Using the Secret Server SDK for DevOps

Overview

The Secret Server Software Development Kit for DevOps tool, was created for securing and streamlining DevOps processes in regard to Secret Server. The SDK for DevOps tool allows you to efficiently engage Secret Server via a Command Line Interface (CLI) without compromising security. It allows for secure retrieval of credentials from, as well as tracking access to a secure vault.

The SDK uses the REST API Reference Download. The SDK is a .NET library (available via a NuGet package), which you can use in a custom application. The SDK .NET library exposes a limited subset of the REST API.

You can download the current and legacy versions of the API on the Downloads for the Secret Server SDK for DevOps page.
The SDK can run on any version of .NET that supports .NET Standard 2.0 apps including .NET Core 2.0 plus, .NET Framework 4.6.1 plus, .NET Framework 4.8 plus, .NET 5 plus, .NET 6 plus, and .NET 7 plus.
See the Delinea SDK Integration Doc on GitHub for more information.
The SDK is designed to be used as shown below, not to be run using IWA to retrieve tokens or Secret information. Given this, the SDK is not supported with IWA.

There is also a .NET Core CLI SDK Client that uses the SDK .NET library. The SDK Client was created to allow customers to write automation scripts to access secrets without having to write code to directly access the REST API.

The .NET SDK library and the .NET Core CLI client both:

  • Automatically store the credentials and remote server in an encrypted file used to acquire an OAUTH token. The token is then used to make subsequent API calls. OAUTH tokens have an expiration time, which is configurable in the UI on the configuration page via the Session Timeout for Webservices value.
  • Get the contents of a secret.
  • Provide client-side caching (SDK client caching).

Secret Server has user and application accounts. Both types of accounts can access Secret Server via the REST API. Application accounts are not counted for licensing purposes. Application accounts can only access Secret Server via the REST API. Both account types never expire. Secret Server provides security for automated clients. SDK rules manage permissions. Client IDs are created when SecretServerClient.Configure() or tss init is called. The client ID is used to reference SDK client instances.

Do not give an application account the Administrator Role or all Role permissions. It is recommended to only assign the minimum roles needed to complete the task, that means to create a new Role with only the permissions it needs for the application account and only share the secrets needed.
For REST API Client Generation (Advanced), please see REST API Client Generation with Swagger.
We have a Python SDK that is independent of the SDK .NET library. It allows a Python script to access secrets without requiring REST knowledge. It has access to a small subset of the REST API.

How it Works

The SDK is a console application written in .NET Core that wires up its own credentials based on the machine it is installed on. Those credentials, called DevOps Users, do not have any rights in Secret Server but can be assigned to other Secret Server users or application user accounts, mimicking permissions to access secrets.

This removes the widespread DevOps issues with hard coding credentials into scripts and configuration files. Instead, the target system is registered via IP address which is whitelisted, providing REST authentication without entering user credentials. You can use the SDK to retrieve a REST user token for our REST API, or you can use the SDK to perform direct queries on Secret Server.

The SDK establishes secure access points so that PowerShell users can employ the Secret Server API directly from the CLI, without wasting time entering privileged account passwords.

Configuration Overview

Secret Server exposes a REST API interface that is used by the SDK client. When the SDK sends a REST request, Secret Server determines where the request came from (via IP address) and what permissions it should be granted (via a rule set in Secret Server). Hence, once the client is initialized with Secret Server and the rule name, this configuration is stored and encrypted on the client machine, ready for subsequent calls.

Out of the box, the SDK offers:

  • Token retrieval
  • Secret retrieval
  • Secret field retrieval
We expect to expand the SDK capabilities over time to allow for even greater access to the REST API.

The SDK requires setup in two areas: Secret Server configuration and SDK installation on the DevOps system.

Required Roles and Permissions

  • Administer Configuration: Allows a user to enable SDK functionality in Secret Server, that is, to enable webservices and the SDK itself.
  • Administer Create Users: Allows a user to access the Settings > All settings > SDK Client Management page in Secret Server, under the Tools and integrations category.
  • Administer scripts: This permission is required to be able to create an SDK Client Onboarding rule. It allows a user to view and edit PowerShell, SQL, and SSH scripts on the Scripts Administration page.
  • Administer Users: Allows a user to operate the SDK to retrieve account credentials on client machines. Alternatively, you can be the owner of the application account used by the SDK.
  • View Launcher Password: Allows a user to unmask the password on the view screen of secrets with a launcher. Typically, this includes Web Passwords accounts, Active Directory accounts, Local Windows accounts, and Linux accounts.

