Using OCI Vault Service with Microservices

Raghuveer Bhandarkar
3 min read · Jan 25, 2024

In this article, let us explore the OCI (Oracle Cloud Infrastructure) Vault Service. Vault Service provides secure storage and management of encryption keys and secrets.

Vault
Source: Vault icons created by Freepik — Flaticon

Use case

While building a microservice, we often need to access sensitive information such as credentials for invoking a third-party service, database credentials, etc. Storing this information in the code base, in properties or YAML files, violates basic security principles. We can use the Vault service offered by OCI to store this information instead.

OCI Vault

As a first step, let us create a Vault. A Vault is a logical entity that stores keys and secrets. While creating a Vault, we can see an option to create a virtual private Vault. A virtual private Vault saves the keys and secrets in an isolated physical partition on the Hardware Security Module (HSM).

Master Encryption Key

The secrets stored in the Vault are encrypted by a master encryption key. There are two protection modes for the master encryption key, namely HSM and Software. HSM (Hardware Security Module) keys cannot be exported from the HSM and thus offer additional security.

Let us use AES with 256-bit length as the key algorithm. Asymmetric algorithms like RSA are also supported.

Secret

Let us create a secret by using the above-created encryption key. We can choose either Base64 or plain text as a secret content type. Let us use Base64 as the type and enter a base64 encoded text as the contents of the secret.

Policy

We need a policy to allow the microservice to read secrets. We will use instance principal to authenticate. Instance principal uses the certificates present in the compute instance to authenticate.

If we are running our microservice on a Kubernetes cluster (probably OKE), then we will need to add a policy to allow the dynamic group to read secrets.

Allow dynamic-group <dynamic_group> to read secret-family in compartment <compartment_name>

SDK

Let us use the OCI Python SDK to retrieve the above-created secret. First install the SDK:

pip install oci

Then fetch and decode the secret:

import base64
import oci

# Get the auth signer (instance principal: authenticates with the compute instance's certificates)
signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
# Create a secrets client; config is empty because the signer supplies the identity
secret_client = oci.secrets.SecretsClient(config={}, signer=signer)
# Fetch the secret bundle by name from the Vault
response = secret_client.get_secret_bundle_by_name(secret_name='demo-secret', vault_id='ocid1.vault.oc1.phx.bzrsblrmaag5u.abyhqljrylqfrncujqefwadtu7y5gehddkifyn7c3qptm4el3yyvyoyb7nqq')
# The bundle content is the base64-encoded text we entered when creating the secret
secret_base64 = response.data.secret_bundle_content.content
# Base64 decode to get the original bytes
secret_value = base64.b64decode(secret_base64)
print(secret_value)

Practical Considerations

When we have multiple microservices that need to store sensitive information, we can create one Vault and add multiple secrets to the Vault. The master encryption key and the secret should be rotated periodically, to comply with security standards. We can set rules on the secret to block the secret retrieval upon expiry.
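The following is an added example (not code from the original article or from the OCI SDK) that ties together the SDK retrieval above and the rotation point made here. It assumes only the response shape the article's snippet uses (response.data.secret_bundle_content.content, plus the content_type field, "BASE64", that the Base64 content type produces); the FakeSecretsClient is a constructed offline stand-in for oci.secrets.SecretsClient so the code runs without OCI credentials. It decodes both Base64 and plain-text secret content, rejects malformed Base64 instead of silently returning garbage, and caches each secret for a TTL so a busy microservice does not call Vault on every request yet still picks up a rotated value once the TTL elapses.

```python
import base64
import binascii
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


# Constructed stand-ins mirroring the attribute path the SDK response exposes:
# response.data.secret_bundle_content.content / .content_type
@dataclass
class BundleContent:
    content: str
    content_type: str = "BASE64"  # "BASE64" is what the Base64 content type yields


@dataclass
class Bundle:
    secret_bundle_content: BundleContent


@dataclass
class Response:
    data: Bundle


class FakeSecretsClient:
    """Offline stand-in for oci.secrets.SecretsClient (constructed for this demo).
    Looks secrets up by (vault_id, secret_name) and counts API calls."""

    def __init__(self, secrets: Dict[Tuple[str, str], BundleContent]):
        self._secrets = secrets
        self.calls = 0

    def get_secret_bundle_by_name(self, secret_name: str, vault_id: str) -> Response:
        self.calls += 1
        try:
            content = self._secrets[(vault_id, secret_name)]
        except KeyError:
            raise LookupError(f"no secret {secret_name!r} in vault {vault_id!r}")
        return Response(data=Bundle(secret_bundle_content=content))


def encode_for_vault(raw: bytes) -> str:
    """Produce the base64 text you would paste into the Vault console for a Base64 secret."""
    return base64.b64encode(raw).decode("ascii")


def decode_secret_content(bundle_content: BundleContent) -> bytes:
    """Decode a secret bundle's content according to its declared content type.
    Strict base64 validation surfaces a corrupted or mis-typed secret as an error."""
    ctype = (bundle_content.content_type or "BASE64").upper()
    raw = bundle_content.content
    if ctype == "BASE64":
        try:
            return base64.b64decode(raw, validate=True)
        except binascii.Error as exc:
            raise ValueError("secret content is not valid base64") from exc
    # Plain-text secrets are returned as their UTF-8 bytes
    return raw.encode("utf-8")


class SecretCache:
    """Fetch secrets through a SecretsClient-like object and cache each value for
    `ttl` seconds. A short TTL bounds how long a rotated secret stays stale."""

    def __init__(self, client, vault_id: str, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._vault_id = vault_id
        self._ttl = ttl
        self._clock = clock  # injectable for deterministic tests
        self._entries: Dict[str, Tuple[float, bytes]] = {}

    def get(self, secret_name: str) -> bytes:
        now = self._clock()
        hit = self._entries.get(secret_name)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]  # fresh enough: no Vault round trip
        response = self._client.get_secret_bundle_by_name(
            secret_name=secret_name, vault_id=self._vault_id)
        value = decode_secret_content(response.data.secret_bundle_content)
        self._entries[secret_name] = (now, value)
        return value


def demo() -> Tuple[bytes, bytes, int]:
    """Two reads of the same secret within the TTL cause exactly one API call."""
    vault_id = "ocid1.vault.oc1..EXAMPLE"  # placeholder OCID, constructed
    client = FakeSecretsClient({
        (vault_id, "demo-secret"): BundleContent(encode_for_vault(b"db-password-1")),
    })
    cache = SecretCache(client, vault_id, ttl=60)
    first = cache.get("demo-secret")
    second = cache.get("demo-secret")
    return first, second, client.calls


if __name__ == "__main__":
    first, second, calls = demo()
    print(f"decoded {len(first)} bytes; cache hit: {first == second}; API calls: {calls}")
```

In production the FakeSecretsClient is replaced by the real oci.secrets.SecretsClient from the snippet above; SecretCache only relies on the get_secret_bundle_by_name call and the response attributes the article already uses. Keep the decoded value out of logs and choose a TTL short enough to meet your rotation window.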

Conclusion

Here, we have used Vault for storing and accessing secrets. This is just one of the many use cases of OCI Vault service.


Written by Raghuveer Bhandarkar

Machine Learning, Architecture, Georgia Tech Alumni.

No responses yet

Write a response

Recommended from Medium

Lists

See more recommendations