
passbolt-salt

About

This Python module allows you to manage secrets for Saltstack via Passbolt. This makes managing secrets easier than manually encrypting them and storing the encrypted password in the Saltstack repository.

Additionally, it is possible to have a single source of truth for the passwords of users and IT infrastructure while still managing access to each password individually. That means that all users can contribute to the Saltstack configuration and manage (view/add/change) the secrets within their own area of responsibility.

License

MIT

Production Setup

  1. Go to your Salt master and install the module with salt-pip

    salt-pip install passbolt-salt

    This will install this module and its dependencies.

  2. Create a Passbolt account for the Salt master.

  3. Copy the private and public PGP key files to /etc/salt.

  4. Import the new Passbolt private key on the Salt master:

    gpg --import /etc/salt/passbolt_private.asc

  5. Create a /etc/salt/passbolt.ini file with the following content:

    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]

  6. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
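A sanity check for the files created in steps 5 and 6, added here as an example; it is not part of passbolt-salt. `check_passbolt_ini` and `demo` are names of this example, and the key files `demo` writes are constructed placeholders, not real PGP keys.

```python
import configparser, re, stat, tempfile
from pathlib import Path
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$", re.I)
REQUIRED = ("SERVER", "USER_FINGERPRINT", "USER_PUBLIC_KEY_FILE",
            "USER_PRIVATE_KEY_FILE", "PASSPHRASE")

def _mode_problems(path):
    """Step 6: neither the INI nor the key files may be group/other readable."""
    if not path.exists():
        return [f"{path}: does not exist"]
    mode = stat.S_IMODE(path.stat().st_mode)
    return [f"{path}: mode {mode:04o}, expected 0600"] if mode & 0o077 else []

def check_passbolt_ini(ini_path):
    """Return a list of problems; an empty list means the setup looks sane."""
    ini_path = Path(ini_path)
    # interpolation=None so a '%' inside PASSPHRASE is not treated as a template
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(ini_path) or "PASSBOLT" not in cfg:
        return [f"{ini_path}: unreadable or missing [PASSBOLT] section"]
    sec = cfg["PASSBOLT"]
    problems = [f"{k} is missing, empty or still a [REPLACE ...] placeholder"
                for k in REQUIRED if not sec.get(k) or sec[k].startswith("[REPLACE")]
    if sec.get("SERVER", "").lower().startswith("http://"):
        problems.append("SERVER is plain http; secrets would cross the wire in clear")
    fp = sec.get("USER_FINGERPRINT", "").replace(" ", "")
    if fp and not FINGERPRINT_RE.match(fp):
        problems.append("USER_FINGERPRINT is not a 40-hex-digit GPG fingerprint")
    problems += _mode_problems(ini_path)          # the INI holds the passphrase
    for key in ("USER_PRIVATE_KEY_FILE", "USER_PUBLIC_KEY_FILE"):
        if sec.get(key):
            problems += _mode_problems(Path(sec[key]))
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        priv, pub, ini = (Path(d) / n for n in
                          ("passbolt_private.asc", "passbolt_public.asc", "passbolt.ini"))
        for p in (priv, pub):
            p.write_text("-----BEGIN PGP ... (constructed placeholder, not a key)-----\n")
        ini.write_text(f"[PASSBOLT]\nSERVER = https://passbolt.example.com\n"
                       "USER_FINGERPRINT = 0123456789ABCDEF0123456789ABCDEF01234567\n"
                       f"USER_PUBLIC_KEY_FILE = {pub}\nUSER_PRIVATE_KEY_FILE = {priv}\n"
                       "PASSPHRASE = c0rrect%horse\n")
        for p in (priv, pub, ini):
            p.chmod(0o600)
        good = check_passbolt_ini(ini)
        priv.chmod(0o644)            # simulate forgetting step 6
        bad = check_passbolt_ini(ini)
    return good, bad
```

Run `check_passbolt_ini("/etc/salt/passbolt.ini")` as root on the master; anything it returns is a setup step that was skipped.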

Use Passwords of Passbolt Group in Pillar

Look into the example directory to see how the integration is done.

  1. Create Pillar sls files for the different Salt minions, insert the content below and replace the group UUID.

    #!py
    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")

Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.

  2. In a state, reference secrets with their UUID. See example/salt/important_secrets/files/secret.conf.

    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}

Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

Performance

All passwords are decrypted with a single process (gpg-agent). If many minions need to access their Pillar at the same time, the gpg-agent becomes a bottleneck. To avoid this bottleneck, the Pillar cache can be enabled for the Salt master with pillar_cache: True. The following crontab entry updates the Pillar cache twice a day:

0 */12 * * * rm -rf /var/cache/salt/master/pillar_cache/* && salt '*' -b1 pillar.items

YAML Replacement Structure

If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python Pillar code shown in the previous section:

passbolt:
  3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET


Issues

Dependency issue (passbolt-salt -> passbolt-python-api)

Steps to reproduce:

  • Salt (onedir, version 3007.1)
  • salt-pip install passbolt-salt

Result:

# salt-pip install passbolt-salt
Collecting passbolt-salt
  Downloading passbolt_salt-1.0.3-py3-none-any.whl.metadata (3.8 kB)
Collecting passbolt-python-api (from passbolt-salt)
  Downloading passbolt_python_api-0.3.5-py3-none-any.whl.metadata (4.1 kB)
Requirement already satisfied: certifi>=2019.6.16 in /opt/saltstack/salt/lib/python3.10/site-packages (from passbolt-python-api->passbolt-salt) (2023.7.22)
Collecting chardet>=3.0.4 (from passbolt-python-api->passbolt-salt)
  Downloading chardet-5.2.0-py3-none-any.whl.metadata (3.4 kB)
Requirement already satisfied: charset-normalizer>=2.0.8 in /opt/saltstack/salt/lib/python3.10/site-packages (from passbolt-python-api->passbolt-salt) (3.2.0)
Requirement already satisfied: idna>=2.8 in /opt/saltstack/salt/lib/python3.10/site-packages (from passbolt-python-api->passbolt-salt) (3.7)
Requirement already satisfied: python-gnupg>=0.4.7 in /opt/saltstack/salt/lib/python3.10/site-packages (from passbolt-python-api->passbolt-salt) (0.5.2)
Collecting requests==2.26.0 (from passbolt-python-api->passbolt-salt)
  Downloading requests-2.26.0-py2.py3-none-any.whl.metadata (4.8 kB)
Collecting typing-extensions==4.0.0 (from passbolt-python-api->passbolt-salt)
  Downloading typing_extensions-4.0.0-py3-none-any.whl.metadata (1.7 kB)
Requirement already satisfied: urllib3>=1.25.3 in /opt/saltstack/salt/lib/python3.10/site-packages (from passbolt-python-api->passbolt-salt) (1.26.18)
Collecting charset-normalizer>=2.0.8 (from passbolt-python-api->passbolt-salt)
  Downloading charset_normalizer-2.0.12-py3-none-any.whl.metadata (11 kB)
Downloading passbolt_salt-1.0.3-py3-none-any.whl (4.4 kB)
Downloading passbolt_python_api-0.3.5-py3-none-any.whl (10.0 kB)
Downloading requests-2.26.0-py2.py3-none-any.whl (62 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.3/62.3 kB 801.7 kB/s eta 0:00:00
Downloading typing_extensions-4.0.0-py3-none-any.whl (22 kB)
Downloading chardet-5.2.0-py3-none-any.whl (199 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 199.4/199.4 kB 2.7 MB/s eta 0:00:00
Downloading charset_normalizer-2.0.12-py3-none-any.whl (39 kB)
Installing collected packages: typing-extensions, charset-normalizer, chardet, requests, passbolt-python-api, passbolt-salt
  Attempting uninstall: typing-extensions
    Found existing installation: typing_extensions 4.8.0
    Uninstalling typing_extensions-4.8.0:
      Successfully uninstalled typing_extensions-4.8.0
  Attempting uninstall: charset-normalizer
    Found existing installation: charset-normalizer 3.2.0
    Uninstalling charset-normalizer-3.2.0:
      Successfully uninstalled charset-normalizer-3.2.0
  Attempting uninstall: requests
    Found existing installation: requests 2.31.0
    Uninstalling requests-2.31.0:
      Successfully uninstalled requests-2.31.0
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
pydantic 2.6.4 requires typing-extensions>=4.6.1, but you have typing-extensions 4.0.0 which is incompatible.
pydantic-core 2.16.3 requires typing-extensions!=4.7.0,>=4.6.0, but you have typing-extensions 4.0.0 which is incompatible.
salt 3007.1 requires charset-normalizer==3.2.0, but you have charset-normalizer 2.0.12 which is incompatible.
salt 3007.1 requires requests==2.31.0, but you have requests 2.26.0 which is incompatible.
salt 3007.1 requires typing-extensions==4.8.0, but you have typing-extensions 4.0.0 which is incompatible.
Successfully installed chardet-5.2.0 charset-normalizer-2.0.12 passbolt-python-api-0.3.5 passbolt-salt-1.0.3 requests-2.26.0 typing-extensions-4.0.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip is available: 23.3.2 -> 24.0
[notice] To update, run: /opt/saltstack/salt/bin/python3.10 -m pip install --upgrade pip

Any ideas on how to fix salt breaking or avoid dependency issues?
