-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Feat: excited to release this major update (#9)
* feat: file based cred resolver * feat: hashicorp vault integration for ServiceNow * feat: hashicorp vault integration for ServiceNow * feat: hashicorp vault integration for ServiceNow
- Loading branch information
1 parent
08d7209
commit b3a3e78
Showing
16 changed files
with
821 additions
and
125 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,6 @@ | ||
| ### Minor Release | ||
| Feat: Added file vault. Now you can manage the credentials locally in midserver | ||
| through properties file | ||
| Feat: refactored the code to support multiple secret vault platform | ||
| ### Major Release | ||
| #### Feat: excited to release this major update | ||
| * Added file vault. Now you can manage the credentials locally in midserver through properties file | ||
| * Refactored the code to support multiple secret vault platform | ||
| * ServiceNow External credential resolver support for Hashicorp Vault as secret vault provider | ||
| * Docs: added detailed README for all the components |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,61 @@ | ||
| # servicenow-ecs-azure-key-vault | ||
| ServiceNow External Credential Storage integration with Azure Key Vault | ||
|
|
||
| ## setup | ||
| * Upload the jar file to servicenow instance under mid server jars | ||
|
|
||
| * https://github.com/arumugamsubramanian/servicenow-ecs-multi-secret-vault/releases | ||
|
|
||
|
|
||
|  | ||
|
|
||
| ## file based credential setup | ||
|
|
||
| * copy [creds.properties](setup%2Ffile-vault%2Fcreds.properties) to mid server | ||
| * Add mid server properties in config.xml | ||
| ```text | ||
| <parameter name="ext.cred.file.path" value="/opt/snc_mid_server/creds.properties"/> | ||
| ``` | ||
| * Create a credential in below format | ||
|
|
||
|  | ||
|
|
||
| * creds in file should have | ||
| ```text | ||
| filevault-linux.ssh_password.user=root | ||
| filevault-linux.ssh_password.pswd=xxx | ||
| Pattern: | ||
| credID.credtype.user | ||
| ``` | ||
|
|
||
| ### Note: The cred ID should always start with `file` | ||
|
|
||
| ## Azure Key Vault Setup | ||
|
|
||
| ### Note: The cred ID should always start with `akv` | ||
|
|
||
| ## Hashicorp Vault Setup | ||
|
|
||
| Credit: Thanks to Hashicorp Vault for the code reference. This integration was forked from https://github.com/hashicorp/vault-servicenow-credential-resolver | ||
|
|
||
| * follow [README.md](setup%2Fhashicorp-vault%2FREADME.md) to setup local vault server in docker | ||
| * Add mid-server properties in config.xml | ||
| * mid.external_credentials.vault.address (string: "") - Address of Vault Agent as resolveable by the MID server. For example, if Vault Agent is on the same server as the MID server it could be https://127.0.0.1:8200. | ||
| * mid.external_credentials.vault.ca (string: "") - The CA certificate to trust for TLS in PEM format. If unset, the system's trusted CAs will be used. | ||
| * mid.external_credentials.vault.tls_skip_verify (string: "") - When set to true, skips verification of the Vault server TLS certificiate. Setting this to true is not recommended for production. | ||
| ```text | ||
| <parameter name="mid.external_credentials.vault.address" value="http://127.0.0.1:8200"/> | ||
| <parameter name="mid.external_credentials.vault.ca" value=""/> | ||
| <parameter name="mid.external_credentials.vault.tls_skip_verify" value="true"/> | ||
| ``` | ||
| * credentials ID format in ServiceNow credentials | ||
| ```text | ||
| hv/secret/data/linux # always start with 'hv/' without quotes, otherwise it will not consider hashicorp vault as secret provider. | ||
| Format: | ||
| hv/<secret_path_in_vault> | ||
| ``` | ||
|  |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| # Hashicorp vault setup | ||
|
|
||
| * Install vault in docker as vault server | ||
| ```shell | ||
| docker run -d --cap-add=IPC_LOCK \ | ||
| -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \ | ||
| -v $(PWD)/setup/hashicorp-vault:/vault/file \ | ||
| -p 8200:8200 \ | ||
| --name vault \ | ||
| hashicorp/vault server | ||
| ``` | ||
| * Login to docker container | ||
| ```shell | ||
| docker exec -it vault sh | ||
| ``` | ||
| * Vault setup | ||
| ```shell | ||
| export VAULT_ADDR=http://127.0.0.1:8200 | ||
| vault status | ||
| vault operator init | ||
| vault operator unseal # three times | ||
| vault login # use root token | ||
| ``` | ||
| * List the secrets | ||
| ```shell | ||
| vault secrets list | ||
| ``` | ||
| * Enable secret engine and create secrets | ||
| ```shell | ||
| vault secrets enable -path=secret kv | ||
| vault kv put -mount=secret linux password="root123" username="root" | ||
| vault kv put -mount=secret foo password="root123" username="root" | ||
| ``` | ||
| * Create policy to provide access to the above secrets | ||
| ```shell | ||
| vault policy write my-policy - << EOF | ||
| # Dev servers have version 2 of KV secrets engine mounted by default, so will | ||
| # need these paths to grant permissions: | ||
| path "secret/data/*" { | ||
| capabilities = ["read"] | ||
| } | ||
| path "secret/data/foo" { | ||
| capabilities = ["read"] | ||
| } | ||
| EOF | ||
|
|
||
| vault policy list | ||
| vault policy read my-policy | ||
| ``` | ||
| * create userpass path as 'servicenow'. Use `userpass` as vault auth method | ||
| * username can be anything because you are passing as mid-server config param | ||
| ```shell | ||
| vault auth enable -path=servicenow userpass | ||
|
|
||
| vault write auth/servicenow/users/servicenow \ | ||
| password=servicenow \ | ||
| policies=my-policy | ||
| ``` |
Oops, something went wrong.