Secrets management (Local development)


To connect identity systems, you will need to include service accounts, administrative credentials, API keys, and other secrets in your configurations. For example, an LDAP Connector will require an admin account and credential in order to look up users or query for attributes, an Azure AD connector will require a client ID and secret, and your tls configuration may require certificates and keys that are not kept on the local filesystem.

Maverics integrates with various secret management solutions, which store secrets that Orchestrator instances load when starting up. The current integrations include:

If no secret management solution is specified, Maverics will default to loading secrets specified in plain text from the default maverics.yaml configuration file or the base configuration file you've specified (e.g., my-maverics.yaml).

connectors:
  - name: ldap
    type: ldap
    serviceAccountPassword: ldapServiceAccountPassword
    serviceAccountUsername: uid=mycorpadmin,ou=Admins,o=MyCorp,c=US
    # ...

If Connector configurations are split out and incorporated using include, secrets should be defined in the connector-specific files (e.g., myAzureADconnector.yaml).

Each Connector requires different credentials, secrets, and keys. Check the Connectors reference for specifics about what you will need to collect and store in your secret management solution.

To declare a value as a secret in a maverics.yaml config file, wrap the secret's name in angle brackets; the name is looked up in the secret provider at startup:

connectors:
  - name: okta
    type: okta
    apiToken: <oktaAPIToken>
    oauthClientID: <oktaOAuthClientID>
    oauthClientSecret: <oktaOAuthClientSecret>

Secrets can be used instead of file paths for certificates and keys in the tls section.

tls:
  maverics:
    certFile: <example.com.crt>
    keyFile: <example.com.key>

If connecting to your secret provider involves traversing a network proxy, please see the network proxy documentation.

Secrets File

Strata strongly recommends using a vault as your secrets provider, even just for evaluation or test instances. The file-based options are provided for convenience only.

To load secrets from a file, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern:

MAVERICS_SECRET_PROVIDER=secretfile:////etc/maverics/secrets.yaml

On Windows, the environment variable would use the following pattern:

MAVERICS_SECRET_PROVIDER=C:\Program Files\Strata Identity\Maverics\secrets.yaml

To load secrets from a file using the CLI flag, use the following pattern:

maverics -secretProvider secretfile:////etc/maverics/secrets.yaml

The file contents can be filled with any number of secrets:

secrets:
  oktaAPIToken: aReallyGoodToken
  oktaOAuthClientID: aReallyUniqueID
  oktaOAuthClientSecret: aReallyGoodSecret
  samlSigningCert: |+ # Multi-line values require |+.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  saml-signing-key: |+
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
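The two halves above, the `<name>` references in maverics.yaml and the `secrets:` map in the secrets file, fit together as follows. This is an added example, not Maverics code: it resolves the references over the page's configuration (shown already parsed into Python structures; PyYAML or similar is assumed to do the parsing), fails at startup on an unknown secret name, and flags any sensitive-looking key whose value is still a literal, which is the plain-text fallback described earlier. The key-name heuristic and the path format are assumptions.

```python
import re
from typing import Any, List

# Constructed sample mirroring the page's YAML, already parsed into Python
# structures (PyYAML would yield this shape; parsing is assumed to happen first).
CONFIG = {
    "connectors": [
        {"name": "okta", "type": "okta", "apiToken": "<oktaAPIToken>",
         "oauthClientID": "<oktaOAuthClientID>", "oauthClientSecret": "<oktaOAuthClientSecret>"},
        {"name": "ldap", "type": "ldap",
         "serviceAccountUsername": "uid=mycorpadmin,ou=Admins,o=MyCorp,c=US",
         "serviceAccountPassword": "ldapServiceAccountPassword"},  # plain text, not a reference
    ],
    "tls": {"maverics": {"certFile": "<example.com.crt>", "keyFile": "<example.com.key>"}},
}
# Constructed stand-in for the "secrets:" map of secrets.yaml; values are dummies.
SECRETS = {
    "oktaAPIToken": "aReallyGoodToken",
    "oktaOAuthClientID": "aReallyUniqueID",
    "oktaOAuthClientSecret": "aReallyGoodSecret",
    "example.com.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "example.com.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
}
REF = re.compile(r"^<([^<>]+)>$")  # the whole value is a <secretName> reference
SENSITIVE_KEY = re.compile(r"password|secret|token|keyfile", re.I)  # assumed heuristic

def resolve(node: Any, secrets: dict, path: str = "") -> Any:
    """Return a copy of node with each <name> reference replaced by its secret.
    An unknown name raises KeyError with the config path, so a typo fails at
    startup instead of being passed on as the literal string '<name>'."""
    if isinstance(node, dict):
        return {k: resolve(v, secrets, f"{path}.{k}") for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, secrets, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str) and (m := REF.match(node)):
        if m.group(1) not in secrets:
            raise KeyError(f"{path}: secret '{m.group(1)}' not found in secrets file")
        return secrets[m.group(1)]
    return node

def audit_plaintext(node: Any, path: str = "") -> List[str]:
    """List config paths whose key looks sensitive but whose value is a literal
    rather than a <name> reference, i.e. a secret kept in plain text."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in audit_plaintext(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in audit_plaintext(v, f"{path}[{i}]")]
    key = path.rsplit(".", 1)[-1]
    return [path] if isinstance(node, str) and SENSITIVE_KEY.search(key) and not REF.match(node) else []
```

Running `audit_plaintext(CONFIG)` before resolving is the check to wire into CI or a pre-commit hook: it reports the LDAP password above as the one secret that should have been moved to the secrets file.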