Setup Procedure

Task 1: Configuring Secret Server

Configure Secret Server for communication with the SDK:

  1. Search for "SDK" in universal search bar.

  2. Select the SDK Client result.

  3. Under the Configuration tab of the SDK Client Management page, click Edit to enable SDK Configuration and then click Save:

  4. Go to Settings > All settings, and under the Configuration > General categories select Application.

  5. On the Application page click Edit and select the Enable Webservices check box:

  6. Leave the default settings for webservices and click the Save button that appears at the bottom of the screen.

Select or setup any application accounts that you want for use by SDK clients. Make sure these application accounts have appropriate permissions to access any secrets or execute any operations the client host needs to perform.

To create a new account with the needed permissions:

  1. Go to Access > Users, the User Management page appears.

  2. Click the Create User button. The Add User page appears:

    image-20200604105821104

  3. Type the account name in the User Name and Display Name text boxes.

  4. Type a password in the New Password and Confirm Password text boxes. Record the password for future use.

  5. Select the Application Account check box.

  6. Click the Add User button.

  7. Create a new role:

    1. Go to Access > Roles.

    2. Click the Create Role button. The Create Role page appears:

      image-20200604111551561

    3. Fill in the Name text box, make sure the Enabled checkbox is selected and click Create Role. The page for the new role appears.

    4. Assign the View Secret permission to this role:

      1. Select the Permissions tab.

      2. Click Edit, change the Scope selection to All and search for the View Secret permission with the search box.

      3. Select it and click Save.

  8. Assign the role you just created to the application user created above:

    1. Access the role you just created, it has no users assigned:

    2. Select Edit and for the Scope field which appears, change the Assigned value to All.

    3. Search for the user you previously created, toggle the domains as needed to show all users.

    4. Add the user by selecting the checkbox by its name and clicking Save:

  9. Assign the View Launcher Password role permission to the application user previously created if this account requires access to secrets with launchers associated to them. Use the same steps for assigning this permission as described for View Secret in the previous steps:

  10. Set up an SDK client rule:

    1. Search for SDK in the top search bar. This will lead you to the SDK Client Management page.

    2. Under the Client Onboarding tab, click Create Rule:

    3. The New Rule page appears:

    4. Type a short, unique name in the Name text box. Clients must provide a valid rule name when connecting. For example: ProductionWebApp.

    5. Type an IPv4 address or address range (in CIDR notation) in the Allowed IP Ranges (CIDR) text box. Secret Server will only allow clients to use this rule if they connect from a valid IP address. If not provided, Secret Server will not enforce IP address restrictions on this rule. We strongly recommend using this feature.

      There is a 250-character limit, so you can only add a few dozen IP addresses unless you use CIDR notation.

    6. In the User drop-down list leave the default All value selected and search for the application user you just created.

      Clients are granted the same permissions as this account within Secret Server. If not provided, an account will be automatically created for clients, but will have no default permissions. You must use an application account (the one you created) for the rule. Application accounts are restricted from logging into the system through the normal user interface and do not count towards your license quota.

    7. Select the Require Onboarding Key check box.

      Clients must provide a generated additional key string when authenticating. If not provided, Secret Server allows any client to use the rule if its IP address is within the specified range. We strongly recommend using this feature.

    8. Click the Save button:

      The page for the new rule you just created will load automatically.

    9. Return to the SDK Client Management page, and under the Client Onboarding tab click on the rule that you have just created, the rule details will expand to the right.

    10. Select Show Key, then copy and save the generated onboarding key value, e.g. U9Ue9PsMYknfoskQvd/0BYMTaTTx2vtWbB/tHI3exDE=, for future use:

If you cannot copy the key text after selecting it, you probably need to add the Secret Server Utilities extension to your browser. For now, just manually copy it.

Task 2: Installing the SDK Client

This requires Secret Server version 10.4+ or Secret Server Cloud.
IWA is not supported by the SDK.
The SDK can run on any version of .NET that supports .NET Standard 2.0 apps including: .NET Core 2.0 plus, .NET Framework 4.6.1 plus, .NET 5 plus, and .NET 6 plus.

  1. Access Downloads for the Secret Server SDK for DevOps and choose the right kit for your platform.

  2. Unzip the SDK zip file you downloaded.

    1. Optionally, to get the SDK NuGet packages, see our documentation on GitHub.

  3. For non-Windows systems, you must make the tss program executable by running chmod u+x tss.

  4. On Linux systems, you must install libunwind:

    • On Red Hat or Centos, run sudo yum install libunwind libicu
    • On Ubuntu, run sudo apt-get install libunwind-dev

  5. To confirm the SDK client tool is installed and working, run help:

    • On Windows, run tss --help
    • On non-Windows systems, run ./tss --help

Task 3: Connecting to Secret Server

The SDK connection is per user on the machine. If the user who runs the SDK is different than the user who initialized it, the SDK will not work and will need to be re-registered.

