how do people handle secrets that need to be used in scripts that Cribl may run?
Answers
-
With exec data sources?
0 -
yeah via a scheduled script collector source
0 -
Might be worth a quick read here <@U04U5SWFKBL> : https://docs.cribl.io/stream/collectors-script/
```
With Great Power Comes Great Responsibility! Scripts will allow you to execute almost anything on the system where Cribl Stream is running. Make sure you understand the impact of what you're executing before you do so! These scripts run as the user running Cribl Stream, so if you are running it as root, these commands will run with root user permissions.
```
0 -
Is the concern more that the creds/secrets are visible in the Cribl UI?
0 -
Right, I'd rather not embed secrets (generally API keys for 3rd party services) into my scripts, especially when I may be putting them into source control external to Cribl. It's just another thing to remember to remove ahead of committing.
0 -
I hear ya. A lot of times I think we end up just moving the problem around. Put the creds in the script itself, in the collector call, etc. Even if you put the creds in a secret store you are probably needing to call that with some creds. Are you running workers in the cloud? (assuming this is stream and not edge)
0 -
Yeah running Stream in GCP
0 -
Might be worth considering this. https://cloud.google.com/secret-manager/docs/view-secret-details#secretmanager-get-secret-python
0 -
Did some research on this last night. My thinking is this. Set up an IAM role with access to the secret in GC Secrets Manager, and apply it to the GCE instance in which Stream is running. Use a python script to grab the secret and then execute your script. May lab this up as well.
0 -
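The approach sketched above (an IAM role on the GCE instance, a Python wrapper that pulls the secret and then runs the real script) as an added example; this is not code from the thread or from Cribl. It assumes the worker's attached service account has roles/secretmanager.secretAccessor on the secret, that the google-cloud-secret-manager package is installed on the worker (the module imports it lazily, so everything else runs without it), and the environment variable name THIRD_PARTY_API_KEY is an arbitrary choice. The secret is handed to the child script through its environment rather than its argv, because argv is visible to every local user via `ps`.

```python
"""Fetch a secret from Google Secret Manager and hand it to a child script via
an environment variable, so the secret is never written into the script or
committed to Git.

Added example, not the thread's or Cribl's code. Assumptions:
  - the worker is a GCE instance whose attached service account has
    roles/secretmanager.secretAccessor on the secret (no key file on disk);
  - google-cloud-secret-manager is installed where the real fetcher runs.
"""
import os
import subprocess
import sys
from typing import Callable, List


def secret_version_name(project: str, secret: str, version: str = "latest") -> str:
    """Build the resource name access_secret_version expects."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def fetch_from_secret_manager(name: str) -> str:
    """Real fetcher. Application Default Credentials resolve to the instance's
    service account, so no credential is embedded anywhere in this file."""
    from google.cloud import secretmanager  # lazy: only needed on the worker

    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


def run_with_secret(
    name: str,
    command: List[str],
    env_var: str,
    fetch: Callable[[str], str] = fetch_from_secret_manager,
) -> subprocess.CompletedProcess:
    """Fetch the secret and run `command` with it exported as `env_var`.

    The secret goes into the child's environment, not its argv: argv is
    readable by any local user via `ps`, a process environment normally only
    by its owner and root. Stdout is captured so the collector can forward it.
    """
    env = dict(os.environ)
    env[env_var] = fetch(name)
    return subprocess.run(command, env=env, capture_output=True, text=True, check=False)


def demo_with_stub_fetcher(value: str = "constructed-secret-value") -> str:
    """Offline demonstration: a stub fetcher stands in for Secret Manager and the
    child is a one-line Python program that reads the variable back."""
    child = [sys.executable, "-c", "import os; print(os.environ['THIRD_PARTY_API_KEY'])"]
    result = run_with_secret(
        secret_version_name("demo-project", "demo-secret"),
        child,
        "THIRD_PARTY_API_KEY",
        fetch=lambda _name: value,  # constructed value, never a real key
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Usage on the worker:
    #   python fetch_secret_and_run.py PROJECT SECRET_NAME /path/to/collector.py [args...]
    if len(sys.argv) < 4:
        sys.exit("usage: PROJECT SECRET_NAME COMMAND [ARGS...]")
    project, secret, *cmd = sys.argv[1:]
    result = run_with_secret(secret_version_name(project, secret), cmd, "THIRD_PARTY_API_KEY")
    sys.stdout.write(result.stdout)  # the collector picks these lines up as events
    sys.exit(result.returncode)
```

The script that actually talks to the third-party API then reads `os.environ["THIRD_PARTY_API_KEY"]` and can be committed as-is; the only thing the Cribl UI needs to hold is the project and secret name, and the only credential involved is the instance's service account.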
that definitely sounds like a good approach. I've also just realized I need to take into account dependencies and libraries that a given script needs, and installing those onto workers.
0 -
I feel your pain there. Being a collector script I'd be tempted to containerize it and run it that way. Managing dependencies is tough.
0 -
I typically have been running these sort of data collection scripts via GCP Functions, perhaps that is still the easier way. Can always send into Cribl via HEC and process that way
0