Automated AI Secret Rotation with SealedSecrets Controller
Automated secret rotation is an important aspect of securing sensitive information such as passwords, tokens, certificates, and other credentials within your infrastructure. It helps to minimize the risk of these credentials being compromised over time. In Kubernetes, SealedSecrets is a tool that enables you to encrypt secrets so they can be stored safely, even in a public repository. However, SealedSecrets does not handle the rotation of secrets.
For automated secret rotation, you would typically use a combination of a Kubernetes Operator or a cloud provider's secret management system that supports rotation, and a secure store for the rotated secrets.
In this example, we'll use Pulumi to configure automated secret rotation with AWS as the cloud provider. AWS Secrets Manager supports automatic rotation of secrets by invoking a specified AWS Lambda function on a defined schedule. The Lambda function handles the rotation logic including creating the new version of the secret.
Here's a Python program using Pulumi to set up a secret in AWS Secrets Manager with rotation enabled:
```python
import pulumi
import pulumi_aws as aws

# The IAM role the rotation Lambda assumes. Supply it through Pulumi config:
#   pulumi config set lambdaRoleArn arn:aws:iam::<account-id>:role/<role-name>
your_lambda_role_arn = pulumi.Config().require("lambdaRoleArn")

# Create a new secret to be managed by AWS Secrets Manager.
secret = aws.secretsmanager.Secret("MySecret",
    # Optional: Description for the secret
    description="My managed secret",
    # Optional: Define a key within AWS KMS to encrypt the secret
    # kms_key_id=your_kms_key_id,
)

# Create a Lambda function that will handle the rotation logic.
rotation_lambda = aws.lambda_.Function("MyRotationLambda",
    # The runtime for the Lambda function. Python is commonly used for rotation logic.
    runtime="python3.8",
    # Your Lambda function's handler.
    handler="rotate_secret.lambda_handler",
    # The IAM role that the Lambda function assumes. It needs permissions to rotate the secret.
    role=your_lambda_role_arn,
    # The zipped source code for the Lambda function.
    code=pulumi.FileArchive("./your-lambda-function.zip"),
    # Environment variables required by the Lambda function, such as endpoint names.
    environment={
        "variables": {
            "EXAMPLE_VARIABLE": "example_value",
        }
    },
)

# Secrets Manager invokes the rotation function itself, so the function needs a
# resource-based policy allowing that principal; without it, enabling rotation fails.
invoke_permission = aws.lambda_.Permission("AllowSecretsManagerInvoke",
    action="lambda:InvokeFunction",
    function=rotation_lambda.name,
    principal="secretsmanager.amazonaws.com",
)

# Configure rotation for the secret using the Lambda function.
rotation = aws.secretsmanager.SecretRotation("MySecretRotation",
    secret_id=secret.id,
    rotation_lambda_arn=rotation_lambda.arn,
    # Define the rotation rules
    rotation_rules=aws.secretsmanager.SecretRotationRotationRulesArgs(
        automatically_after_days=30,  # Rotate the secret every 30 days
    ),
    # Make sure the invoke permission exists before rotation is enabled.
    opts=pulumi.ResourceOptions(depends_on=[invoke_permission]),
)

# Export the secret's ARN so you can reference it in other infrastructure, for example in IAM policies.
pulumi.export("secret_arn", secret.arn)
```
In this program, we first create an AWS Secrets Manager secret which stores the sensitive data that you need to manage. Then, we define an AWS Lambda function that includes the logic to rotate the secret; be aware that you need to provide your own implementation for this function based on your specific credential-generation logic, for example opening a connection to the database and setting a new password. Also, ensure that the role associated with the Lambda function has enough permissions to interact with AWS Secrets Manager. Finally, we associate the Lambda function with the secret for automated rotation by defining a `SecretRotation` resource.

Please provide your own Lambda function code (`rotate_secret.lambda_handler`), the zipped source code (`./your-lambda-function.zip`), and the required IAM role ARN (`your_lambda_role_arn`) according to your use-case specifics.

It's important to note that SealedSecrets itself doesn't have the concept of rotation built in; it's mainly a way to securely store and manage secrets in Git repositories. For rotation, you generally need to rely on other services (like AWS Secrets Manager, in this example) and orchestrate the rotation process, updating the sealed secrets in your clusters as necessary.
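The text leaves the body of `rotate_secret.lambda_handler` to you. As an added example (not code from the original page or from Pulumi), here is a handler that implements the four-step protocol Secrets Manager drives: it is invoked once per step with `Step`, `SecretId` and `ClientRequestToken`, and must be safe to retry. The `apply_credentials` and `check_credentials` hooks are hypothetical stand-ins for the target-system work (changing a database password, then verifying a login), and `FakeSecretsManager` is a constructed in-memory substitute for the boto3 client so the file runs offline; inside Lambda the handler falls back to a real `boto3.client("secretsmanager")`.

```python
"""Four-step rotation handler for AWS Secrets Manager (added example, runnable offline)."""
import json
import secrets
import string
import types

STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")


class ResourceNotFoundException(Exception):
    """Stand-in for the boto3 client's exceptions.ResourceNotFoundException."""


def generate_password(length=32):
    """New credential from a CSPRNG (the secrets module, never random)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _load(sm, arn, **kwargs):
    """Fetch one secret version and JSON-decode its SecretString."""
    return json.loads(sm.get_secret_value(SecretId=arn, **kwargs)["SecretString"])


def lambda_handler(event, context, sm=None, apply_credentials=None, check_credentials=None):
    """Entry point invoked by Secrets Manager once per rotation step.

    sm: boto3 secretsmanager client (injected so the code runs offline).
    apply_credentials / check_credentials: hypothetical hooks for the target system.
    """
    if sm is None:
        import boto3  # lazy import: only needed inside Lambda
        sm = boto3.client("secretsmanager")
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    if step == "createSecret":
        try:  # idempotent: a retry that already staged this token does nothing
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
            return
        except sm.exceptions.ResourceNotFoundException:
            pass
        new = _load(sm, arn, VersionStage="AWSCURRENT")  # keep username etc., replace password
        new["password"] = generate_password()
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        apply_credentials(_load(sm, arn, VersionId=token, VersionStage="AWSPENDING"))
    elif step == "testSecret":
        if not check_credentials(_load(sm, arn, VersionId=token, VersionStage="AWSPENDING")):
            raise RuntimeError("pending credentials rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if current_id != token:  # promote the pending version; skip if a retry already did
            sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step!r}")


class FakeSecretsManager:
    """Constructed in-memory stand-in exposing only the boto3 calls the handler uses."""

    def __init__(self, arn, initial):
        self.arn = arn
        self.versions = {"v0": {"SecretString": json.dumps(initial), "stages": ["AWSCURRENT"]}}
        self.exceptions = types.SimpleNamespace(ResourceNotFoundException=ResourceNotFoundException)

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, v in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in v["stages"]):
                return {"VersionId": vid, "SecretString": v["SecretString"]}
        raise ResourceNotFoundException(f"{SecretId}: no version {VersionId}/{VersionStage}")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"SecretString": SecretString, "stages": list(VersionStages)}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {vid: list(v["stages"]) for vid, v in self.versions.items()}}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"].remove(VersionStage)
        self.versions[MoveToVersionId]["stages"].append(VersionStage)


def rotate(sm, arn, token, apply_credentials, check_credentials):
    """Drive all four steps the way Secrets Manager would; return the AWSCURRENT value."""
    for step in STEPS:
        event = {"SecretId": arn, "ClientRequestToken": token, "Step": step}
        lambda_handler(event, None, sm, apply_credentials, check_credentials)
    return _load(sm, arn, VersionStage="AWSCURRENT")


if __name__ == "__main__":
    # Constructed sample secret; the ARN is a placeholder, not a real resource.
    demo = FakeSecretsManager("arn:aws:secretsmanager:us-east-1:123456789012:secret:demo",
                              {"username": "app", "password": "old"})
    print(rotate(demo, demo.arn, "token-1", lambda creds: None, lambda creds: True))
```

The ordering is the safety property: the new password is written to the target and verified while the old version is still `AWSCURRENT`, so a failure in `setSecret` or `testSecret` leaves consumers on working credentials, and both `createSecret` and `finishSecret` check existing stage labels first so a retried invocation never generates a second password or re-promotes. Package this as `rotate_secret.py` in the zip referenced by the Pulumi program, and grant the Lambda role `secretsmanager:GetSecretValue`, `PutSecretValue`, `DescribeSecret` and `UpdateSecretVersionStage` on the secret.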
This setup with Pulumi allows for an infrastructure as code approach to managing secrets and their rotation, ensuring that your process is repeatable, version controlled, and can be integrated with CI/CD workflows.