1. Secure API Credentials with OCI Customer Secret Keys

    To secure API credentials in Oracle Cloud Infrastructure (OCI), you can use the OCI Vault service, which lets you manage secrets and encryption keys securely. Customer secret keys let your applications authenticate with OCI services without embedding sensitive information in your source code.

    Below, you will find a Pulumi program that demonstrates how to create a secret in OCI Vault and how to use it to store an API key securely. The example assumes you already have an OCI Vault set up along with a master encryption key. The program will use the oci.Vault.Secret resource to create a new secret within the vault.

    Program Explanation

    1. Import the required modules: We start by importing Pulumi, the OCI package for Pulumi, and other necessary Python modules.
    2. Create a Secret in OCI Vault: We create a new secret, which contains the API credentials that need to be protected. In a real-world scenario, the contents of this secret would be the sensitive API key or token that you need to store securely.
    3. Grant Access to the Secret: While this step is not explicitly shown in the code, in practice, you would define policies in OCI to grant the necessary access to the secret for your applications or users.

    Please make sure to replace "your-vault-id" and "your-master-key-id" placeholders with the actual OCIDs of your vault and master encryption key.

    Pulumi Program for Storing API Credentials in OCI Vault

    import base64

    import pulumi
    import pulumi_oci as oci

    # Replace these placeholders with your actual vault and master key identifiers.
    vault_id = "your-vault-id"
    master_key_id = "your-master-key-id"

    # The API key that you want to secure. This is the sensitive information that
    # needs protection; in practice, obtain it at runtime instead of hardcoding it.
    api_key_to_secure = "<Your API Key>"

    # OCI stores secret content base64-encoded, so encode the key before handing it over.
    encoded_api_key = base64.b64encode(api_key_to_secure.encode("utf-8")).decode("ascii")

    # Create a new secret in the Vault to securely store the API key.
    # The compartment OCID comes from stack config: `pulumi config set compartmentId <ocid>`.
    api_key_secret = oci.vault.Secret(
        "apiKeySecret",
        compartment_id=pulumi.Config().require("compartmentId"),
        secret_name="apiKeySecret",  # display name of the secret in the vault (required)
        vault_id=vault_id,
        key_id=master_key_id,
        secret_content=oci.vault.SecretSecretContentArgs(
            content=encoded_api_key,
            content_type="BASE64",  # secret content is always supplied base64-encoded
        ),
        metadata={
            "description": "This secret contains an API key for XYZ service.",
        },
        secret_rules=[
            oci.vault.SecretSecretRuleArgs(
                rule_type="SECRET_EXPIRY_RULE",  # example rule: specify when the secret should expire
                time_of_absolute_expiry="2024-01-01T00:00:00Z",  # expiration date in RFC 3339 format
            )
        ],
    )

    # To retrieve your secret later in your applications, you will need the secret's OCID.
    # You can obtain it by exporting it as shown below.
    pulumi.export("api_key_secret_id", api_key_secret.id)
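    The consumer side of this program, as an added example that is not part of the original page: an application reads the exported secret OCID, fetches the current secret bundle with the OCI Python SDK, and base64-decodes its content back into the API key. It assumes the code runs on an OCI compute instance whose instance principal has been granted read access to the secret (the policy step in point 3 above), and that the OCID arrives in an environment variable named API_KEY_SECRET_OCID (a name chosen here).

```python
import base64
import binascii
import os


def decode_secret_bundle_content(content, content_type="BASE64"):
    """Turn the content of an OCI secret bundle back into the original string.

    OCI returns secret content base64-encoded (content_type "BASE64"), matching
    how the Pulumi program stored it. Any other type is rejected rather than
    silently passed through, and malformed base64 raises instead of yielding junk.
    """
    if content_type != "BASE64":
        raise ValueError(f"unsupported secret content type: {content_type!r}")
    try:
        return base64.b64decode(content, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("secret bundle content is not valid base64 text") from exc


def fetch_api_key(secret_id, client=None):
    """Fetch the latest version of the secret and return the decoded API key.

    `client` is any object with a get_secret_bundle(secret_id=...) method. When
    None, an OCI SecretsClient authenticated as the instance principal of the
    host is created (assumption: this runs on an OCI instance that a policy
    allows to read secret-bundles in the compartment).
    """
    if client is None:
        import oci  # OCI Python SDK, imported lazily so the decoder works without it
        signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
        client = oci.secrets.SecretsClient(config={}, signer=signer)
    bundle = client.get_secret_bundle(secret_id=secret_id).data
    content = bundle.secret_bundle_content
    return decode_secret_bundle_content(content.content, content.content_type)


if __name__ == "__main__":
    # The secret OCID is the stack output exported by the Pulumi program
    # (`pulumi stack output api_key_secret_id`), passed in via the environment
    # so that neither the OCID nor the key itself lives in the source code.
    api_key = fetch_api_key(os.environ["API_KEY_SECRET_OCID"])
    print("API key loaded, length:", len(api_key))
```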

    Important Security Notes

    • Never hardcode sensitive information like API keys in your source code. In our program, the hardcoded API key is only a placeholder for illustration; in a real program, obtain it from a secure source at runtime.

    • Access control: In OCI, you can control who has access to use the secrets via IAM policies. Ensure that only the necessary identities have access to read and use the secret.

    • Audit: OCI provides auditing capabilities. Enable auditing of access to and use of your secrets and keys so that unauthorized access or unusual usage patterns can be identified.

    Implementing these best practices ensures that even if your application's source code is compromised, your API credentials remain secure within the OCI Vault service, reducing the risk of unauthorized access to your APIs.