Page Comparison

Table of Contents

This page is aimed to consolidate and document all known requirements (both functional and non-functional) applicable to FOLIO secrets management.

Use Use cases

A user (administrator) wants to create/manage secrets through the secret storage directly and allow FOLIO modules to access those secrets (read-only access)
A user (administrator) wants to create/manage secrets through FOLIO. E.g., a module might need to store credentials to some external system (like FTP or SMTP server credentials, API keys etc. UI forms are involved as well for interaction with a user
A module wants to create/manage secrets so that a user is not even in the loop here, and the interaction is only between the module and secret storage. Examples are modules which are creating system/tenant users (like mod-pubsub), or a case with generating and storing signing keys in such a way that all instances of the mod-authtoken container can easily stay aligned.

The following secret types are to be supported:

Secret type	Format	Who creates?	Who accesses?	How does it work now?	Additional notescomments
login & password	String	FOLIO resource administrator external system administrator	modules working with any resource with logo-pass	different modules use their own storages for that
API key	String	administrator system	modules working with APIs	different modules use their own storages for that
token	String	system	mod-authtoken modules working with tokens
SSL certificate	file	administrator	modules using certificate for work with Kafka		Cannot be stored in SSM, Vault etc. Encrypted S3?

...

Secret store mechanism	LinksEnvironments or needs	Environment & Comments
HarshiCorp Vault	https://www.vaultproject.io/	onOn-premises installations
AWS Systems Manager Parameter Store ( or just AWS SSM)	https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html	As an option for AWS cloud hosting
AWS Secrets Manager	https://aws.amazon.com/secrets-manager/	As an option for AWS cloud hosting
properties-file		for For dev / test needs
environment variables		K8S secrets

...

		Standard EC2 machine with all dockers on it (native docker, so Env Var are only available) - IndexData (snapshots, testing)
Kubernetes Secrets		K8S Secrets with Env Var is used there to ensure compatibility with native docker deployment Rancher has UI for displaying & configuration

Home-grown unified web UI vs. store-specific UIs

...

check AWS ssm:GetParameters permission - it is the policy used to enforce access control and protect one service’s secrets from another (here is a good overview of this process https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/ there is a pretty good overview of this process)
in Vault an access can be managed via roles, tokens etc. (https://www.vaultproject.io/docs/auth)

...

A tenant should only access its own secrets

Notes:

tenants tenant are FOLIO internal term, so that it seems now that access verification on tenant level cannot be supported on Secret store level
tenant ID can be used as a part of secret IDname

Adding new secrets (even for a new tenant) should be available without restart

...