No Secrets, No Friction
Ship Safer Apps Faster

What is the Secretless Broker?

The Secretless Broker lets your applications connect securely to services - without ever having to fetch or manage passwords or keys.

Build Faster Without Secrets

Eliminate secrets management from the application development process and speed up time to market. Secretless Broker transparently manages secrets so you don't have to. Abstracting secrets management means you don’t need to learn vault APIs or update application code to fetch secrets.

Prevent Secret Leaks

Applications cannot leak what they don't have. Once a secret is inside an application, even a short-lived one can be exposed: written to a log, captured in a crash dump, or read out of process memory. Because the Secretless Broker holds the credentials and authenticates to the target service on the application's behalf, there is no credential in the application for an attacker to steal, and the broker transparently handles runtime changes to secret values such as rotations. The credentials still exist on the host, inside the broker process, so protecting the broker and its own access to the vault is where the security boundary moves.

Open Source

Secretless Broker is open source, so its code can be read and audited. It is designed to be pluggable, so support for additional target services or vaults can be added as connectors and providers. It is natively integrated with Kubernetes for operational simplicity.

The Old Way

Traditional Architecture

Developer Responsibilities

  • Fetch secrets from vault
  • Securely handle fetched secrets within app
  • Resiliently handle secret rotations
  • Manage connection disruptions
  • Connect to target services using fetched secrets

With Secretless Broker

Secretless Broker Architecture

Developer Responsibilities

  • Manage connection disruptions
  • Connect to target services using local sockets and URLs

Secretless Broker Automates the Rest

Get started with a simple example

PostgreSQL

  1. Download and run the Secretless Broker quick-start as a Docker container:

    $ docker container run \
    --rm \
    -p 5432:5432 \
    -p 5454:5454 \
    cyberark/secretless-broker-quickstart
  2. Direct access to the PostgreSQL database is available over port 5432. You can try querying some data, but you don't have the credentials required to connect (even if you know the username):

    $ PGSSLMODE=disable psql \
    --host localhost \
    --port 5432 \
    --username secretless \
    -d quickstart \
    -c 'select * from counties;'
    
    Password for user secretless:
    psql: FATAL:  password authentication failed for user "secretless"
  3. The good news is that you don't need any credentials. Instead, you can connect to the password-protected PostgreSQL database via the Secretless Broker on port 5454, without knowing the password. The broker accepts the plaintext client connection on its local listener, which is why SSL is disabled here, and authenticates to the real database itself. Give it a try:

    $ PGSSLMODE=disable psql \
    --host localhost \
    --port 5454 \
    --username secretless \
    -d quickstart \
    -c 'select * from counties;'
    
    id |    name
    ----+------------
     1 | Middlesex
     2 | Worcester
     3 | Essex
     4 | Suffolk
     5 | Norfolk
     6 | Bristol
     7 | Plymouth
     8 | Hampden
     9 | Barnstable
    10 | Hampshire
    11 | Berkshire
    12 | Franklin
    13 | Dukes
    14 | Nantucket
    (14 rows)

SSH

  1. Download and run the Secretless Broker quick-start as a Docker container:

    $ docker container run \
    --rm \
    -p 2221:22 \
    -p 2222:2222 \
    cyberark/secretless-broker-quickstart
  2. The default SSH service is exposed over port 2221. You can try opening an SSH connection to the server, but you don't have the credentials to log in:

    $ ssh -p 2221 user@localhost
    
    The authenticity of host '[localhost]:2221 ([127.0.0.1]:2221)' can't be established.
    ECDSA key fingerprint is SHA256:FLnEsQ6aa1qEQopwywlWXI0LeNb04An72BThZZ8GNy8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[localhost]:2221' (ECDSA) to the list of known hosts.
    Permission denied (publickey,keyboard-interactive).
  3. The good news is that you don't need credentials! You can establish an SSH connection through the Secretless Broker on port 2222 without any credentials. Give it a try:

    $ ssh -p 2222 user@localhost
    
    The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
    RSA key fingerprint is SHA256:fSn95WSqzC9JpAdZNs3iAEuRQckQSts26dJM9Hqwwh8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
    
    You've established an SSH connection via Secretless!
    
    Check out https://secretless.io for more information.
    
    bdfe24ac8aaf:~$

HTTP

  1. Download and run the Secretless Broker quick-start as a Docker container:

    $ docker container run \
    --rm \
    -p 8080:80 \
    -p 8081:8081 \
    cyberark/secretless-broker-quickstart
  2. The service we're trying to connect to is listening on port 8080. If you try to access it, the service will inform you that you're unauthorized:

    $ curl -i localhost:8080
    
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.14.0
    Date: Thu, 20 Sep 2018 16:11:44 GMT
    Content-Type: text/plain
    Content-Length: 26
    Connection: keep-alive
    WWW-Authenticate: Basic realm="Authentication required"
    
    You are not authenticated.
    
  3. Instead, you can make an authenticated HTTP request by proxying through the Secretless Broker on port 8081. The Secretless Broker acts as a forward proxy and injects the proper credentials into the request without you needing to know what they are. Because it works by rewriting the request, this applies to plain HTTP requests the broker can read, as the service on port 8080 is here. Give it a try:

    $ http_proxy=localhost:8081 curl -i localhost:8080
    
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 35
    Content-Type: text/plain
    Date: Thu, 20 Sep 2018 16:12:25 GMT
    Server: nginx/1.14.0
    
    You are successfully authenticated.
    
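To make the mechanism behind the HTTP quick start concrete, here is a small stdlib-only model of it, written for this page and not taken from the Secretless Broker source. It runs three pieces on localhost: an upstream service that demands HTTP Basic auth (standing in for the nginx on port 8080), a broker-style forward proxy that is the only process holding the credential and injects an `Authorization` header into every request it relays (standing in for the broker on port 8081), and a client that requests the same URL directly and then through the proxy. The ports are ephemeral, and the username, password and response bodies are constructed for the demo. It also illustrates the "Prevent Secret Leaks" point above: the client code contains no credential that could leak.

```python
"""Toy model of the Secretless Broker HTTP quick start (example code for this
page, not Secretless code): an upstream service requiring Basic auth, a
credential-injecting forward proxy, and a client that never sees the password."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed demo credential. Only the broker process knows it.
UPSTREAM_USER = "quickstart"
UPSTREAM_PASSWORD = "constructed-demo-password"


def _basic_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class UpstreamHandler(BaseHTTPRequestHandler):
    """Password-protected service: 401 unless the Basic credential matches."""

    def do_GET(self):
        expected = _basic_header(UPSTREAM_USER, UPSTREAM_PASSWORD)
        if self.headers.get("Authorization") == expected:
            body = b"You are successfully authenticated."
            self.send_response(200)
        else:
            body = b"You are not authenticated."
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Authentication required"')
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class BrokerHandler(BaseHTTPRequestHandler):
    """Forward proxy that injects the credential into plain-HTTP requests.

    A proxied request carries an absolute URL in the request line
    (GET http://host:port/path HTTP/1.1); the proxy dials that host itself,
    so the client only ever knows the proxy's address.
    """

    def do_GET(self):
        target = urlsplit(self.path)
        # Relay the client's headers minus hop-by-hop ones and any Authorization
        # it sent; the proxy, not the client, decides which credential is used.
        drop = ("proxy-connection", "connection", "authorization", "host")
        headers = {k: v for k, v in self.headers.items() if k.lower() not in drop}
        headers["Host"] = target.netloc
        headers["Authorization"] = _basic_header(UPSTREAM_USER, UPSTREAM_PASSWORD)
        conn = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        conn.request("GET", target.path or "/", headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        # Pass the upstream response back; Server/Date are added by send_response.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("connection", "transfer-encoding", "server", "date"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a handler on an ephemeral localhost port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(host, port, path="/", proxy_port=None):
    """GET http://host:port/path, directly or via a forward proxy.

    Returns (status, body). Note that no password appears anywhere here.
    """
    if proxy_port is None:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
    else:  # absolute-form request line, as curl sends when http_proxy is set
        conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
        conn.request("GET", f"http://{host}:{port}{path}")
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def run_demo():
    """Reproduce the quick start: direct request gets 401, proxied request 200."""
    upstream, up_port = _serve(UpstreamHandler)
    broker, broker_port = _serve(BrokerHandler)
    try:
        direct = fetch("127.0.0.1", up_port)
        via_broker = fetch("127.0.0.1", up_port, proxy_port=broker_port)
    finally:
        for s in (upstream, broker):
            s.shutdown()
            s.server_close()
    return direct, via_broker


if __name__ == "__main__":
    (s1, b1), (s2, b2) = run_demo()
    print(f"direct:     {s1} {b1}")
    print(f"via broker: {s2} {b2}")
```

Running it prints a 401 for the direct request and a 200 for the proxied one, mirroring the curl output above. The trust boundary is visible in the code: the password exists only in the proxy process, which is why, with the real broker, the broker's own access to the vault and the local socket it listens on are what must be protected rather than the application.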

Want to learn more? Check out our documentation for more information, like how to use Secretless Broker in your Kubernetes environment!