how do people handle secrets that need to be used in scripts that Cribl may run?

Answers

  • Chris Rogers
    With exec data sources?

  • etc_cribl
    etc_cribl Posts: 14 mod
    yeah via a scheduled script collector source

  • Chris Rogers

    Might be worth a quick read here <@U04U5SWFKBL> : https://docs.cribl.io/stream/collectors-script/

        With Great Power Comes Great Responsibility! Scripts will allow you to execute almost anything on the system where Cribl Stream is running. Make sure you understand the impact of what you're executing before you do so! These scripts run as the user running Cribl Stream, so if you are running it as root, these commands will run with root user permissions.

  • Chris Rogers
    Is the concern more that the creds/secrets are visible in the Cribl UI?

  • etc_cribl
    etc_cribl Posts: 14 mod

    Right, I'd rather not embed secrets (generally API keys for 3rd party services) into my scripts, especially when I may be putting them into source control external to Cribl. It's just another thing to remember to remove ahead of committing.

  • Chris Rogers
    I hear ya. A lot of times I think we end up just moving the problem around. Put the creds in the script itself, in the collector call, etc. Even if you put the creds in a secret store you are probably needing to call that with some creds. Are you running workers in the cloud? (assuming this is stream and not edge)

  • etc_cribl
    etc_cribl Posts: 14 mod
    Yeah running Stream in GCP

  • Chris Rogers
    Did some research on this last night. My thinking is this. Set up an IAM role with access to the secret in GC Secrets Manager, and apply it to the GCE instance in which Stream is running. Use a python script to grab the secret and then execute your script. May lab this up as well.
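
    One way to lab the approach described above, as an added example that is not from this thread or from Cribl: a small wrapper that Cribl's script collector runs on the GCE worker. It asks the instance metadata server for an access token for the instance's service account (so the only "credential" is the IAM binding on the instance, which needs no more than `roles/secretmanager.secretAccessor` on that one secret), reads the secret over the Secret Manager REST API with the standard library only, and hands it to the real collector script through an environment variable. The file name `fetch_and_run.py`, the project id, the secret id and the `API_KEY` variable name are assumptions.

```python
import base64
import json
import os
import subprocess
import sys
import urllib.request

# GCE metadata server: hands out an access token for the instance's service account.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
SECRET_MANAGER_URL = "https://secretmanager.googleapis.com/v1"


def _get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def instance_access_token(get_json=_get_json):
    # The metadata server refuses requests that lack this header (its SSRF guard).
    body = get_json(METADATA_TOKEN_URL, {"Metadata-Flavor": "Google"})
    return body["access_token"]


def secret_version_name(project, secret_id, version="latest"):
    return f"projects/{project}/secrets/{secret_id}/versions/{version}"


def fetch_secret(project, secret_id, version="latest", get_json=_get_json):
    """Read one secret version via the Secret Manager REST API (payload.data is base64)."""
    token = instance_access_token(get_json)
    url = f"{SECRET_MANAGER_URL}/{secret_version_name(project, secret_id, version)}:access"
    body = get_json(url, {"Authorization": f"Bearer {token}"})
    return base64.b64decode(body["payload"]["data"]).decode("utf-8")


def run_with_secret(script, secret, env_var="API_KEY"):
    # Pass the secret in the child's environment, not in argv: argv is visible to
    # every local user via ps, the environment only to the same user and root.
    env = dict(os.environ, **{env_var: secret})
    return subprocess.run(script, env=env, check=False).returncode


if __name__ == "__main__":
    # usage (assumed): python fetch_and_run.py PROJECT_ID SECRET_ID ./collector.sh [args...]
    project, secret_id, script = sys.argv[1], sys.argv[2], sys.argv[3:]
    sys.exit(run_with_secret(script, fetch_secret(project, secret_id)))
```

    The secret never touches the Cribl UI, the collector config or the repo: only the wrapper's name and the secret id are stored, and the key exists solely in the memory of the two processes while the collection runs.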

  • etc_cribl
    etc_cribl Posts: 14 mod
    that definitely sounds like a good approach. I've also just realized I need to take into account dependencies and libraries that a given script needs, and installing those onto workers.

  • Chris Rogers
    I feel your pain there. Being a collector script I'd be tempted to containerize it and run it that way. Managing dependencies is tough.

  • etc_cribl
    etc_cribl Posts: 14 mod

    I typically have been running these sorts of data collection scripts via GCP Functions; perhaps that is still the easier way. Can always send into Cribl via HEC and process that way.