SPIRE Key Manager
Prerequisites
- Akeyless Gateway v3.35.0 or later
- An Authentication Method attached to a role with create and read permissions for Items, as well as Gateway Access Permission to manage Classic Keys.
Authentication
The following Authentication Methods can be used:
Note
In this guide, we will use an API Key Authentication Method for simplicity and we are only using Linux machines. For MacOS, please see the guide here.
Create a new API Key Authentication Method using the CLI:
akeyless create-auth-method --name /Dev/Spire-Server-Auth
Create an Access Role:
akeyless create-role --name /Dev/Spire-Server-Role
Associate your API Key Authentication Method to the Access Role that was created:
akeyless assoc-role-am --role-name /Dev/Spire-Server-Role \
--am-name /Dev/Spire-Server-Auth
Set read, create, list permissions for Secrets & Keys for the Access Role:
akeyless set-role-rule --role-name /Dev/Spire-Server-Role \
--path /SPIRE/Keys/'*' \
--capability read --capability create
Grant Access Permissions on the Gateway
Log into the console using a Gateway admin account, navigate to the Gateways tab, and choose the relevant Gateway.
Click on Access Permissions and click on New:
Give it a meaningful Name, choose the Auth Method, and click next.
Set the relevant permissions for this Auth Method:
- Admin - grant full permissions on the Gateway, or
- Custom - grant specific permissions for at least Classic Keys.
Configuration
Run the following command to download and unpack the pre-built spire-server and spire-agent executables and example configuration files into a spire-1.7.0 directory.
curl -s -N -L https://github.com/spiffe/spire/releases/download/v1.7.0/spire-1.7.0-linux-amd64-glibc.tar.gz | tar xz
Next, download the AkeylessKeyManager plugin for your architecture by running the matching command:
For amd64:
curl -o AkeylessKeyManager https://download.akeyless.io/Akeyless_Artifacts/Linux/spire/plugin/server/spire-kms-amd64-linux-v0.0.8
chmod +x AkeylessKeyManager
For arm64:
curl -o AkeylessKeyManager https://download.akeyless.io/Akeyless_Artifacts/Linux/spire/plugin/server/spire-kms-arm64-linux-v0.0.6
chmod +x AkeylessKeyManager
Validate the SHA256 CHECKSUM:
sha256sum AkeylessKeyManager
The sha256sum command computes a fixed-size 256-bit digest of the binary file. Record this value: it is the plugin_checksum you will enter in the server configuration below, and SPIRE Server compares the binary against it when loading the plugin, so a modified or wrong binary is rejected rather than executed.
Open your SPIRE Server conf file, which you will find in the spire directory you unpacked above at conf/server/server.conf, and edit the KeyManager plugin section as follows:
KeyManager "akeyless_kms" {
    plugin_cmd = "/path/to/plugin_cmd"
    plugin_checksum = "sha256 of the plugin binary"
    plugin_data {
        akeyless_gateway_url = "https://<Your-Akeyless-GW-URL:8081>"
        access_id = "<Your_Access_ID>"
        access_key = "<Your_Access_KEY>"
        key_metadata_file = "./key_metadata"
        target_folder = "/SPIRE/Keys/"
    }
}
Where:
- plugin_cmd - The location of the plugin binary downloaded above.
- plugin_checksum - The sha256 of the binary.
- akeyless_gateway_url - Akeyless Gateway URL, v2 API, default port 8081.
- access_id - The Auth Method Access ID.
- access_key - Optional, the Access Key. Relevant only for API Key.
- key_metadata_file - A file path where information about generated keys will be persisted.
- target_folder - The path inside Akeyless under which the generated KEY-ID items are stored, using the form /SPIRE/Keys/{TRUST_DOMAIN}/{SERVER_ID}/{KEY_ID}.
For K8s, GCP or AzureAD Auth Methods, set the following settings as well:
- k8s_auth_config_name - K8s Auth Config name as created under your Gateway.
- gcp_audience - The audience to verify the JWT received by the client. By default, akeyless.io.
- azure_object_id - Optional for Azure, the objectID.
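As an added example (not part of the Akeyless plugin or of SPIRE), the script below reproduces the pre-flight check a practitioner wants before restarting the server: it computes the plugin's SHA-256 the way sha256sum does, extracts plugin_cmd and plugin_checksum from the KeyManager "akeyless_kms" block, and reports whether they match. It assumes the block uses double-quoted HCL strings and that a relative plugin_cmd is resolved against the base_dir you pass in.

```python
import hashlib
import re
from pathlib import Path


def sha256_of_file(path):
    """Stream the file through SHA-256; yields the same hex digest sha256sum prints."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def keymanager_block(conf_text, name="akeyless_kms"):
    """Return the body of KeyManager "<name>" { ... }, honouring the nested plugin_data braces."""
    start = re.search(r'KeyManager\s+"%s"\s*\{' % re.escape(name), conf_text)
    if not start:
        raise ValueError("no KeyManager %r block found" % name)
    depth, i = 1, start.end()
    while depth and i < len(conf_text):
        depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces in KeyManager block")
    return conf_text[start.end():i - 1]


def plugin_settings(conf_text):
    """Pull (plugin_cmd, plugin_checksum) out of the block; checksum is normalised to lowercase."""
    body = keymanager_block(conf_text)
    cmd = re.search(r'plugin_cmd\s*=\s*"([^"]+)"', body)
    checksum = re.search(r'plugin_checksum\s*=\s*"([^"]*)"', body)
    if not (cmd and checksum):
        raise ValueError("plugin_cmd or plugin_checksum missing from KeyManager block")
    return cmd.group(1), checksum.group(1).lower()


def verify_plugin(conf_text, base_dir="."):
    """True only if plugin_checksum is a real 64-hex SHA-256 AND equals the binary's digest.

    A left-over placeholder such as "sha256 of the plugin binary" therefore never passes.
    base_dir (assumption) is where a relative plugin_cmd is resolved.
    """
    cmd, expected = plugin_settings(conf_text)
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False
    path = Path(cmd) if Path(cmd).is_absolute() else Path(base_dir) / cmd
    return sha256_of_file(path) == expected
```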
SPIRE Server Initialization
Info
Key Type
To set a key type for the SPIRE server, add the ca_key_type parameter inside the server section. For example, to use an RSA-2048 key, add:
ca_key_type = "rsa-2048"
The default key type is ec-p256.
To initialize the server, run the following command:
bin/spire-server run -config conf/server/server.conf &
With a successful server initialization, 2 Classic Keys will be created in your Akeyless account, and you can find them in the console in the SPIRE/Keys folder:
- JWT-Signer-A - Uses JSON Web Tokens (JWT) signed by an identity provider for authentication and authorization of clients.
- X509-CA-A - Relies on X.509 certificates issued by a trusted Certificate Authority.
Info
SPIFFE/SPIRE
For the full configuration steps, visit the official Quickstart for Linux and MacOS X guide