github/infisical
1
1
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-05-02 03:02:03 -04:00
Code Issues Packages Projects Releases Wiki Activity

docs: improved secret rotation documentation with better understanding

Browse Source
This commit is contained in:
Akhil Mohan
2024-02-27 19:02:55 +05:30
parent d8d2741868
commit 533de93199
3 changed files with 198 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
docs/documentation/platform/secret-rotation/mysql.mdx
View File

@@ -3,35 +3,98 @@ title: "MySQL/MariaDB"
description: "Rotated database user password of a MySQL or MariaDB"
---
Infisical will update periodically the provided database user's password.
Infisical MySQL secret rotation allows you to automatically rotate your MySQL database user's password at regular intervals.
<Warning>
At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
</Warning>
## Prerequisite
1. Create two users with the required permission in your MySQL instance. Let's call them `user-a` and `user-b`.
2. Create another MySQL user with permission to update the passwords of `user-a` and `user-b`. Let's call it `admin`
To learn more about MySQL Permissioning, please follow this [documentation](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html).
## Working
1. User's has to create the two user's for Infisical to rotate and provide them required database access
2. Infisical will connect with your database with admin access
3. If last rotated one was username1, then username2 is chosen to be rotated
5. Update it's password with random value
6. After testing it gets saved to the provided secret mapping
1. Infisical connects to your database using the provided `admin` user account.
2. A random value is generated and the password for `user-a` is updated with the new value.
3. The new password is then tested by logging into the database
4. If test is success, its saved to the output secret mappings so that rest of the system gets access.
5. The process is then repeated for `user-b` on the next rotation.
6. And the loop continues.
<AccordionGroup>
<Accordion title="Why can't we delete the other user when rotating?">
When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly.
This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out.
To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
</Accordion>
<Accordion title="Why do you need root user account?">
The rotatora account is used by Infisical to update the credentials for `user-a` and `user-b`.
You don't need to grant all permission for it. SQL has an amazing permission system, which means that the admin user only requires permission to update both the user passwords.
</Accordion>
</AccordionGroup>
## Rotation Configuration
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
2. Click on `MySQL`
3. Provide the inputs
- Admin Username: DB admin username
- Admin Password: DB admin password
- Host: DB host
- Port: DB port(number)
- Username1: The first username in two to rotate
- Username2: The second username in two to rotate
- CA: Certificate to connect with database(string)
4. Final step
<Steps>
<Step title="Open Secret Rotation Page">
Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar
</Step>
<Step title="Click on MySQL Card" />
<Step title="Provide the inputs">
These are inputs required by MySQL Rotation Providers
<Info>
Here Admin username and password means the rotator account. You don't need to provide the Database admin account.
</Info>
- Admin Username
Rotator Admin username
- Admin password
Rotator Admin password
- Host
Database host url
- Port
Database port number
- Username1
The first username in two to rotate - `user-a`
- Username2
The second username in two to rotate - `user-b`
- CA
Certificate to connect with database(string)
</Step>
<Step title="Configure the output secret mapping">
The secret keys to be replaced in the provided board after successful secret rotation
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
- Finally select the secrets in your provided board to replace with new secret after each rotation
- DB Username
The rotated database username.
- DB Password
The new generated credentials for the database user.
- Your done and good to go.
</Step>
</Steps>
Congrats. You have 10x your MySQL/MariaDB access security.

