No Secrets, No Friction
Ship Safer Apps Faster

What is the Secretless Broker?

The Secretless Broker lets your applications connect securely to services - without ever having to fetch or manage passwords or keys.

Build Faster Without Secrets

Eliminate secrets management from the application development process and speed up time to market. Secretless Broker transparently manages secrets so you don't have to. Abstracting secrets management means you don’t need to learn vault APIs or update application code to fetch secrets.

Prevent Secret Leaks

Applications cannot leak what they don't have. Once a secret is inside an application, even a short-lived one can end up in logs, crash dumps, error messages or source control. With Secretless Broker the application process never holds the credential, so a compromised or misbehaving application cannot exfiltrate it, and the broker picks up rotated secret values at runtime without any application change. Note that this removes credential theft, not credential use: anything that can reach the broker's local listener can use the connection it brokers, so that listener must only be reachable by the intended application (for example over a Unix socket or the loopback interface inside the application's pod).

Open Source

Secretless Broker is open source, and its code is open and auditable. It is designed to be pluggable, so it’s easy to add support for additional services or vaults. It is natively integrated with Kubernetes for operational simplicity.

The Old Way

Traditional Architecture

Developer Responsibilities

  • Fetch secrets from vault
  • Securely handle fetched secrets within app
  • Resiliently handle secret rotations
  • Manage connection disruptions
  • Connect to target services using fetched secrets

With Secretless Broker

Secretless Broker Architecture

Developer Responsibilities

  • Manage connection disruptions
  • Connect to target services using local sockets and URLs
Secretless Broker Automates the Rest

Get started with a simple example

Follow the instructions below to run through a simple example and see how Secretless works. The quickstart image bundles three password-protected target services (PostgreSQL, SSH, and an HTTP service behind Basic authentication) with a Secretless Broker listener in front of each; the three walkthroughs below are alternatives, so pick whichever you like. If you don't have it already, you will need to install Docker.

Interested in seeing the full list of services we support? Check out our documentation.

PostgreSQL

  1. Run this command to download the Secretless Broker quick start Docker image and run it as a Docker container:

    $ docker container run \
    --rm \
    -p 5432:5432 \
    -p 5454:5454 \
    cyberark/secretless-broker-quickstart
  2. In a separate terminal window, you can try to send requests to PostgreSQL from outside the container.

    Direct access to the PostgreSQL database is available over port 5432. Try to query some data. Since you don't have the credentials required to connect (even if you know the username), your attempt will fail:

    $ psql \
    "host=localhost port=5432 user=secretless dbname=quickstart sslmode=disable" \
    -c 'select * from counties;'
    
    Password for user secretless:
    psql: FATAL:  password authentication failed for user "secretless"
  3. The good news is that you don't need any credentials! Instead, you can connect to the password-protected PostgreSQL database via the Secretless Broker on port 5454, without knowing the password. Note that sslmode=disable here applies only to the hop from psql to the broker on localhost; the broker opens the connection to the database itself, with whatever TLS settings it has been configured with. Give it a try:

    $ psql \
    "host=localhost port=5454 user=secretless dbname=quickstart sslmode=disable" \
    -c 'select * from counties;'
    
    id |    name
    ----+------------
     1 | Middlesex
     2 | Worcester
     3 | Essex
     4 | Suffolk
     5 | Norfolk
     6 | Bristol
     7 | Plymouth
     8 | Hampden
     9 | Barnstable
    10 | Hampshire
    11 | Berkshire
    12 | Franklin
    13 | Dukes
    14 | Nantucket
    (14 rows)
SSH

  1. Run this command to download the Secretless Broker quick start Docker image and run it as a Docker container:

    $ docker container run \
    --rm \
    -p 2221:22 \
    -p 2222:2222 \
    cyberark/secretless-broker-quickstart
  2. In a separate terminal window, you can try to SSH into the container.

    The default SSH service is exposed over port 2221. Try to open an SSH connection to the server. Since you don't have the credentials to log in, your attempt will fail:

    $ ssh -p 2221 user@localhost
    
    The authenticity of host '[localhost]:2221 ([127.0.0.1]:2221)' can't be established.
    ECDSA key fingerprint is SHA256:FLnEsQ6aa1qEQopwywlWXI0LeNb04An72BThZZ8GNy8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[localhost]:2221' (ECDSA) to the list of known hosts.
    Permission denied (publickey,keyboard-interactive).
  3. The good news is that you don't need credentials! You can establish an SSH connection through the Secretless Broker on port 2222 without any credentials. Give it a try:

    $ ssh -p 2222 user@localhost
    
    The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
    RSA key fingerprint is SHA256:fSn95WSqzC9JpAdZNs3iAEuRQckQSts26dJM9Hqwwh8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
    
    You've established an SSH connection via Secretless!
    
    Check out https://secretless.io for more information.
    
    bdfe24ac8aaf:~$
HTTP

  1. Run this command to download the Secretless Broker quick start Docker image and run it as a Docker container:

    $ docker container run \
    --rm \
    -p 8080:80 \
    -p 8081:8081 \
    cyberark/secretless-broker-quickstart
  2. In a separate terminal window, you can try to send the service HTTP requests from outside the container.

    The service we're trying to connect to is listening on port 8080. Try to access the service directly. Since you don't know the credentials, the service will inform you that you're unauthorized:

    $ curl -i localhost:8080
    
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.14.0
    Date: Thu, 20 Sep 2018 16:11:44 GMT
    Content-Type: text/plain
    Content-Length: 26
    Connection: keep-alive
    WWW-Authenticate: Basic realm="Authentication required"
    
    You are not authenticated.
    
  3. Instead, you can make an authenticated HTTP request by proxying through the Secretless Broker on port 8081. The Secretless Broker will inject the proper Authorization header into the request without you needing to know the credentials. Because the broker has to read and modify the request to do this, the hop from the application to the broker is plain HTTP; the broker is meant to run next to the application (same host or pod) so that hop never leaves the machine. Give it a try:

    $ http_proxy=localhost:8081 curl -i localhost:8080
    
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 35
    Content-Type: text/plain
    Date: Thu, 20 Sep 2018 16:12:25 GMT
    Server: nginx/1.14.0
    
    You are successfully authenticated.
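
To make the quickstart concrete, here is an added illustrative secretless.yml, written for this page rather than taken from the quickstart image or the project's repository, that would give a broker the two listeners used above (5454 for PostgreSQL and 8081 for HTTP Basic auth). Field names follow the Secretless Broker v2 configuration format; the target hostname, the username and password values, and the environment variable names are assumptions for the example. The SSH walkthrough is configured the same way with the ssh connector and is omitted here.

```yaml
# secretless.yml: illustrative configuration added to this page, not the
# quickstart image's own file. Field names follow the Secretless Broker v2
# configuration format; hosts, credential values and variable names below are
# assumptions for the example.
version: "2"
services:

  # The application connects to 127.0.0.1:5454 with no password. The broker
  # authenticates to the real PostgreSQL server with the credentials below,
  # which the application process never sees.
  quickstart-pg:
    connector: pg
    listenOn: tcp://127.0.0.1:5454        # or unix:///sock/.s.PGSQL.5432
    credentials:
      host: postgres.internal.example     # assumed target host
      port: 5432
      username: secretless
      password:
        from: env
        get: QUICKSTART_PG_PASSWORD       # assumed environment variable
      sslmode: require                    # TLS on the broker-to-database hop

  # Forward proxy on 127.0.0.1:8081 that adds "Authorization: Basic ..." to
  # plain-HTTP requests the application sends through it
  # (http_proxy=127.0.0.1:8081).
  quickstart-http:
    connector: basic_auth
    listenOn: tcp://127.0.0.1:8081
    credentials:
      username: quickstart-user           # assumed
      password:
        from: env
        get: QUICKSTART_HTTP_PASSWORD     # assumed environment variable
```

Run it with `secretless-broker -f secretless.yml` in the same environment as the application, with the two environment variables set for the broker process only. Both listeners are bound to the loopback interface on purpose: the broker cannot distinguish the intended application from any other local process that reaches the socket, so the listener address is the one access-control decision this file makes.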
    

Want to learn more? Check out our documentation for more information, like how to use Secretless Broker in your Kubernetes environment!