Set up a security backend for Linux
This page describes StackState version 4.2.
The StackState 4.2 version range is End of Life (EOL) and no longer supported. We encourage customers still running the 4.2 version range to upgrade to a more recent release.
This document explains the process of setting up a security backend on a Linux system. You can find more information in the Secrets Management section.
Security agent requirements
The Agent V2 runs the secret_backend_command
executable as a sub-process. On Linux, the executable set as secret_backend_command
is required to:
Belong to the same user running the Agent (or
root
inside a container).Have no rights for group or other.
Have at least exec rights for the owner.
How to use the executable API
The executable respects a simple API that reads JSON structures from the standard input, and outputs JSON containing the decrypted secrets to the standard output. If the exit code is anything other than 0, then the integration configuration that is being decrypted is considered faulty and is dropped.
Input
The executable receives a JSON payload from the standard input, containing the list of secrets to fetch:
version
: is a string containing the format version.secrets
: is a list of strings; each string is a handle from a configuration file corresponding to a secret to fetch.
Output
The executable is expected to output to the standard output a JSON payload containing the:
The expected payload is a JSON object, where each key is one of the handles requested in the input payload. The value for each handle is a JSON object with two fields:
value
: a string; the actual value that is used in the check configurationserror
: a string; the error message, if needed. If error is anything other than null, the integration configuration that uses this handle is considered erroneous and is dropped.
Example
The following is a dummy implementation of the secret reader that is prefixing every secret with decrypted_
:
Above example updates the following configuration (from the check file):
into this in the Agent's memory:
Troubleshooting secrets
Listing detected secrets
The secret
command in the Agent CLI shows any errors related to your setup. For example, if the rights on the executable are incorrect. It also lists all handles found, and where they are located.
On Linux, the command outputs file mode, owner and group for the executable. Example:
Checking configurations after secrets were injected
To quickly see how the check’s configurations are resolved, you can use the configcheck
command:
Note: The Agent needs to be restarted to pick up changes on configuration files.
Debugging secret_backend_command
secret_backend_command
To test or debug outside of the Agent, you can mimic how the Agent runs it:
The stackstate-agent user is created when you install the StackState Agent.
Last updated