Conceal, Summon, PROFIT!!!

By Joe Garcia

Elevator Pitch

CLIs are used more and more, but they are notorious for dropping plain-text secrets for authentication onto the user’s local filesystem. In this session I’ll show you how to get those secrets out of plain text and into your OS credential store while still authenticating successfully - all for FREE!

Description

In today’s world of everything “-as-a-Service”, it’s becoming increasingly difficult to authenticate securely to these external services from a local CLI. CLIs are notorious for dropping plain-text credentials into a file on the user’s filesystem. Every OS available today ships with a credential store out of the box, yet these stores are still underused or not used at all: either they’re deemed too complex, or there’s no easy way to get what is stored in them into the tool that needs it. A better end-to-end experience is needed. In this session, we’ll use open-source tools and OS-provided credential stores to connect to AWS with the AWS CLI without the secrets ever sitting on disk in plain text. We’ll see how to store the necessary secrets in Windows Credential Manager or the macOS Keychain. We’ll use open-source tools, Summon and Secretless Broker, to inject those secrets just-in-time for authentication. Finally, we’ll use the AWS CLI to make calls to the external service without ever needing to unmask the secrets, allowing you to “shift security as far left” as you possibly can: to the user’s endpoint.

  • Conceal will allow us to store secrets in, and retrieve them from, the OS-provided credential stores.
  • Summon will allow us to inject secrets from the OS-provided credential stores into the environment of the AWS CLI sub-process, for the lifetime of that process only.
  • Secretless Broker will allow us to proxy the CLI’s HTTPS traffic and sign only the requests bound for AWS API endpoints with the access key, so the CLI process itself never holds the key.
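To make the Summon half of that workflow concrete, here is an added example (written for this page; it is not the talk’s demo script and not code from the Conceal, Summon or Secretless projects). It writes a Summon secrets.yml that contains only references into the OS keyring, a constructed sample of the plain-text ~/.aws/credentials file the AWS CLI normally leaves behind, and the cleaned-up version of that file, then adds two checks a practitioner would want: a count of inline AWS keys in a credentials file, and a guard that no literal value has crept into secrets.yml. The secrets.yml syntax (ENV_NAME: !var <secret-id>) and the `summon -p <provider> -f <file> <command>` invocation are Summon’s own; the assumption that the summon-keyring provider resolves ids of the form `<service>/<username>`, matching what `keyring set <service> <username>` stores, should be checked against the provider’s README before relying on it. All key values are fake.

```shell
#!/bin/sh
# Added example: not from the talk nor from the Conceal/Summon/Secretless projects.
# Real: Summon's secrets.yml format and `summon -p <provider> -f <file> <cmd>`.
# ASSUMED (verify against cyberark/summon-keyring): secret ids are
# "<service>/<username>", matching `keyring set <service> <username>`.
set -u

WORK="$(mktemp -d)"

# 1. Summon config: references into the OS credential store only, never values.
cat > "$WORK/secrets.yml" <<'EOF'
AWS_ACCESS_KEY_ID: !var summon/aws_access_key_id
AWS_SECRET_ACCESS_KEY: !var summon/aws_secret_access_key
EOF

# 2. CONSTRUCTED sample of what `aws configure` writes to ~/.aws/credentials.
#    Fake values; this is the on-disk plain text the talk wants removed.
cat > "$WORK/credentials.plain" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = fakefakefakefakefakefakefakefakefakefake
EOF

# 3. Same file after the keys moved into the keychain: only non-secret settings
#    remain, so the AWS CLI has to take its keys from the environment Summon builds.
cat > "$WORK/credentials.clean" <<'EOF'
[default]
region = us-east-1
output = json
EOF

# count_plaintext_aws_keys FILE
#   Prints how many lines assign an AWS access key or secret inline. A value
#   beginning with "!" is a Summon reference, not a leak, and is not counted.
count_plaintext_aws_keys() {
    grep -Eic '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=[[:space:]]*[^[:space:]!]' "$1" || true
}

# secrets_yml_is_reference_only FILE
#   Succeeds only if every non-blank, non-comment line is "NAME: !var <id>",
#   i.e. nobody pasted a literal secret into the Summon config.
secrets_yml_is_reference_only() {
    ! grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*!var[[:space:]]+[^[:space:]]+[[:space:]]*$' "$1" >/dev/null
}

# run_aws_via_summon AWS-SUBCOMMAND...
#   Resolves the two keys from the keyring and places them only in the child
#   process environment. Returns 127 when the tools are absent so the rest of
#   this script still runs offline.
run_aws_via_summon() {
    if ! command -v summon >/dev/null 2>&1 || ! command -v aws >/dev/null 2>&1; then
        echo "summon and/or aws not installed; skipping live call" >&2
        return 127
    fi
    # One-time setup (interactive prompts; the value is not echoed or stored on disk):
    #   keyring set summon aws_access_key_id
    #   keyring set summon aws_secret_access_key
    summon -p summon-keyring -f "$WORK/secrets.yml" aws "$@"
}

# Demonstration when run directly.
echo "plaintext keys in credentials.plain: $(count_plaintext_aws_keys "$WORK/credentials.plain")"
echo "plaintext keys in credentials.clean: $(count_plaintext_aws_keys "$WORK/credentials.clean")"
secrets_yml_is_reference_only "$WORK/secrets.yml" && echo "secrets.yml holds references only"
run_aws_via_summon sts get-caller-identity || true
```

The point of the two checks is that the move to the keychain is only as good as its verification: after `conceal`/`keyring` has the values, the credentials file should count zero inline keys, and secrets.yml should fail the reference-only check the moment someone pastes a key into it. The temporary directory in `$WORK` is left in place so the files can be inspected; remove it when done.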

Notes

  • Conceal is not supported by CyberArk; it is an open-source project created and maintained by me.
    • It supports the macOS Keychain and Windows Credential Manager for storing and retrieving secrets.
  • Summon is an open-source project maintained by CyberArk.
    • For this talk, we will use the keyring provider for Summon.
  • Secretless Broker is an open-source project maintained by CyberArk.
    • For this talk, we will use the AWS service connector with the keyring provider.

The workflow shown in this talk is intended for individual use on a developer’s endpoint and is not recommended for enterprise-wide or production usage.