SECRETLESS BROKER
With the Secretless Broker feature of Conjur, applications can securely connect to databases, services and other protected resources – without fetching or managing secrets.
Secretless Broker is an independent and extensible open source community project maintained by CyberArk. Today Secretless Broker works within Kubernetes and OpenShift container platforms with Conjur, Application Access Manager’s Dynamic Access Provider, and Kubernetes Secrets vaults.
Secretless Broker Simplifies How Applications Securely Access Resources
Modern Solution Architecture (developers and apps handle secrets)
Developer responsibilities:
- Make API calls to fetch secrets
- Securely handle secrets
- Securely connect to target

Secretless Broker Architecture (apps and developers are secretless)
Developer responsibilities:
- Securely connect to target
Why Secretless Broker?
Simplifies how applications securely access resources
- Eliminates the need for developers to write code (and learn APIs) for their applications to directly interact with secrets management solutions
- Simplifies the process for applications to securely connect to databases, web applications, and other supported services in a transparent way with open source code
Makes secrets management easier for developers by removing it as a responsibility
- It is easier for developers to write application code that accesses resources through Secretless Broker than to use insecure mechanisms, such as hardcoding credentials, or to interact directly with the secrets provider and then use the retrieved credentials to access the resource.
- Developers are no longer accountable if a secret is compromised because they never had access to it. This is done in a transparent way with open source code.
Reduces the attack surface by preventing secrets being exposed to applications – applications cannot leak credentials that they don’t have access to
- Secretless Broker isolates applications from interacting with credentials – eliminating the potential for credentials to be inadvertently logged by applications or for credentials to be hardcoded in application code.
How Does Secretless Broker Work?
When an application needs to securely access a resource such as a database, it does not present access credentials itself. Instead, the app makes a local connection request to Secretless Broker, which authenticates the app, fetches the required credentials from a vault, and establishes the connection to the database on the app's behalf.
- From the developer's perspective, there is no need to include code in the application to fetch credentials from a vault and then use them to access the resource. The developer simply configures the application to connect to the required resource via Secretless Broker, without changing the application code.
- From the security perspective, credentials can no longer be inadvertently logged or exposed by the application: with Secretless Broker the application code never receives the credential, so it cannot leak it.
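The flow described above, reduced to a runnable toy in Python as an added example. This is not Secretless Broker's own code and not its configuration format (a real deployment declares the listener, connector and credential sources in the broker's secretless.yml file); it only shows the mechanism. A stand-in "target" service demands a credential on its first line, the broker listens on loopback, treats a loopback peer as an authenticated local app, looks the credential up in a constructed in-process VAULT dict, authenticates upstream and relays bytes in both directions. The application code path contains no credential, and the same application code pointed directly at the target is refused. The AUTH/PING line protocol, the vault path and all function names are constructed for this example.

```python
import socket
import threading

# Constructed stand-in for the vault (Conjur, Kubernetes Secrets, ...). Only the
# broker reads from it; the application code below has no handle to it.
VAULT = {"prod/db/password": "s3cr3t-never-seen-by-app"}


def read_line(sock):
    """Read one newline-terminated line, one byte at a time so nothing past the
    line is consumed (matters before the relay takes over the socket)."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.rstrip(b"\n")


def target_server(listener, expected_secret):
    """Stand-in protected resource: first line must be 'AUTH <secret>', after
    which PING is answered with PONG (a toy stand-in for a database protocol)."""
    conn, _ = listener.accept()
    with conn:
        if read_line(conn) != b"AUTH " + expected_secret.encode():
            conn.sendall(b"ERR auth\n")
            return
        conn.sendall(b"OK\n")
        while True:
            line = read_line(conn)
            if not line:
                break
            conn.sendall(b"PONG\n" if line == b"PING" else b"ERR\n")


def pump(src, dst):
    """Relay bytes src -> dst until src closes, then half-close dst."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def broker_server(listener, target_addr, secret_path):
    """Broker: accept a local, credential-free connection, fetch the secret,
    authenticate to the target on the app's behalf, then relay both ways."""
    conn, peer = listener.accept()
    with conn:
        if peer[0] != "127.0.0.1":   # toy stand-in for authenticating the caller
            return
        secret = VAULT[secret_path]  # the vault lookup happens here, not in the app
        with socket.create_connection(target_addr) as upstream:
            upstream.sendall(b"AUTH " + secret.encode() + b"\n")
            if read_line(upstream) != b"OK":
                return
            back = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
            back.start()
            pump(conn, upstream)
            back.join()


def app_query(addr, message=b"PING"):
    """Application side: connects and talks, with no credential in this code path."""
    with socket.create_connection(addr) as s:
        s.sendall(message + b"\n")
        return read_line(s)


def _listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(1)
    return s


def run_brokered_demo():
    """App -> broker -> target. Returns the target's reply as the app sees it."""
    target, broker, path = _listener(), _listener(), "prod/db/password"
    threads = [
        threading.Thread(target=target_server, args=(target, VAULT[path]), daemon=True),
        threading.Thread(target=broker_server, args=(broker, target.getsockname(), path), daemon=True),
    ]
    for t in threads:
        t.start()
    try:
        return app_query(broker.getsockname())
    finally:
        for t in threads:
            t.join(timeout=5)
        target.close()
        broker.close()


def run_direct_demo():
    """Same app code pointed straight at the target: refused, since it holds no credential."""
    target = _listener()
    t = threading.Thread(target=target_server, args=(target, VAULT["prod/db/password"]), daemon=True)
    t.start()
    try:
        return app_query(target.getsockname())
    finally:
        t.join(timeout=5)
        target.close()


if __name__ == "__main__":
    print("via broker:", run_brokered_demo())  # b'PONG'
    print("direct:    ", run_direct_demo())    # b'ERR auth'
```

The point to take from the two runs is that `app_query` is identical in both: the only thing that changes is the address it is pointed at, which is exactly the "configure the application to connect via the broker" step in the text. Whatever the application logs, crashes with, or hardcodes, the credential is not among it, because it lives only in the broker's process.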
Get Started with a Simple Hosted KataCoda Tutorial
System Requirements
The Secretless Broker feature of Conjur currently supports these platforms, secret providers and service authenticators.
Full documentation is available here: Secretless Broker Documentation.
Secretless Broker Community Project
Secretless Broker is an independent and extensible open source community project which can be used to support native vaults and other secrets management solutions. It is maintained by developers from CyberArk and offered as an open source component of Conjur and Application Access Manager.
To explore the Secretless Broker Open Source Community Project visit Secretless Broker GitHub.