-while-revalidate=300
  plugins:
...
    - id: tokenize_requests
      type: tokenizer
      enabled: true
      parameters:
        header_with_proxy_token: SID_Proxy_Auth
        secret_engine: slashid
        slashid_org_id: 65e43220-439d-7ae5-9934-d1c4999c0d64
        slashid_api_key: <API_KEY>
        slashid_base_url: https://api.slashid.com/
  default:
    transparent: true
    target: http://localhost:8090
  urls:
    - pattern: "*/ab*"
      target: http://localhost:8090
      plugins:
        tokenize_requests:
          enabled: true

In this configuration:

  • header_with_proxy_token specifies the header that contains the encrypted secret identifier.
  • secret_engine is set to "slashid", indicating that SlashID is being used as the secret engine.
  • slashid_org_id and slashid_api_key provide the necessary credentials to authenticate with SlashID's API.
  • slashid_base_url specifies the base URL of SlashID's API endpoint.

With this configuration, Gate's Tokenizer plugin will intercept requests, retrieve the corresponding secret from SlashID based on the secret ID in the SID_Proxy_Auth header, and inject it into the request based on the secret's configuration.

Now let's create a secret: 

$ secret-tokenizer-generator --inject-field Authorization --inject-value SECRET --secret-engine slashid --slashid-org-id 65e43220-439d-7ae5-9934-d1c4999c0d64 --slashid-api-key <API_KEY> --secret-label test_cred --secret-cache-duration 1800

Secret stored successfully in secret engine with key: c2795d2a-5401-4ee6-b485-fc981a0ba777

ContainerGateremote-serverGET /abSID_Proxy_Auth: c2795d2a-5401-4ee6-b485-fc981a0ba777GET /abAuthorization: Bearer SECRETResponseResponseContainerGateremote-server

Finally, let's make a request: 

$ curl --trace - http://remote-server:8088/ab -H "SID_Proxy_Auth: c2795d2a-5401-4ee6-b485-fc981a0ba777"

$ nc -l 8090
GET /ab HTTP/1.1
Host: localhost:8090
User-Agent: curl/8.4.0
Accept: */*
Authorization: Bearer SECRET
X-B3-Sampled: 1
X-B3-Spanid: 3785f379e9fbbe71
X-B3-Traceid: a5878b7206dd5ea7b9c921f0d9928e66
Accept-Encoding: gzip

Note how the header we receive is Authorization: Bearer SECRET

Conclusion

Credential tokenization with SlashID and Gate provides a robust and secure solution for managing and using secrets in your applications. By leveraging Gate's Tokenizer plugin, you can keep your secrets safe without leaking key material in your application code, CI/CD, and code repository. The secret generator utility further simplifies the process of creating and storing secrets compatible with Gate's tokenization format. With this approach, you can focus on building your application logic while leaving the complexities of secret management to SlashID and Gate.