RabbitMQ Dynamic Secrets
You can define a dynamic RabbitMQ secret to generate user credentials dynamically based on configured permissions.
When a client requests a dynamic secret value, the Akeyless Platform connects to the target RabbitMQ server through the Gateway and creates a new user.
Prerequisites
-
An Akeyless Gateway.
-
RabbitMQ privileged user.
Before creating a dynamic RabbitMQ secret, ensure that the RabbitMQ user has sufficient privileges to create users.
Create a Dynamic RabbitMQ Secret from the CLI
Note
We recommend using dynamic secrets with Targets. While it saves time for multiple secret-level configurations by not requiring you to provide an inline connection string each time, it is also important for security streamlining. Using a target allows you to rotate credentials without breaking the credential chain for the objects connected to the server used, using inline will force you to go and change the credentials in each individual item instead of just the target.
To create a dynamic RabbitMQ secret from the CLI using an existing RabbitMQ Target , run the following command:
akeyless dynamic-secret create rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--password-length 16
Or using an inline connection string:
akeyless dynamic-secret create akeyless dynamic-secret get-valuerabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-server-uri <RabbitMQ server URI> \
--rabbitmq-admin-user <RabbitMQ server admin> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Where:
-
name
: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash/
separators. If the folder does not exist, it will be created together with the dynamic secret. -
target-name
: A name of the target that enables connection to the RabbitMQ server. The name can include the path to the virtual folder where this target resides. -
gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
). -
rabbitmq-user-conf-permission
: User configuration permissions, for example:.*,queue-name
. -
rabbitmq-user-write-permission
: User write permissions, for example:.*,queue-name
. -
rabbitmq-user-read-permission
: User read permissions, for example:.*,queue-name
. -
password-length
: Optional The temporary user password length.
Inline connection string
If you don't have RabbitMQ Target yet, you can use the command with your RabbitMQ target server connection settings:
-
rabbitmq-server-uri
: URI of the RabbitMQ server. -
rabbitmq-admin-user
: Admin username for the RabbitMQ server. -
rabbitmq-admin-pwd
: Admin password for the RabbitMQ server.
You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.
Fetch a Dynamic RabbitMQ Secret value from the CLI
To fetch a dynamic RabbitMQ secret value from the CLI, run the following command:
akeyless dynamic-secret get-value --name <Path to your dynamic secret>
Create a Dynamic RabbitMQ Secret in the Akeyless Console
Note
To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.
To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.
-
Log in to the Akeyless Console, and go to Items > New > Dynamic Secret.
-
Select the RabbitMQ secret type and click Next.
-
Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash
/
separators. If the folder does not exist, it will be created together with the dynamic secret. -
Define the remaining parameters as follows:
-
Delete Protection: When enabled, protects the secret from accidental deletion.
-
Target mode: In this section, you can either select an existing RabbitMQ Target or specify details of the target RabbitMQ server explicitly.
-
Use the Choose an existing target drop-down list to select the existing RabbitMQ Target.
-
Select the Explicitly specify target properties to provide details of the target RabbitMQ server in the next step.
-
RabbitMQ distinguishes between configure
, write
, and read
operations on a resource. To perform an operation on a resource, the user must be granted the appropriate permissions for it. The RabbitMQ permissions reference outlines the relevant resources and operations.
-
User Configuration Permission: Enter the resources for which the
configure
operation can be performed when accessed using the relevant dynamic key. -
User Write Permission: Enter the resources for which the
write
operation can be performed when accessed using the relevant dynamic key. -
User Read Permission: Enter the resources for which the
read
operation can be performed when accessed using the relevant dynamic key. -
User Virtual Host: In RabbitMQ, user permissions are granted per virtual host. Bind the user to the specific virtual host (default “/”).
-
User Tags: Access to management UI in RabbitMQ can be controlled with user tags. Insert relevant user tags in a comma-separated list, including these tags: management, administrator, monitoring, policymaker.
-
User TTL: Provide a time-to-live value for a dynamic secret (i.e., a key). When TTL expires, the key becomes obsolete.
-
Temporary Password Length Set the length of the temporary password.
-
Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.
-
Gateway: Select the Gateway through which the dynamic secret will create users.
-
Protection key: To enable zero-Knowledge, select a key with a Customer Fragment. For more information about zero-Knowledge, see Implement Zero Knowledge
-
If you checked the Explicitly specify target properties option, click Next.
-
Provide details of the target RabbitMQ server:
-
Server URI: Enter the RabbitMQ server address.
-
Admin User: Enter your RabbitMQ admin credentials.
-
Admin Password: Enter your RabbitMQ admin credentials.
- Click Finish.
Fetch a Dynamic RabbitMQ Secret Value from the Akeyless Console
-
Log in to the Akeyless Console, and go to Items.
-
Browse to the folder where you created a dynamic secret.
-
Select the secret and click the Get Dynamic Secret button.
Updated 5 months ago