Secrets management is a key part of IT automation given the need for the automation securely interact with external systems. Credentials such as passwords and API keys are used to authenticate to those external systems and must be secured. The challenge is securing them in a way that is simple to use but also scales across multiple engineers. Many automation tools attempt to solve this problem through the use of a master password or a cryptographic key pair. Unfortunately, this creates another problem for many tools as the master password or private key now needs to be securely stored but also accessible which often leads to insecure handling of the secret that unlocks access to all the other secrets. Morpheus Cypher helps solves this problem in a simple and easy to use way that is integrated into the platform to help avoid the master secret handling problem.
Cypher is a secrets manager built into the Morpheus platform for storing passwords, API keys and other sensitive data for use in your automation. Secrets can be revoked manually or expired automatically through the use of a lease timeout associated with the secret.
Cypher supports the following types of data:
Secure storage is the core function of Cypher but being able to easily use the secrets stored in Cypher is what makes it truly valuable. Cypher includes a number of native integrations that simplify the use of sensitive data stored in Cypher with common automation tools such as scripts, Ansible and Terraform.
Scripts
Scripts are still widely used to automate IT system configuration. Morpheus provides a simple way to inject secrets into a Bash, PowerShell or Python script when executed as part of a Morpheus automation task or orchestrated workflow. The injection is as simple as adding the following secret reference to a script that is executed by Morpheus.
<%=cypher.read('secret/securepassword')%>
Additional information about using Cypher secrets with scripts can be found in the Morpheus Cypher scripts documentation.
Ansible
Ansible is an open source configuration management tool for configuring IT systems. Morpheus includes a built-in Ansible lookup plugin that simplifies the injection of secrets into an Ansible playbook. The following Ansible code performs a Cypher lookup to retrieve the password stored in Cypher.
- name: Add a user win_user: name: "morpheus" password: "{{ lookup('cypher','secret=secret/securepassword') }}" state: present
Additional information about using Cypher secrets with Ansible can be found in the Morpheus Ansible integration documentation.
Terraform
Terraform is an open source Infrastructure as Code (IaC) tool for declaratively building and configuring infrastructure. The Terraform integration in Morpheus allows you to deploy infrastructure using Terraform code within Morpheus. Sensitive data used by Terraform is added to a variable definition or tfvars file for storing variable values separate from the Terraform code. This variable file is encrypted and securely stored within Cypher and can be associated with a Terraform blueprint to pass the variables during the execution of the Terraform code. The following image shows a tfvars file that contains credentials for Terraform code that deploys VMware vSphere resources.
The tfvars secret is associated with a Terraform blueprint that contains the Terraform code as shown in the image below.
Additional information about using Cypher tfvars with Terraform can be found in the Morpheus Terraform integration documentation.
Automation
The Morpheus CLI and REST API can be used to interact with Cypher secrets. This allows additional tools or systems such as CI/CD pipelines to interact with Cypher secrets. Additional information about the REST API and CLI can be found in the documentation.
Cypher Backend Extensibility
Morpheus supports custom Cypher backends to extend the functionality of Cypher beyond the native functionality in the platform. This means that additional dynamic secret generation or external data storage functionality can be added. The Morpheus plugin framework was introduced in version 5.0.0 to allows developers to create Java based plugins. Additional details about developing plugins and a custom Cypher backend can be found at the Morpheus Developer Zone (https://developer.morpheusdata.com/).
Cypher provides support for various secret formats as well as simplified secrets injection with popular automation tools like Ansible and Terraform. For additional information on using Cypher for secrets management take a look at the Cypher documentation.
Try Morpheus Community Edition
The Morpheus Community Edition lets you fully experience the Morpheus platform including nearly all features and capabilities! Register at Morpheus Hub and try it in your home lab or test environment today!