Before the client can retrieve data from Secret Server, it must be initialized to connect to the Secret Server instance. This is a one-time operation on the client machine.

To initialize your connection:

  1. Run tss init --url <url> -r <rule> -k <key> using the parameters you recorded earlier for your Secret Server instance.

    1. Example parameters:

      1. Secret Server is hosted at https://myserver/SecretServer/
      2. You created a rule named ProductionWebApp.
      3. Your onboarding key is CNrQwRBscnq4qAZ6v3EIAcE27vQuLlz6KSpfRJHryyA=

    2. Example of operation and parameters to run for connection initialization:

      tss init --url https://myserver/SecretServer/ -r ProductionWebApp -k CNrQwRBscnq4qAZ6v3EIAcE27vQuLlz6KSpfRJHryyA=

You can also start the SDK client in interactive mode (tss -i) and follow the prompts to run the init command.

Secret Server will validate that the client-provided information is correct and that the IP address matches the configured restrictions. If successful, the client and server have established the connection, and the client can now be used to retrieve Secret Server data.

Usage Examples

  • Retrieving a secret by ID (returns a JSON structure describing the entire secret record): tss secret -s 4
  • Retrieving all secret field values for a secret by ID: tss secret -s 4 -ad
  • Retrieving only the value of a particular secret field by secret ID: tss secret -s 4 -f password
  • Writing a secret field value to a file: tss secret -s 4 -f password -o passwordfile.txt
  • Retrieving an access token for use in other REST API requests: tss token

  • Retrieving a secret by ID when that Secret requires a comment: tss secret -s 4 -c comment

The SDK client also includes an interactive mode (tss -i) that allows you to input multiple commands into a series of prompts. To exit interactive mode, run the exit command.

SDK Client Management

To view and manage a list of connected SDK clients from within Secret Server:

  1. Type "SDK" in the search text box and select SDK client from the results. The SDK Client Management page appears.

  2. In the Accounts tab a list of connected SDK clients appears for all users if available. You can remove or rename them. You can also filter clients by User.

  3. Select the Client Onboarding tab to create and manage client onboarding rules.

  4. Select the Configuration tab to disable or enable all SDK client activity.

  5. Select the Audit tab to see all date and time-stamped SDK client activity.

    If you remove a connected client, they may be able to reconnect unless you alter or remove the rule that the client used.

  6. To remove the Secret Server connection from a client machine, run the tss remove command. This deletes the connection, and the client can no longer retrieve Secret Server data without being re-initialized.

SDK Client Caching

Overview

To increase performance and reliability, you can configure the SDK client to cache values retrieved from Secret Server on the client machine. Cached values are stored encrypted on disk. You can configure client caching in one of four ways:

  • Never (0): With this default setting, the client never caches Secret Server data. All data requests result in a query directly against the Secret Server instance. If the instance is unavailable, the requests fail.
  • Server Then Cache (1): With this setting, the client first attempts to retrieve the value from the server. If the server is unavailable, it checks to see if the same value has been previously fetched within a given period, and if so, it will return the cached value. Use this setting to guard against losing connection to Secret Server.
  • Cache Then Server (2): With this setting, the client first checks to see if the same value has been previously fetched within a given period. If so, it returns the value without consulting the server. If not, it fetches, caches, and returns the value from the server. Use this setting for increased performance by reducing requests sent to Secret Server.
  • Cache Then Server Fallback on Expired Cache (3): This strategy operates similarly to "Cache Then Server," but if the server is unavailable and an expired value exists in the cache, the client returns that value as a last resort. Use this strategy for increased performance and reliability.

All these cache strategies have a configurable age, in minutes, after which the value is considered expired and not used (except in Cache Then Server Fallback mode). Cache settings are set using the client application, see the examples below for more details.

Examples

  • Turn off caching: tss cache --strategy 0
  • Turn on the Cache Then Server setting with a cache age of five minutes: tss cache --strategy 2 --age 5
  • Immediately clear all cached values: tss cache --bust
  • Show the current cache settings: tss cache --current
Anytime you use a cached value, recent changes made to Secret Server may not be applied, including changes to the value itself, permissions, or other access control settings. Examine your organization's security policies and application requirements to determine the best cache settings to use.