Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Managed identity authentication for azure keyvault #13

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ By default, FalconHound will look for the actions folder in the current director
```

#### Run with credentials from a keyvault
By default, FalconHound will use the credentials in the config.yml (or a custom loaded one). By setting the `-keyvault` flag FalconHound will get the keyvault from the config and retrieve all secrets from there. Should there be items missing in the keyvault it will fall back to the config file.
By default, FalconHound will use the credentials in the config.yml (or a custom loaded one). By setting the `-keyvault` flag FalconHound will get the keyvault from the config and retrieve all secrets from there. Should there be items missing in the keyvault it will fall back to the config file. Should you wish to grab the secrets from an azure keyvault using a managed identity, define the authtype variable as msi.

```bash
./falconhound -go -keyvault
Expand Down
2 changes: 1 addition & 1 deletion cmd/getcreds.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ func GetCreds(configFile string, keyvaultFlag bool) (theCreds internal.Credentia
tag := field.Tag.Get("config")
var value string
if keyvaultFlag {
value, err = GetSecretFromAzureKeyVault(viper.GetString("keyvault.uri"), field.Name)
value, err = GetSecretFromAzureKeyVault(viper.GetString("keyvault.uri"), field.Name, viper.GetString("keyvault.authType"))
if err != nil {
LogInfo("[!] %s not in keyvault, grabbing it from the config...", field.Name)
value = viper.GetString(tag)
Expand Down
11 changes: 9 additions & 2 deletions cmd/getkeyvaultsecrets.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,21 @@ import (
"fmt"
"log"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/spf13/viper"
)

func GetSecretFromAzureKeyVault(keyVaultName string, secretName string) (string, error) {
func GetSecretFromAzureKeyVault(keyVaultName string, secretName string, authtype string) (string, error) {
// Create a new DefaultAzureCredential
cred, err := azidentity.NewClientSecretCredential(viper.GetString("keyvault.tenantID"), viper.GetString("keyvault.appID"), viper.GetString("keyvault.appSecret"), nil)
var cred azcore.TokenCredential
var err error
if authtype == "msi" {
cred, err = azidentity.NewManagedIdentityCredential(nil)
} else {
cred, err = azidentity.NewClientSecretCredential(viper.GetString("keyvault.tenantID"), viper.GetString("keyvault.appID"), viper.GetString("keyvault.appSecret"), nil)
}
// cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("Failed to create the credentials: %v", err)
Expand Down
5 changes: 4 additions & 1 deletion config.yml-sample
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,16 @@
# This is optional, when used, FalconHound will pull the
# API keys from Keyvault instead of this file
# start with the -keyvault flag
# if authType is defined with MSI, then appID and appSecret can be omitted.
# if you wish to use client secret credentials, then defined appid, tenantID and appSecret
################################################
keyvault:
uri: https://XXXXXXXX.vault.azure.net/
tenantID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
appID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
appSecret: xxxxxxxxxxxxxx

authType: msi

################################################
# Add your Sentinel connection information here
################################################
Expand Down