101
docs/documentation/platform/secret-rotation/postgres.mdx
View File

@@ -3,31 +3,98 @@ title: "PostgreSQL/CockroachDB"
description: "Rotated database user password of a PostgreSQL or Cockroach DB"
---
Infisical will update periodically the provided database user's password.
Infisical Postgres secret rotation allows you to automatically rotate your PostgreSQL database user's password at regular intervals.
<Warning>
At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
</Warning>
## Prerequisite
1. Create two users with the required permission in your PostgreSQL instance. Let's call them `user-a` and `user-b`.
2. Create another PostgreSQL user with permission to update the passwords of `user-a` and `user-b`. Let's call it `admin`
To learn more about Postgres Permissioning, please follow this [documentation](https://www.postgresql.org/docs/9.1/sql-grant.html).
## Working
1. User's has to create the two user's for Infisical to rotate and provide them required database access.
2. Infisical will connect with your database with admin access.
3. If last rotated one was username1, then username2 is chosen to be rotated.
5. Update it's password with random value.
6. After testing it gets saved to the provided secret mapping.
1. Infisical connects to your database using the provided `admin` user account.
2. A random value is generated and the password for `user-a` is updated with the new value.
3. The new password is then tested by logging into the database.
4. If test is success, its saved to the output secret mappings so that rest of the system gets access.
5. The process is then repeated for `user-b` on the next rotation.
6. And the loop continues.
<AccordionGroup>
<Accordion title="Why can't we delete the other user when rotating?">
When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly.
This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out.
To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
</Accordion>
<Accordion title="Why do you need root user account?">
The rotator account is used by Infisical to update the credentials for `user-a` and `user-b`.
You don't need to grant all permission for it. SQL has an amazing permission system, which means that the admin user only requires permission to update both the user passwords.
</Accordion>
</AccordionGroup>
## Rotation Configuration
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
2. Click on `PostgreSQL`
3. Provide the inputs
- Admin Username: DB admin username
- Admin Password: DB admin password
- Host: DB host
- Port: DB port(number)
- Username1: The first username in two to rotate
- Username2: The second username in two to rotate
- CA: Certificate to connect with database(string)
4. Final step
<Steps>
<Step title="Open Secret Rotation Page">
Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar
</Step>
<Step title="Click on PostgresSQL Card" />
<Step title="Provide the inputs">
These are inputs required by PostgresSQL Rotation Providers
<Info>
Here Admin username and password means the rotator account. You don't need to provide the Database admin account.
</Info>
- Admin Username
Rotator Admin username
- Admin password
Rotator Admin password
- Host
Database host url
- Port
Database port number
- Username1
The first username in two to rotate - `user-a`
- Username2
The second username in two to rotate - `user-b`
- CA
Certificate to connect with database(string)
</Step>
<Step title="Configure the output secret mapping">
The secret keys to be replaced in the provided board after successful secret rotation
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
- Finally select the secrets in your provided board to replace with new secret after each rotation
- DB Username
The rotated database username.
- DB Password
The new generated credentials for the database user.
- Your done and good to go.
</Step>
</Steps>
Congratulations. You have improved your PostgreSQL/CockroachDB access security.

48
docs/documentation/platform/secret-rotation/sendgrid.mdx
View File

@@ -6,26 +6,46 @@ description: "Rotate Twilio SendGrid API keys"
Twilio SendGrid is a cloud-based email delivery platform that helps businesses send transactional and marketing emails.
It uses an API key to do various operations. Using Infisical you can easily dynamically change the keys.
## Prerequisite
A valid SendGrid admin key with the necessary scope to create additional API keys. Additionally, make sure that your new API keys have the required scopes to perform the desired tasks.
Follow the [SendGrid Docs to create an admin api key](https://docs.sendgrid.com/ui/account-and-settings/api-keys)
## Working
1. Infisical will need an admin token of SendGrid to create API keys dynamically.
2. Using the given admin token and scope by user Infisical will create and rotate API keys periodically
3. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
1. Using the provided admin key and the given scope in input Infisical will create and rotate API keys periodically
2. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
## Rotation Configuration
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
2. Click on `Twilio SendGrid Card`
3. Provide the inputs
- Admin API Key:
SendGrid admin key to create lower scoped API keys.
- API Key Scopes
SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
<Steps>
<Step title="Open Secret Rotation Page">
Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar
</Step>
<Step title="Click on Twilio SendGrid Card" />
<Step title="Provide the inputs">
These are inputs required by SendGrid Rotation Providers
- Admin API Key
SendGrid admin API key to create lower scoped API keys.
- API Key Scopes
SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
</Step>
<Step title="Configure the output secret mapping">
The secret keys to be replaced in the provided board after successful secret rotation
4. Final step
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
- Finally select the secrets in your provided board to replace with new secret after each rotation
- Your done and good to go.
Now your output mapped secret value will be replaced periodically by SendGrid.
- API Key
The rotated new SendGrid API key
- Your done and good to go.
</Step>
</Steps>
Now your output mapped secret value will be replaced periodically by SendGrid.