Password Managers

Password managers in Gigantics allow you to integrate with external password management solutions to securely retrieve database credentials at runtime. This approach eliminates the need to store sensitive passwords directly in the application while providing dynamic access to credentials managed by dedicated password management systems.

Overview

Gigantics supports two primary methods for integrating with password managers:

  1. API Integration: Connect to REST APIs that provide credential retrieval services
  2. Command-line Integration: Execute external commands to retrieve credentials

When to Use Password Managers

Password managers are particularly useful when:

  • You need to comply with security policies that prohibit storing passwords in application databases
  • Your organization uses centralized password management solutions like HashiCorp Vault, CyberArk Conjur, etc.
  • You want to dynamically retrieve credentials without manual updates
  • You're dealing with frequently rotated passwords
  • You need to provide per-connection username overrides

UI Components

The password managers interface consists of two main components:

Password Managers List Page

┌─────────────────────────────────────────────────────────────────────────────┐
│ PASSWORD MANAGERS                                                           │
├─────────────────────────────────────────────────────────────────────────────┤
│ Connect with your password managers to authenticate a database              │
│ [ Create ]                                                                  │
├─────────────────────────────────────────────────────────────────────────────┤
│ [Search]                                                                    │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Name        │ Type │ Created By │ Updated at │ Actions                  │ │
│ │─────────────────────────────────────────────────────────────────────────│ │
│ │ My Vault    │ API  │ John Doe   │ 2 hours    │ Edit                     │ │
│ │ Manager     │      │            │ ago        │ Delete                   │ │
│ │             │      │            │            │                          │ │
│ │ https://    │      │            │            │                          │ │
│ │ yourserver/ │      │            │            │                          │ │
│ │ v1/secret/  │      │            │            │                          │ │
│ │ data        │      │            │            │                          │ │
│ │─────────────────────────────────────────────────────────────────────────│ │
│ │ CLI Pass    │ CMD  │ Jane Smith │ 1 day      │ Edit                     │ │
│ │ Manager     │      │            │ ago        │ Delete                   │ │
│ │             │      │            │            │                          │ │
│ │ /usr/local/ │      │            │            │                          │ │
│ │ bin/get-    │      │            │            │                          │ │
│ │ credentials │      │            │            │                          │ │
└─────────────────────────────────────────────────────────────────────────────┘

Password Manager Creation/Editing Form

The form is divided into three sections:

General Section

  • Name: A descriptive name for your password manager configuration

Connection Section

  • Type: Choose between "Rest API" or "Command line" integration methods
  • API URL (API type): The endpoint URL to retrieve credentials from
  • Headers (API type): YAML-formatted HTTP headers for authentication
  • Command Path (CMD type): Path to the executable command that retrieves credentials
  • ENV variables (CMD type): YAML-formatted environment variables to pass to the command
  • Output format: Choose between "JSON" or "Text" format for credential responses

Matchers Section

  • Username will be provided per connection: Checkbox to indicate if usernames will be provided per connection
  • Username: Pattern or field name to extract the username from the response
  • Password: Pattern or field name to extract the password from the response

Integration Methods

API Integration

For API-based password managers:

  1. Configure the endpoint URL that returns credentials
  2. Set any required HTTP headers for authentication (e.g., API tokens)
  3. Define matchers to extract username/password from the response
  4. Choose the output format (JSON or Text)

Example configuration for HashiCorp Vault:

API URL: https://your-vault-server.com/v1/secret/data/database-credentials
Headers:
  X-Vault-Token: s.abc123xyz
Output Format: JSON
Username Matcher: data.username
Password Matcher: data.password
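
Whether matchers such as data.username resolve depends on how deeply the response nests the secret. The following added example (not Gigantics code) assumes a matcher is a dot-separated path into the JSON body and checks matchers against two constructed responses: a flat KV v1 shape and the KV v2 shape, where the secret sits under data.data.

```python
import json

# Constructed sample bodies in the two shapes a Vault KV read can return.
KV_V1_BODY = '{"data": {"username": "app_ro", "password": "constructed-pw"}}'
KV_V2_BODY = ('{"data": {"data": {"username": "app_ro", "password": "constructed-pw"},'
              ' "metadata": {"version": 3}}}')

_MISSING = object()


def resolve(document, path):
    """Walk a dot-separated path (assumed matcher syntax) through nested JSON objects."""
    node = document
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def check_matchers(body, matchers):
    """Return {matcher name: status} without ever returning the secret values."""
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        return {name: "response is not JSON" for name in matchers}
    report = {}
    for name, path in matchers.items():
        value = resolve(document, path)
        if value is _MISSING:
            report[name] = f"no field at {path}"
        elif not isinstance(value, str) or not value:
            report[name] = f"{path} is not a non-empty string"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    page_matchers = {"username": "data.username", "password": "data.password"}
    print(check_matchers(KV_V1_BODY, page_matchers))
    print(check_matchers(KV_V2_BODY, page_matchers))
    print(check_matchers(KV_V2_BODY, {"username": "data.data.username",
                                      "password": "data.data.password"}))
```

The report carries only field status, so it can be pasted into a ticket or log without exposing the credential.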

Command-line Integration

For command-line based password managers:

  1. Specify the path to the executable that retrieves credentials
  2. Configure environment variables needed by the command
  3. Define matchers to extract username/password from the command output
  4. Choose the output format (JSON or Text)

Example configuration for a custom script:

Command Path: /usr/local/bin/get-db-credentials
ENV variables:
  VAULT_ADDR: https://your-vault-server.com
  VAULT_TOKEN: s.abc123xyz
Output Format: JSON
Username Matcher: username
Password Matcher: password

Supported Password Management Solutions

HashiCorp Vault

Vault is a popular secrets management solution that provides secure storage and access to credentials. You can integrate with Vault through its REST API to dynamically retrieve database credentials.

CyberArk Conjur

CyberArk Conjur is an enterprise-grade secrets management platform that provides secure credential storage, rotation, and access control.

AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources.

Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets.

Best Practices

  1. Security First: Always use secure connections (HTTPS) when integrating with password managers
  2. Environment Variables: Use environment variables for sensitive configuration like API tokens instead of storing them directly
  3. Proper Matchers: Ensure your username and password matchers correctly extract credentials from the response format
  4. Testing: Test your password manager configuration to ensure it properly retrieves credentials
  5. Error Handling: Implement appropriate error handling for credential retrieval failures
  6. Access Controls: Ensure only authorized users can create or modify password manager configurations

Strategic Implementation Approaches

For HashiCorp Vault Integration

  • Create policies in Vault that limit access to only the necessary database credentials
  • Use Vault's dynamic secrets capabilities where possible for automatic credential rotation
  • Implement AppRole authentication for the Gigantics application to Vault
  • Structure your Vault paths logically to match your Gigantics project organization

For CyberArk Conjur Integration

  • Leverage Conjur's identity and access management features to control who can retrieve which credentials
  • Use the Conjur API to retrieve secrets at runtime rather than storing them
  • Implement host identities for the Gigantics application in Conjur
  • Utilize Conjur's secret rotation capabilities to automatically update credentials

For Custom Solutions

  • Ensure your custom command-line tools output credentials in a consistent, parseable format
  • Implement proper logging and error handling in your custom tools
  • Use secure methods to pass authentication tokens to your custom tools (environment variables, temporary files, etc.)
  • Validate and sanitize the output from your custom tools before processing
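
One way to write the /usr/local/bin/get-db-credentials script from the Command-line Integration example so that it follows the points above (an added example, not Gigantics or Vault code). It reads VAULT_ADDR and VAULT_TOKEN from the environment, refuses non-HTTPS addresses, and prints only username and password as JSON; the secret path and the KV v2 response shape are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical get-db-credentials: prints {"username": ..., "password": ...} as JSON."""
import json
import os
import sys
import urllib.request

SECRET_PATH = "/v1/secret/data/database-credentials"  # assumed: same path as the API example


def build_request(env):
    """Build the Vault read request from VAULT_ADDR / VAULT_TOKEN; HTTPS only."""
    addr = env.get("VAULT_ADDR", "").rstrip("/")
    token = env.get("VAULT_TOKEN", "")
    if not addr.startswith("https://"):
        raise ValueError("VAULT_ADDR must be an https:// URL")
    if not token:
        raise ValueError("VAULT_TOKEN is not set")
    return urllib.request.Request(addr + SECRET_PATH, headers={"X-Vault-Token": token})


def extract_credentials(body):
    """Reduce a Vault KV v2 response body (assumed shape) to the two fields the matchers read."""
    secret = json.loads(body)["data"]["data"]  # KV v2 nests the secret under data.data
    creds = {}
    for key in ("username", "password"):
        value = secret.get(key)
        # Reject missing, empty, non-string or multi-line values instead of passing them on.
        if not isinstance(value, str) or not value or "\n" in value or "\r" in value:
            raise ValueError(f"field {key!r} is missing or malformed")
        creds[key] = value
    return json.dumps(creds)


def main():
    try:
        with urllib.request.urlopen(build_request(os.environ), timeout=10) as resp:
            print(extract_credentials(resp.read()))
        return 0
    except Exception as exc:
        # Report only the error class: messages may echo the response or the URL.
        print(f"get-db-credentials: {type(exc).__name__}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main())
```

With Output Format set to JSON, the matchers for this script's output are the flat field names username and password, as in the example configuration.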

Security Considerations

When implementing password managers, consider these security aspects:

  1. Credential Rotation: Integrate with password managers that support automatic credential rotation
  2. Audit Trails: Use password managers that provide audit logs for credential access
  3. Least Privilege: Configure your password managers to provide minimal necessary access
  4. Encryption: Ensure all communication with password managers is encrypted
  5. Authentication: Use strong authentication mechanisms for accessing password managers

Using Password Managers with Datasources

Once you've configured a password manager, you can associate it with datasources:

  1. Navigate to your datasource configuration
  2. In the authentication section, select "Password Manager" as the auth type
  3. Choose the password manager you want to use from the dropdown
  4. Optionally specify a username if not using per-connection usernames
  5. Save the datasource configuration

The system will automatically retrieve credentials from your password manager whenever a connection is established.