You may be familiar with storing shared account passwords and how to retrieve them via password checkouts using Centrify Privilege Service (CPS). But did you know that in addition to storing passwords, you can now also store secrets such as API keys/tokens and encryption keys within CPS? This short article will describe how you can store these secrets and make them available for use, while ensuring their security using role-based access control and multifactor authentication.
Note: This is a preview of a CPS 17.6 feature, coming soon!
Step 1 - Adding a Secret
Log into Centrify Privilege Service and, under the Infrastructure tab, look for the new "Secrets" feature. Select it and then click "Add Text" (for a string value such as an API key) or "Add File" (for a file such as an encryption key in a particular format).
In this example, we're storing an API key, so we'll choose "Add Text". Give it a name and paste the string value of the Secret:
Click Save to store the secret.
Step 2 - Securing secrets - Access Control and MFA
In this example, we want to control who can access this API key from the CPS interface. Let's restrict it to only developers working on a project called "Project X". I've already created a role within CPS that has the members of the developer team associated with it. To restrict access to the secret, simply:
i. Click on the secret
ii. Select Permissions --> Click Add
iii. Choose the Role - in this case "Project X - Developer" and click Add
iv. Finally, select the Role, give it the "Retrieve Secret" right, and click Save. (Optionally, also grant the "Edit" right if you want to allow them to change the secret.)
Optionally, you can set an MFA policy to require a multifactor authentication challenge be satisfied before access to the secret is granted. To configure that, click on the "Policy" tab and configure the policy to your liking. For brevity I simply set the Default Secret Access Challenge to correspond to my own MFA policy used for demos:
Step 3 - Retrieving a Secret
Select the Secret and, using the Actions button, choose Retrieve.
If MFA has been configured, you will need to satisfy the MFA challenge to verify that you are an authorized individual before continuing:
You can choose to hide/show the text or copy it to the clipboard.
In summary, Centrify Privilege Service allows you to store secrets such as API keys/tokens and encryption keys, and make them available to authorized individuals using role-based access control and multifactor authentication.