Introducing our Credentials Vault
In many areas of Kentik Portal, users now have to input credentials that our systems will use for a variety of purposes:
- HTTP Synthetic tests
  - HTTP(s)/API tests
  - PageLoad tests
  - Transaction tests
- Kentik-registered devices
  - SNMP polling community strings
  - Streaming Telemetry Credentials
  - BGP MD5
We are introducing Credentials Vault as an elegant way to manage these more centrally and securely.
Where are credentials most used in Kentik Portal?
Credentials in HTTP Synthetic Tests
Imagine your company runs multiple tens or hundreds of Synthetic tests. Now also imagine that one of the credentials used in these tests needs rotating, which happens quite frequently. This would normally require a user to go and edit all of these tests one by one to update the credentials. This manual update process poses multiple problems:
- The obvious time sink involved to reconfigure every test
- If one of these credentials becomes compromised, users are unable to swap it out quickly and efficiently, making it difficult for our users to harden their security posture and rotate credentials frequently.
We aimed to fix this by releasing our Credentials Vault.
Kentik-registered Devices
To enrich the Network Telemetry from your Kentik-registered devices, you provide us with SNMP polling credentials (whether v1, v2c or v3) to pull such attributes as interface descriptions and names at frequent intervals. Our users routinely have multiple hundreds of devices, and this poses the following issues:
- Copy/pasting credentials across devices definitely increases the chance of a typo
- These credentials are defined with each device registered with Kentik, which makes changing them on large sets of devices time-consuming and tedious
- Again, local definition of credentials increases the friction preventing companies from being able to efficiently and frequently rotate credentials
This is another reason we built Credentials Vault.
What is the Credentials Vault
The Credentials Vault can be accessed in the company menu, as shown in the screenshot below:
It is a central facility allowing Kentik users to securely store their credentials.
- Securely:
  - All credentials are double encrypted at rest with a unique key for all Kentik tenants and a global key that only our backend systems know
  - Credentials are write-only: you can modify an existing credential, but you cannot view it
  - Management capabilities are governed by our newly released RBAC engine
- Centrally:
  - Credentials defined in the Vault can be used in different parts of the portal – the initial release focuses on Synthetic tests, but we will extend it in the future quarters.
  - Modify a credential in use, and any portal component leveraging it (Synthetic Tests, and even more in the near future) will immediately use the updated one.
  - Delete a credential and all tests immediately stop functioning
- Flexibly: each credential is either
  - 1) a templated credential with fixed fields (this feature will be leveraged in a future release)
  - 2) a free-form key/value store: this means you can store multiple useful fields within a single credential – a good example is an HTTPS API credential, where you will store
    - the name of the HTTP header to put your token in
    - the username part of the header value
    - the token part of the header value
Using a Credentials Vault secret in Synthetic HTTP(s) Tests
With your credentials ready, you can now summon them in any Synthetic HTTP test, and selectively configure each field of your test with a field of your choice from this credential, as shown below:
Clicking on the Credentials Vault button will summon a credentials manager where you will be able to pick from and copy/paste into whichever field you want, see below:
As you can see, the fields of the test where the credential key/values are summoned do not contain the actual value, but a programmatic expression of them, such as $vault("kentik_api_token.token_value"). The value for a key in a credential follows this nomenclature: $vault(" and assigns the value for credential_key to the test configuration field.
Note:
To make this possible, Credential Names and Key Names within a credential follow strict rules. This is simply because they can also be summoned in a transaction test, which is why we wanted them to have a JavaScript-friendly format.
What's next?
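The reference mechanism described above, sketched as an added example (this is not Kentik's code): a stored test keeps only $vault(...) expressions, they are resolved at run time, rotating the credential once changes what every test sends, and a deleted credential makes resolution fail. The identifier grammar, the header name and the secret values are assumptions constructed for illustration.

```javascript
// Added example, not Kentik code: resolve $vault("credential.key") references at run time.
// Assumption: names follow JavaScript identifier rules; the page gives no exact grammar.
const IDENT = "[A-Za-z_$][A-Za-z0-9_$]*";
const VAULT_REF = new RegExp(`\\$vault\\("(${IDENT})\\.(${IDENT})"\\)`, "g");

// Constructed sample vault: credential name -> free-form key/value fields.
const vault = new Map([
  ["kentik_api_token", { header_name: "X-Auth", token_value: "s3cr3t-v1" }],
]);

// Replace every $vault(...) reference in one config string; fail closed on a miss.
function resolveField(text, store) {
  return text.replace(VAULT_REF, (ref, name, key) => {
    const cred = store.get(name);
    if (!cred || !Object.prototype.hasOwnProperty.call(cred, key)) {
      throw new Error(`unresolved vault reference: ${name}.${key}`);
    }
    return cred[key];
  });
}

// Resolve a stored test definition at run time; the stored copy keeps only references.
function resolveTest(test, store) {
  const headers = {};
  for (const [h, v] of Object.entries(test.headers)) {
    headers[resolveField(h, store)] = resolveField(v, store);
  }
  return { ...test, headers };
}

// List the credentials a test depends on, e.g. to see what a deletion would break.
function referencedCredentials(test) {
  const names = new Set();
  for (const part of Object.entries(test.headers).flat()) {
    for (const m of part.matchAll(VAULT_REF)) names.add(m[1]);
  }
  return [...names];
}

// Constructed test definition, as it would be stored: no secret material in it.
const storedTest = {
  url: "https://api.example.test/health",
  headers: {
    '$vault("kentik_api_token.header_name")': 'Bearer $vault("kentik_api_token.token_value")',
  },
};
```

Running referencedCredentials over every stored test before deleting a credential shows which tests would stop working.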
We are already working on the next areas of Kentik Portal where Credentials Vault is going to be made available.
One of them is a secret project we are currently working on (be patient, it's coming very soon!), and the other obvious one is Kentik-registered devices, which we are hoping to release within the first quarter of this year.
Next on the list, we are evaluating requests to add Synchronization with Secret Vaults as a Service providers such as AWS or HashiCorp's Vault – more to come on that in the future.
Lastly, we will eventually turn to Kentik Integrations such as Notification Channels, so that credentials from the Vault can be used in their configurations.