OCI Vault with Python to retrieve a Secret From vault

Steps:

  1. Create a Compartment
  2. Create a Dynamic Group
  3. Create a Vault with a key and secret
  4. Create a Policy using the Dynamic Group
  5. Create a Compute Instance in the Compartment
  6. Install Linux packages – python 3.6, pip 20.0.2, and oci-cli 2.10.0
  7. Create a Python script on the Compute Instance to retrieve the secret

1. Create a Compartment

A compartment is a logical container used to organize and control access to OCI resources. In our case we need one compartment to hold both the Compute instance and the Vault, because the dynamic group rule and the policy in the later sections are scoped to it. If you already have a Compartment, feel free to skip to the next section. Use the following steps to create a compartment.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Identity > Compartments
  3. Click the Create Compartment button
  4. Enter the following:
  • Name: my-compartment
  • Description: My Compartment
  • Parent Compartment: select one
  5. Click Create Compartment
  6. Go into the new Compartment and copy its OCID; it is needed for the dynamic group matching rule next.

2. Create a Dynamic Group

A Dynamic Group is an IAM group whose membership is computed from a matching rule instead of being assigned by hand. Here the rule selects the Compute instances that are allowed to call the Vault service as an instance principal, without any API key or config file on the instance. The rule used below is an example and can be adjusted to other requirements. Use the following steps to create a dynamic group.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Identity > Dynamic Groups
  3. Click the Create Dynamic Group button
  4. Enter the following:
  • Name: my-secret-group
  • Description: My Secret Dynamic Group
  • Matching Rule: instance.compartment.id = '<ocid_compartment>'
  • NOTE: <ocid_compartment> is the OCID copied from my-compartment created earlier. This rule makes every instance in the compartment a member; to restrict membership to a single instance, match on instance.id = '<ocid_instance>' instead.
  5. Click the Create Dynamic Group button to save

3. Create a Vault with a key and secret

We will now create a Vault in the compartment created earlier, then add a key that will be used to encrypt a new secret. The secret could be anything, but for our example we will store a password. You can add multiple secrets to the same vault if needed. Use the following steps to create a vault, a key, and a secret.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Security > Vault
  3. Select the compartment my-compartment created earlier, or an existing compartment
  4. Click the Create Vault button
  5. Enter the following:
  • Name: my-vault
  6. Click the Create Vault button to save
  7. Click on the my-vault that was just created
  8. Click on the Keys link under Resources
  9. Click the Create Key button
  10. Enter a Name for the key, e.g. my-vault-key
  11. Select 256 bits as the Key Shape length
  12. Click the Create Key button to save
  13. Click on the Secrets link under Resources
  14. Click the Create Secret button
  15. Enter the following:
  • Name: my-secret
  • Description: My Secret
  • Encryption Key: select my-vault-key created earlier
  • Secret Contents: <my secret here>
  16. Click the Create Secret button
  17. Click on the secret "my-secret"
  18. Copy the secret OCID; it is needed in the Python script later.

4. Create a Policy using the Dynamic Group

A policy provides a way to control access to resources. The example in the OCI documentation section Creating a Dynamic Group and Matching Rules is written for administrators who need to manage Vaults, Keys, and Secrets, which grants far more than this script needs. An instance that only has to read one secret should get a least-privilege statement instead: read-only access to the secret family, scoped to the one compartment and filtered to the one secret by name, i.e.

allow dynamic-group my-secret-group to read secret-family in compartment my-compartment where target.secret.name = 'my-secret'

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Identity > Policies
  3. Click the Create Policy button
  4. Enter the following:
  • Name: my-secret-policy
  • Description: My Secret Policy
  • Statements:
  • allow dynamic-group my-secret-group to read secret-family in compartment my-compartment where target.secret.name = 'my-secret'
  5. Click the Create button to save
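The two ends of the privilege scale side by side, as an added illustration that is not part of the original post. The group, compartment and secret names are the ones used on this page and the matching rule uses the page's <ocid_compartment> placeholder; the <ocid_secret> placeholder is assumed, and the manage statement is constructed for contrast rather than copied from the OCI documentation:

```text
# Dynamic group matching rule: every Compute instance in my-compartment is a member
Any {instance.compartment.id = '<ocid_compartment>'}

# Too broad for this use case: lets every instance in the group create, update,
# rotate and delete any secret in the compartment
allow dynamic-group my-secret-group to manage secret-family in compartment my-compartment

# What this page uses: read-only, and only the secret selected by name
allow dynamic-group my-secret-group to read secret-family in compartment my-compartment where target.secret.name = 'my-secret'

# Stricter still: pin the grant to the secret's OCID rather than its name, so it
# follows exactly one resource even if the secret is renamed or another one is
# created with the same name
allow dynamic-group my-secret-group to read secret-family in compartment my-compartment where target.secret.id = '<ocid_secret>'
```

OCI policies are additive and have no deny statement. If another policy in this compartment or a parent already grants manage on secret-family to a group the instance belongs to, the narrow statement above does not take that away, so review the existing policies before trusting the scope of this one.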

5. Create a Compute Instance in the Compartment

The last two sections install some Linux packages and create a script, but before that we need a Compute instance. If you already have one you can skip this step; otherwise these are the basic steps for creating a Linux instance. Make sure the instance is created in my-compartment, since that is the compartment the dynamic group matching rule and the policy are scoped to; an instance elsewhere will not be a member of the group and the secret retrieval will fail.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Compute > Instances
  3. Click the Create Instance button
  4. Use the following example:
  • Name: linux
  • Compartment: my-compartment
  • Image: leave the default Oracle Linux 7.8 or select Oracle Linux 6.10
  • Change Shape: pick your shape
  • Configure networking: pick your VCN, Subnet Compartment, and Subnet
  • Add SSH keys: add your SSH public key
  5. Click the Create button to create the instance.

6. Install Linux packages – python 3.6, pip 20.0.2, and oci-cli 2.10.0

  1. SSH into the instance. If python3 is not already present, install it from the Oracle Linux yum repository first.
  2. Create a virtual environment: python3 -m venv myenv
  3. Activate the environment. On Linux the activate script lives under bin, not Scripts (myenv\Scripts\activate is the Windows path): source myenv/bin/activate
  4. Install the CLI: pip install oci-cli. This also pulls in the oci Python SDK package that the script below imports.

7. Create a Python script on the Compute Instance to retrieve the secret

Finally, we can create a script to retrieve our secret. The following steps create a Python script that you can use as a starting point. The same call is available in the other languages with an OCI SDK, such as Java, Ruby, and Go, and from the Command Line Interface. Use the following steps to create the Python script from the given example.

  1. SSH into the Linux instance created earlier and create a file:

Cmd: vim get-secret.py

  2. Press "i" and paste in the following Python script.

#!/usr/bin/env python3
# coding: utf-8
# COPYRIGHT (c) 2020 ORACLE A-TEAM
# THIS SAMPLE CODE IS PROVIDED FOR EDUCATIONAL PURPOSES OR
# TO ASSIST YOUR DEVELOPMENT OR ADMINISTRATION EFFORTS AND
# PROVIDED "AS IS" AND IS NOT SUPPORTED BY ORACLE CORPORATION.
# License: http://www.apache.org/licenses/LICENSE-2.0.html

import base64
import sys

import oci

# Replace the secret_id value below with the OCID of your secret
secret_id = "ocid1.vaultsecret.oc1.<my_secret_ocid>"

# The instance principal signer fetches a short-lived certificate from the
# instance metadata service and, by default, talks to the auth service in the
# region the instance is running in. Nothing is read from ~/.oci/config.
signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()

# Region and tenancy are obtained from the signer, so an empty config is enough.
secret_client = oci.secrets.SecretsClient(config={}, signer=signer)


def read_secret_value(secret_client, secret_id):
    """Fetch the CURRENT version of the secret and return its decoded value.

    The Vault service returns the secret contents base64-encoded. The policy
    from section 4 is what authorizes this call for the instance principal.
    """
    response = secret_client.get_secret_bundle(secret_id)
    base64_secret_content = response.data.secret_bundle_content.content
    secret_bytes = base64.b64decode(base64_secret_content)
    # Decode as UTF-8 so a secret containing non-ASCII characters still works
    return secret_bytes.decode("utf-8")


if __name__ == "__main__":
    try:
        secret_contents = read_secret_value(secret_client, secret_id)
    except oci.exceptions.ServiceError as err:
        # A 404 NotAuthorizedOrNotFound here usually means the policy does not
        # grant this instance read on the secret, not that the secret is missing
        sys.exit("failed to retrieve secret: %s" % err)
    print(secret_contents)

  3. Be sure to change the secret_id OCID in the get-secret.py script to your secret, then save and exit.

secret_id = "ocid1.vaultsecret.oc1.<my_secret_ocid>"

  4. Make the get-secret.py script executable.

chmod +x get-secret.py

  5. Run the following command to return the secret.

./get-secret.py

The script prints the secret only because this is a demonstration. In real use, consume the value inside the process (for example, hand it to a database driver) rather than writing it to stdout, where it ends up in terminal scrollback and in any session or job log that captures output.
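A stricter version of the retrieval step, as an added example that is not part of the original post or of the Oracle A-Team sample. It keeps the same SDK calls (InstancePrincipalsSecurityTokenSigner, SecretsClient.get_secret_bundle) but adds what a production caller usually needs: the secret version can be pinned by number or selected by stage (PENDING is useful for testing a rotation before it becomes CURRENT), the bundle's content type is checked before decoding, decoding failures become one typed error, and the value is returned rather than printed. The SecretRetrievalError class, the function names and the fake bundle shape used for offline testing are assumptions; the SDK client is only built when the script is run on an OCI instance.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): stricter secret retrieval.

Compared with get-secret.py above:
  * the version can be pinned (version_number) or chosen by stage;
  * the content type is validated and the bytes are decoded as UTF-8;
  * the secret is returned to the caller, never printed or logged.
The decode/validate logic is pure Python so it can be unit-tested with a
fake client; the oci SDK is imported lazily inside make_client().
"""
import base64
import binascii
from typing import Optional


class SecretRetrievalError(RuntimeError):
    """Raised when the bundle is not in a shape we are willing to trust."""


def decode_bundle(bundle, expected_stage: Optional[str] = None) -> str:
    """Validate and decode a SecretBundle (the SDK's response.data).

    `bundle` is duck-typed: it needs .secret_bundle_content (with .content_type
    and .content), .stages (list of str) and .version_number, which is the
    shape of oci.secrets.models.SecretBundle.
    """
    content = bundle.secret_bundle_content
    content_type = getattr(content, "content_type", None)
    if content_type != "BASE64":
        raise SecretRetrievalError("unexpected content type %r" % content_type)
    if expected_stage is not None and expected_stage not in (bundle.stages or []):
        raise SecretRetrievalError(
            "version %s is not in stage %s (stages=%s)"
            % (bundle.version_number, expected_stage, bundle.stages))
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(content.content, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise SecretRetrievalError("secret content is not valid base64") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SecretRetrievalError("secret content is not UTF-8 text") from exc


def read_secret(secret_client, secret_id: str,
                version_number: Optional[int] = None,
                stage: Optional[str] = None) -> str:
    """Fetch one secret version and return its decoded value.

    Pass version_number or stage, not both. With neither, the service returns
    the CURRENT version. When a stage is requested, the returned bundle is
    checked to actually carry that stage before it is trusted.
    """
    if version_number is not None and stage is not None:
        raise ValueError("pass version_number or stage, not both")
    kwargs = {}
    if version_number is not None:
        kwargs["version_number"] = version_number
    if stage is not None:
        kwargs["stage"] = stage
    response = secret_client.get_secret_bundle(secret_id, **kwargs)
    return decode_bundle(response.data, expected_stage=stage)


def make_client():
    """Build a SecretsClient authenticated as the instance principal.

    Imported here so the functions above run without the SDK installed.
    The SDK's default retry strategy handles transient 429/5xx responses.
    """
    import oci
    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
    return oci.secrets.SecretsClient(
        config={}, signer=signer,
        retry_strategy=oci.retry.DEFAULT_RETRY_STRATEGY)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: get-secret-strict.py <secret ocid>")
    value = read_secret(make_client(), sys.argv[1])
    # Use the value in-process; only its length goes to stderr.
    sys.stderr.write("retrieved %d characters\n" % len(value))
```

Before running either script, the same retrieval can be checked from the CLI installed in section 6, which tells you whether the dynamic group and policy are right without involving Python: oci --auth instance_principal secrets secret-bundle get --secret-id <secret ocid>. A 404 NotAuthorizedOrNotFound from that command means the instance is not a member of the dynamic group or the policy does not cover the secret.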