
Enabling Secrets Storage in Scale

Mike Holt edited this page Oct 23, 2018 · 2 revisions

Implementing Secrets Storage with Scale

Starting with version 4.4, Scale supports the use of an external secrets storage and management service. Once one of the supported services is set up, job settings that are designated as secrets are no longer stored in the Scale database. Instead, these values are stored with the configured secrets service and retrieved from it when the job is run.

Secrets usage in Scale is currently compatible with Vault by Hashicorp and the DC/OS Secrets Store.

Vault by Hashicorp

A standalone secrets management service. Reference Documentation

If you already have an instance of Vault running, you can skip to deploying Scale.

Running Vault standalone

Hashicorp has good documentation on installing Vault standalone here.

Running Vault in DC/OS

See this GitHub project for the needed files and a walkthrough.

Generate Token

See this documentation on generating a new token for Scale. At this time Scale needs a token with root access.

Deploying Scale with Vault

Assuming you already have a working Scale service running in DC/OS, the only thing you need to do is provide two additional environment variables to Scale to start using secrets. These can be added by modifying the Scale service configuration in DC/OS.

  • SECRETS_URL is the URL to the API entry point for the Vault service.

    • Example:
      "SECRETS_URL": "http://140.32.192.60:8200"

  • SECRETS_TOKEN is the permission token that Scale will use to authenticate with Vault.

    • Example:
      "SECRETS_TOKEN": "feskrt64-02kq-vh22-l3q5-xh3p65123456"

DC/OS Secrets Store

A secrets management solution included in DC/OS Enterprise Edition. Reference Documentation

Setting up a service account

  1. Remote in to a DC/OS node.
  2. Generate a key pair for the service account:
     $ dcos security org service-accounts keypair private-key.pem public-key.pem
  3. Add the private key to DC/OS as a new secret:
    • Browse to System > Security > Secrets in the web interface and click New Secret.
    • Name the secret SCALE_SECRETS_SA_KEY, or something similar.
    • Copy in the contents of private-key.pem from Step 2.
  4. Add a new service account that Scale will use to access the secrets in DC/OS:
    • Browse to System > Organization > Service Accounts and click Add New Service Account.
    • Enter Scale_Secrets_Agent, or something similar, as the ID.
    • Enter Service account for accessing secrets with Scale, or something similar, as the description.
    • Copy in the contents of public-key.pem from Step 2.
  5. Modify the settings of the new account:
    • Browse to System > Organization > Service Accounts > [Scale_Secrets_Agent].
    • Click Add Permission, set Enforcer to Secrets Store and allow all actions.
    • NOTE: As of 17 March 2017 this function is not working. To get things working instead:
      • Browse to System > Organization > Groups > superusers > Service Accounts and add the service account from Step 4.

Deploying Scale

Assuming you already have a working Scale service running in DC/OS, the only thing you need to do is provide three additional environment variables to Scale to start using secrets. These can be added by modifying the Scale service configuration in DC/OS.

  • SECRETS_URL is the URL address of the DC/OS cluster.

    • Example:
      "SECRETS_URL": "http://140.32.192.62"

  • DCOS_SERVICE_ACCOUNT is the account set up to access secrets.

    • Example:
      "DCOS_SERVICE_ACCOUNT": "Scale_Secrets_Agent"

  • SECRETS_TOKEN is the private key generated when setting up the service account. It is not pasted in as a literal value; the variable references the DC/OS secret created in Step 3, and the "secrets" block that resolves that reference sits at the top level of the service definition, alongside "env".

    • Example:
      "SECRETS_TOKEN": {
          "secret": "secret0"
      }

      "secrets": {
          "secret0": {
              "source": "SCALE_SECRETS_SA_KEY"
          }
      }
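
A quick preflight check for either configuration above, written as an added example (it is not part of Scale or of this page). It takes the environment mapping Scale would see, works out whether the Vault variables or the DC/OS variables are set, and reports obvious mistakes: a SECRETS_URL without a scheme, an empty token, a Vault-style token where a PEM private key is expected, and a remote SECRETS_URL served over plain http. The function name and the exact checks are this example's own assumptions.

```python
from urllib.parse import urlparse


def detect_secrets_backend(env):
    """Classify a Scale environment as ('vault' | 'dcos' | None, errors, warnings).

    Two variables (SECRETS_URL, SECRETS_TOKEN) select Vault; adding
    DCOS_SERVICE_ACCOUNT selects the DC/OS Secrets Store, where SECRETS_TOKEN
    must carry the PEM private key that Marathon injects from the DC/OS secret.
    """
    errors, warnings = [], []
    url = env.get("SECRETS_URL", "").strip()
    token = env.get("SECRETS_TOKEN", "").strip()
    account = env.get("DCOS_SERVICE_ACCOUNT", "").strip()

    # Nothing set at all: secrets support is simply not enabled.
    if not url and not token and not account:
        return None, errors, warnings

    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        errors.append("SECRETS_URL must be an absolute http(s) URL, got %r" % url)
    elif parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
        # Not fatal, but the token is sent to this endpoint on every request.
        warnings.append("SECRETS_URL uses plain http to a remote host")

    if not token:
        errors.append("SECRETS_TOKEN is empty")

    looks_like_pem = token.startswith("-----BEGIN") and "PRIVATE KEY-----" in token

    if account:
        # DC/OS: the token is the private half of the service account key pair.
        if not looks_like_pem:
            errors.append("SECRETS_TOKEN should be the PEM private key for %s" % account)
        return "dcos", errors, warnings

    # Vault: the token is an opaque string; a PEM block here means the
    # DC/OS-style secret reference was used without DCOS_SERVICE_ACCOUNT.
    if looks_like_pem:
        errors.append("SECRETS_TOKEN is a PEM key but DCOS_SERVICE_ACCOUNT is not set")
    return "vault", errors, warnings
```

Run it against the DC/OS-injected environment (for example from a one-off task in the same service definition) before restarting Scale, so a mis-pasted variable is caught before jobs start failing to resolve their secrets.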
      
