
OCI Vault service

Intro

The OCI Vault can manage both keys and secrets.

One common use case is to retrieve a secret from the Vault in order to access a resource. Additionally, an application can be designed to cache a secret and use it for as long as it is needed.

Setup

Create Vault

In the OCI Console: burger menu - Security - Vault.

Create Key

In the Vault, create a key that will be used to protect your secrets.

Create Secret

Finally, create secrets, with one or more versions (if the secret is to be rotated).

Usage

Find a secret (or password)

For those who have access rights, the secret's content can be seen via the OCI Console, the oci command, or the Python SDK.

Use a secret (password) in a script or application

But the more useful use case is getting a secret from the Vault and using it in a script or application. For example, this oci command (with sed and base64 added to strip the JSON quotes and decode the base64 content) reads the secret named "well_known_root_password". You must know the secret's OCID.
$ oci secrets secret-bundle get --secret-id=ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca \
  --query 'data."secret-bundle-content".content' | sed 's/"//g' | base64 -d

youknowme

This snippet can be reused in other scripts that need this password. In case of password rotation (or setting up a new one), no change is needed in the script/application, since the command above always returns the current (valid) version of the secret.

Similarly, this can be used to SSH as root into a host (zdudic-host). sshpass (a non-interactive ssh password provider) runs SSH with "keyboard-interactive" password authentication, but non-interactively! Keep in mind that a password given with -p is visible in the process list (ps) to every user on the machine while the command runs; sshpass can also read it from the SSHPASS environment variable (-e) or from a file (-f).
$ sshpass -p \
> `oci secrets secret-bundle get --secret-id=ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca \
> --query 'data."secret-bundle-content".content' | sed 's/"//g' | base64 -d` \
> ssh root@zdudic-host

Last login: Wed Apr  8 17:15:32 2020 from dhcp-xxx
[root@zdudic-host ~]#

Python-SDK

This is a short Python3 script that reads a secret (password) from a Vault by the secret's OCID. Again, this code can be called by other tools, or turned into a function inside other scripts.

If your OCI config file and profile are not the defaults, you can pass your own values.
$ read-secret.py -h
usage: read-secret.py [-h] -s SECRET_ID [-c CONFIG] [-p PROFILE]
 
Read OCI secret
 
optional arguments:
  -h, --help            show this help message and exit
  -s SECRET_ID, --secret_id SECRET_ID
                        OCI secret ID
  -c CONFIG, --config CONFIG
                        OCI config file, default is ~/.oci/config
  -p PROFILE, --profile PROFILE
                        Config profile, default is DEFAULT

$ read-secret.py -s ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca

youknowme

The code:
#!/usr/bin/python3
import sys
import oci
import base64
import argparse

parser = argparse.ArgumentParser(description="Read OCI secret")
parser.add_argument("-s", "--secret_id", help="OCI secret ID", required=True)
parser.add_argument("-c", "--config", help="OCI config file, default is ~/.oci/config", default="~/.oci/config")
parser.add_argument("-p", "--profile", help="Config profile, default is DEFAULT", default="DEFAULT")
args = parser.parse_args()

try:
    # Load the config inside the try block, otherwise the two handlers below can never fire
    ociconfig = oci.config.from_file(args.config, args.profile)
    secret_client = oci.secrets.SecretsClient(ociconfig)
    # No version or stage is given, so the bundle of the CURRENT secret version is returned
    response = secret_client.get_secret_bundle(args.secret_id)
    # The bundle carries the secret as base64 text; decode it back to the plaintext password
    base64_secret_content = response.data.secret_bundle_content.content
    secret_content = base64.b64decode(base64_secret_content).decode('utf-8')
    print(secret_content)
except oci.exceptions.ConfigFileNotFound as e:
    sys.exit("oci.exceptions.ConfigFileNotFound: {0}".format(e))
except oci.exceptions.ProfileNotFound as e:
    sys.exit("oci.exceptions.ProfileNotFound: {0}".format(e))
except Exception as e:
    sys.exit("Cannot get secret {0}: {1}".format(args.secret_id, e))
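The caching idea from the Intro and the note above that a rotated password needs no script change, worked through as an added example (my code, not the author's script): a small cache that reuses the decoded secret and goes back to the Vault only when the consumer reports that the cached value stopped working. The OCI-backed fetcher uses the same SDK calls as read-secret.py; the Vault, the host and the secret OCID in the demo are constructed stand-ins.

```python
import base64
import binascii
from typing import Callable, Dict, Tuple

def decode_bundle_content(b64_content: str) -> str:
    """Decode the base64 'content' field of a secret bundle; reject malformed input rather than return garbage."""
    try:
        return base64.b64decode(b64_content, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as e:
        raise ValueError("secret bundle content is not valid base64 text: {0}".format(e))

def oci_bundle_fetcher(config_file: str = "~/.oci/config", profile: str = "DEFAULT") -> Callable[[str], str]:
    """Fetcher backed by the OCI SDK (imported lazily so the demo below runs without it installed)."""
    import oci
    client = oci.secrets.SecretsClient(oci.config.from_file(config_file, profile))
    # Same call as read-secret.py: no version/stage given, so the CURRENT version is returned
    return lambda secret_id: client.get_secret_bundle(secret_id).data.secret_bundle_content.content

class SecretCache:
    """Keep decoded secrets in memory and re-fetch only when a cached value stops working."""
    def __init__(self, fetch: Callable[[str], str]):
        self._fetch = fetch
        self._cache: Dict[str, str] = {}
        self.fetches = 0          # how often the Vault was actually queried

    def get(self, secret_id: str, refresh: bool = False) -> str:
        if refresh or secret_id not in self._cache:
            self._cache[secret_id] = decode_bundle_content(self._fetch(secret_id))
            self.fetches += 1
        return self._cache[secret_id]

    def use(self, secret_id: str, attempt: Callable[[str], bool]) -> bool:
        """Try the cached secret; if it fails, re-fetch once so a rotated password heals without a code change."""
        if attempt(self.get(secret_id)):
            return True
        return attempt(self.get(secret_id, refresh=True))

def demo_rotation() -> Tuple[bool, bool, bool, int]:
    """Constructed stand-ins: a fake Vault keyed by a placeholder OCID, and a host that accepts one password."""
    secret_id = "ocid1.vaultsecret.oc1..PLACEHOLDER"
    vault = {secret_id: base64.b64encode(b"youknowme").decode("ascii")}
    host = {"password": "youknowme"}
    cache = SecretCache(lambda sid: vault[sid])
    login = lambda pw: pw == host["password"]        # stand-in for the SSH/DB login that consumes the secret
    first = cache.use(secret_id, login)              # first use: one Vault fetch, then cached
    second = cache.use(secret_id, login)             # served from cache, no Vault call
    host["password"] = "n3w-pass"                    # rotate on the host ...
    vault[secret_id] = base64.b64encode(b"n3w-pass").decode("ascii")   # ... and store the new version in the Vault
    third = cache.use(secret_id, login)              # old value fails once, the re-fetch picks up the new one
    return first, second, third, cache.fetches       # (True, True, True, 2)
```

For real use, build the cache with SecretCache(oci_bundle_fetcher()) and pass the actual login or connect call as attempt.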

