Config.yml file unclear #12
Comments
Ref question 1, Ref question 2:

Why is it necessary to include the literal value of the secret in the configuration file? Doesn't this defeat the purpose of using Azure Key Vault to securely store secrets?
The literal value is needed for FalconHound to be able to fetch its secrets from the keyvault. I don't know the intention behind the implementation. If I were to guess, I'm assuming it has something to do with large corporations having multiple tenants and FalconForce being asked to do an audit? Possibly simpler to provide access to the keyvault than giving out all the various credentials for the other applications? (Yes, I know you can fetch the secret using the keyvault, which is why I'm unsure of the intention.) I sent a pull request to include support for managed identity, which should allow you to use an Azure keyvault without supplying client id / client secret for authentication.
The initial intention was to add support for a client that ran FalconHound on a non-Azure system, where it required access to the credentials in the keyvault which were managed by another team. Yes, there are still some credentials in the config, but often this is an acceptable tradeoff for most teams. The data handled is very sensitive as well, and these machines should be properly isolated. I've just merged Tor's PR which allows for Managed System Identity support to access the key vaults. I'll also work on supporting MSIs to access other Azure based resources.
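The two ways of reaching the key vault discussed in the comments above (a service-principal client secret stored literally in the config versus a managed identity with no credential in the config), as an added example that is not FalconHound's code. The `KeyVaultConfig` fields are assumptions modelled on the sample config, not the project's real schema; the Azure SDK calls are the documented `azure-identity` and `azure-keyvault-secrets` APIs.

```python
"""Pick a Key Vault credential from config and flag literal secrets left in it."""
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class KeyVaultConfig:
    # Field names are assumed for this example, not FalconHound's real keys.
    vault_url: str
    tenant_id: Optional[str] = None
    client_id: Optional[str] = None
    client_secret: Optional[str] = None  # the literal value the issue asks about


def credential_mode(cfg: KeyVaultConfig) -> str:
    """'managed_identity' when no service-principal fields are set,
    'client_secret' when all three are set; a half-filled set is an error."""
    sp_fields = (cfg.tenant_id, cfg.client_id, cfg.client_secret)
    if not any(sp_fields):
        return "managed_identity"
    if all(sp_fields):
        return "client_secret"
    raise ValueError("tenant_id, client_id and client_secret must be set together")


def literal_secrets_in_config(cfg: KeyVaultConfig) -> list[str]:
    """Names of fields still holding a secret value; run before committing or
    shipping a config to confirm the managed-identity path is actually used."""
    secret_fields = ("client_secret",)
    return [f.name for f in fields(cfg)
            if f.name in secret_fields and getattr(cfg, f.name)]


def build_credential(cfg: KeyVaultConfig):
    # Imported here so the offline checks above run without the Azure SDK installed.
    from azure.identity import ClientSecretCredential, ManagedIdentityCredential
    if credential_mode(cfg) == "managed_identity":
        return ManagedIdentityCredential()  # system-assigned identity of the host
    return ClientSecretCredential(cfg.tenant_id, cfg.client_id, cfg.client_secret)


def fetch_secret(cfg: KeyVaultConfig, secret_name: str) -> str:
    """Read one secret by name; secret_name is the Key Vault secret name,
    not its value, which is the distinction the issue asks about."""
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=cfg.vault_url, credential=build_credential(cfg))
    return client.get_secret(secret_name).value
```

With a managed identity, `literal_secrets_in_config` returns an empty list and the config file can be stored without any application secret in it.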
Hi,

I'm attempting to install FalconHound, but I'm encountering some unclear information. According to the `config.yml-sample`, when using a keyvault, we need to configure the appSecret for the keyvault. Could you clarify whether this refers to the name of the secret or the literal value of the secret? Additionally, when configuring it with the keyvault, is the configuration under `# Add your Sentinel connection information` here still necessary?