Secrets Safe Secrets Retrieval

BeyondTrust Software Inc.

beyondtrust.com
Secure and manage credentials and secrets used in your continuous integration and continuous delivery (CI/CD) toolchain.

Retrieve Secrets from Secrets Safe

This extension allows for the retrieval of ASCII secrets from an instance of Secrets Safe.

Prerequisites

The Secrets Safe Azure DevOps extension supports retrieval of secrets from BeyondInsight/Password Safe versions 23.1 or greater.

For this extension to retrieve a secret for use in each Azure DevOps pipeline, the Secrets Safe instance must be preconfigured with the secret in question and an account must be authorized to read it.

General Setup

  1. Create an API registration in BeyondInsight (does not require a user password).
  2. Create or use an existing Secrets Safe group.
  3. Create or use an existing BeyondInsight user.
  4. Add API registration to the group.
  5. Add the user to the group.
  6. Add the Secrets Safe feature to the group.

Managed Accounts Setup

  1. Create or use an existing access policy that has view password and auto approve set.
  2. Add the All Managed Accounts Smart Group to the BeyondInsight group.
  3. Add the access policy to the All Managed Accounts Smart Group role, and ensure that both requestor and approver are set.
  4. Create or use an existing managed system.
  5. Create or use an existing managed account associated with the managed system.
  6. Configure the managed account with API Enabled and Max Concurrent Requests Unlimited.

Secrets Safe Service Connection Configuration

A service connection can be configured using either Basic or OAuth authentication.

Configure a service connection using Basic Authentication for the Secrets Safe pipeline task.

Secrets Safe Service Connection Configuration Basic Authentication

Basic Authentication Service Connection Fields

  • Server URL - The URL of the Secrets Safe instance from which to request a secret.
  • API username - The username of a BeyondInsight user that has been granted permission to use the API key for API requests to the Secrets Safe instance.
  • API Key - The API key configured in BeyondInsight for your application, used when authenticating to Secrets Safe.
  • Certificate Key - (optional) The certificate private key (key.pem), used when authenticating with an API key and a client certificate. See the "Extracting Client Secret" section.
  • Certificate - (optional) The content of the certificate (cert.pem), used when authenticating with an API key and a client certificate.
  • Skip Server Certificate Verification - (optional) When set, the task does not verify the certificate authority of the TLS certificate presented by the Secrets Safe instance.

Configure a service connection using OAuth for the Secrets Safe pipeline task.

Secrets Safe Service Connection Configuration OAuth

OAuth Service Connection Fields

  • Server URL - The URL of the Secrets Safe instance from which to request a secret.
  • Client ID - The Client ID configured in BeyondInsight.
  • Client Secret - The Client Secret configured in BeyondInsight.
  • Certificate Key - (optional) The certificate private key (key.pem), used when authenticating with a client certificate. See the "Extracting Client Secret" section.
  • Certificate - (optional) The content of the certificate (cert.pem), used when authenticating with a client certificate.
  • Skip Server Certificate Verification - (optional) When set, the task does not verify the certificate authority of the TLS certificate presented by the Secrets Safe instance.

Extracting Client Secret

Download the pfx certificate from Secrets Safe and extract the certificate and the key to be pasted into the service connection.

openssl pkcs12 -in client_certificate.pfx -nocerts -out ps_key.pem -nodes

openssl pkcs12 -in client_certificate.pfx -clcerts -nokeys -out ps_cert.pem

Copy all of the text from ps_key.pem into the service connection "Certificate key" field, and all of the text from ps_cert.pem into the "Certificate" field.

Secrets Safe Secret Task Configuration

A task for retrieving secrets from BeyondTrust Secrets Safe.

Pick the service connection, then enter the path and title of the requested secret and the name of the pipeline variable to populate. The task creates and sets the pipeline variable at runtime; it contains the retrieved Secrets Safe secret, base64 encoded. Reusing the same variable name in multiple tasks overwrites the previously stored secret.

Secrets Safe secrets are base64 encoded and saved to the pipeline variable. When the variable is used in the pipeline it must be decoded. Example (the encoded value is fed to base64 on standard input and the decoded result is captured in a shell variable rather than written to the log):

secret=$(echo "$(variableFromPipeLine)" | base64 --decode)

Note: Only text data is supported for encoding. Warning: Take precautions not to log the secret in the pipeline log after base64 decoding it. It is important that security-minded engineers review pipeline composition before changes are run with access to secrets.
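The following is an added example, not part of the extension or its documentation, of consuming the base64-encoded pipeline variable in a bash step without echoing the decoded value into the log. It assumes the variable you named in the task is passed to the step as the environment variable SS_SECRET_B64 (an assumed name) and that GNU coreutils base64 is available on the agent.

```shell
#!/usr/bin/env bash
# Added example (not the BeyondTrust extension's own code): decode the base64
# pipeline variable set by the Secrets Safe task, check that it really is text
# (the extension supports text secrets only), and hand the decoded value back to
# Azure Pipelines as a masked secret variable instead of printing it.
set -eu

# Decode a base64 string to stdout. Malformed input makes base64 exit non-zero,
# so callers can fail closed rather than use garbage as a credential.
decode_secret() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# Succeed only if the decoded payload consists of printable text and whitespace.
# tr deletes every printable/space byte; anything left over means binary data.
is_text_secret() {
  [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:][:space:]')" ]
}

# Register the decoded value as a secret pipeline variable via the Azure
# Pipelines logging command, so the agent masks it in subsequent log output.
# $1 = variable name to create, $2 = decoded secret value.
register_secret() {
  printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$1" "$2"
}

# Constructed sample input: base64 of the placeholder string "s3cr3t-value".
# In a real step SS_SECRET_B64 is mapped from the task's pipeline variable.
SS_SECRET_B64="${SS_SECRET_B64:-czNjcjN0LXZhbHVl}"

if ! secret="$(decode_secret "$SS_SECRET_B64")"; then
  echo "pipeline variable is not valid base64" >&2
  exit 1
fi
if ! is_text_secret "$secret"; then
  echo "decoded secret is not text; refusing to use it" >&2
  exit 1
fi
register_secret DECODED_SECRET "$secret"
# Log only metadata about the secret, never the secret itself.
echo "secret decoded (${#secret} bytes) and registered as masked variable DECODED_SECRET"
```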
Task Fields

  • Retrieval Type
    • Secret – Secrets Safe types (credential, text, file) base64 encoded.
      • Secret Path - Path to the Secrets Safe secret. For example folder1/folder2.
      • Secret Title – Title of the Secrets Safe secret found at the path specified above.
    • Managed Account – Password Safe type account associated with a system.
      • Managed system - system managed by Password Safe.
      • Managed account - account associated with the managed system.
  • Secrets Safe service connection - Select the Secrets Safe service connection to use.
  • Pipeline Variable Name - A pipeline variable created and set at runtime that will contain your retrieved secret. Reuse of the variable name in multiple tasks overwrites the existing secret.

Secrets Safe Secret Managed Account Configuration

A task for retrieving managed account secrets from BeyondTrust Secrets Safe.

Pick the service connection, then enter the managed system and account for the requested secret and the name of the pipeline variable to populate. The task creates and sets the pipeline variable at runtime; it contains the retrieved secret. Reusing the same variable name in multiple tasks overwrites the previously stored secret.