IBM Cloud Docs
Protecting Secrets Manager resources with context-based restrictions

After you set up your IBM Cloud® Secrets Manager service instance, you can manage access by using context-based restrictions (CBR).

Managing CBR settings

With context-based restrictions, you can define and enforce user and service access restrictions to Secrets Manager resources based on specified criteria.

You can control Secrets Manager resources with context-based restrictions and identity and access management (IAM) policies. These resources include Virtual Private Cloud (VPC) references and Internet Protocol (IP) addresses that are linked to your Secrets Manager instance.

These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.

A user must have the Administrator role on the Secrets Manager service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the context-based restrictions service can add only network zones to a rule.

Any IBM Cloud Activity Tracker or audit log events that are generated come from the context-based restrictions service, not Secrets Manager. For more information, see Monitoring context-based restrictions.

To get started with protecting your Secrets Manager resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.

How Secrets Manager integrates with context-based restrictions

To restrict access, you must create zones and rules.

First, create a zone with the appropriate details for network or resource definitions. Then, attach that zone to the specified resource by creating a rule that restricts access. You can create zones and rules by using the RESTful API, the CLI, or the context-based restrictions console. After you create or update a zone or a rule, it might take a few minutes for the change to take effect.

CBR rules do not apply to provisioning or deprovisioning processes.

Limitations

When a user has instance-level IAM access, CBR rules that are applied to specific secret groups do not take effect. To work around this limitation, scope the user's IAM access policies to the secret groups only, rather than to the whole instance.

Context-based restrictions protect only the actions that are associated with the Secrets Manager API. Actions that are associated with the following platform APIs are not protected by context-based restrictions. Refer to the API docs for the specific action IDs.

Creating network zones

By creating network zones, you can define an allowlist of network locations where access requests originate to determine when a rule can be applied. The list of network locations can be specified by the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs
  • Service references, which allow access from other IBM Cloud services.

Make sure to add Secrets Manager to network zones for rules that target other IBM Cloud resources, or some operations in your workflow might fail.

If you created an IBM Cloud virtual server on classic infrastructure in your Virtual Private Cloud, the private IP address that you must use for the CBR rule is a Virtual Private Cloud gateway IP. Do not use the internal IP address for the virtual server on classic infrastructure. To find the gateway IP address, select the relevant IBM Cloud service endpoint source IP address in your Virtual Private Cloud Infrastructure.

Creating network zones by using the API

You can create network zones by using the create-zone command. For more information, see the API docs. You can add Secrets Manager to network zones as a service reference to allow Secrets Manager to access resources and services in your account that are the subject of a rule.

The serviceRef attribute for Secrets Manager is secrets-manager.

You can determine which services are available by checking for reference targets.

Example payload to add Secrets Manager to a network zone.

{
  "name": "Example zone 1",
  "description": "",
  "addresses": [
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "secrets-manager",
        "account_id": "ACCOUNT-ID"
      }
    }
  ]
}

Example payload to add multiple services, IP addresses, and VPCs to a network zone.

{
  "name": "zone",
  "description": "",
  "addresses": [
    {
      "type": "ipAddress",
      "value": "192.168.0.0"
    },
    {
      "type": "vpc",
      "value": "crn:v1:bluemix:public:is:us-east:a/CRN"
    },
    {
      "type": "vpc",
      "value": "crn:v1:bluemix:public:is:us-south:a/CRN"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "cloud-object-storage",
        "account_id": "ACCOUNT-ID"
      }
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "codeengine",
        "account_id": "ACCOUNT-ID"
      }
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "containers-kubernetes",
        "account_id": "ACCOUNT-ID"
      }
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_type": "platform_service",
        "account_id": "ACCOUNT-ID"
      }
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "iam-groups",
        "account_id": "ACCOUNT-ID"
      }
    }
  ],
  "excluded": []
}
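
The following is an added example, not IBM's own code or tooling: it assembles the same address-entry shapes that the payloads above show ("ipAddress", "vpc", "serviceRef") into a zone body and validates each entry before it is sent to the CBR API. The "subnet" and "ipRange" address types are taken from the CBR API rather than from this page, so treat them as an assumption; ACCOUNT-ID and the VPC CRN are placeholders, as on the page. The has_secrets_manager_ref check follows the note above that zones used by rules targeting other IBM Cloud resources must include Secrets Manager, or operations in your workflow can fail.

```python
"""Build and validate a CBR network-zone payload (added example, not IBM code)."""
import ipaddress
import json

# serviceRef service_name for Secrets Manager, as given on the page
SECRETS_MANAGER_SERVICE_NAME = "secrets-manager"


def ip_address(value):
    """Single IPv4/IPv6 address entry ("type": "ipAddress", as on the page)."""
    return {"type": "ipAddress", "value": str(ipaddress.ip_address(value))}


def subnet(cidr):
    """CIDR entry. Assumption: the CBR API's "subnet" address type.
    strict=True rejects a CIDR whose host bits are set (e.g. 10.0.0.1/8),
    which is usually a typo that would silently widen the allowlist."""
    return {"type": "subnet", "value": str(ipaddress.ip_network(cidr, strict=True))}


def ip_range(start, end):
    """Inclusive range entry. Assumption: the CBR API's "ipRange" type, value "start-end"."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range {start}-{end}")
    return {"type": "ipRange", "value": f"{lo}-{hi}"}


def vpc(crn):
    """VPC entry; the page shows crn:v1:bluemix:public:is:<region>:a/... values."""
    if not crn.startswith("crn:v1:bluemix:public:is:"):
        raise ValueError(f"not a VPC CRN: {crn}")
    return {"type": "vpc", "value": crn}


def service_ref(service_name, account_id):
    """Service reference entry, the shape the page uses for secrets-manager."""
    return {"type": "serviceRef", "ref": {"service_name": service_name, "account_id": account_id}}


def build_zone(name, addresses, description="", excluded=()):
    """Zone body in the page's layout; duplicates are dropped, empty zones rejected."""
    if not name.strip():
        raise ValueError("zone name is required")
    if not addresses:
        raise ValueError("a zone needs at least one address")
    unique = []
    for entry in addresses:
        if entry not in unique:
            unique.append(entry)
    return {"name": name, "description": description, "addresses": unique, "excluded": list(excluded)}


def has_secrets_manager_ref(zone, account_id):
    """True if the zone lets Secrets Manager in this account reach the protected resources."""
    return any(
        entry["type"] == "serviceRef"
        and entry["ref"].get("service_name") == SECRETS_MANAGER_SERVICE_NAME
        and entry["ref"].get("account_id") == account_id
        for entry in zone["addresses"]
    )


def example_zone():
    """Constructed sample: one subnet, one VPC, the Secrets Manager reference (twice, to show dedup)."""
    return build_zone(
        "Example zone 1",
        [
            subnet("192.168.0.0/16"),
            vpc("crn:v1:bluemix:public:is:us-east:a/CRN"),
            service_ref(SECRETS_MANAGER_SERVICE_NAME, "ACCOUNT-ID"),
            service_ref(SECRETS_MANAGER_SERVICE_NAME, "ACCOUNT-ID"),
        ],
        description="Allowlist for the example instance",
    )


if __name__ == "__main__":
    zone = example_zone()
    if not has_secrets_manager_ref(zone, "ACCOUNT-ID"):
        raise SystemExit("zone is missing the secrets-manager service reference")
    print(json.dumps(zone, indent=2))  # request body for the CBR create-zone call
```

The strict CIDR check is the part worth keeping in any tooling of your own: a zone is an allowlist, so a malformed entry fails in the permissive direction.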

After you create zones, you can update or delete them.

Creating network zones by using the UI

After you set the prerequisites and requirements, you can create zones in the UI. For more information, see Creating context-based restrictions.

  1. Determine the resources that you want to add to your allowlist.
  2. Follow the steps to create context-based restrictions in the console. Add the Secrets Manager service to your network zones to allow IBM Cloud® Secrets Manager to access services and resources in your account.

After you create zones, you can also update and delete them.

Creating network zones by using the CLI

You can use the cbr-zone-create command to add network locations, VPCs, and service references to network zones. For more information, see the CBR CLI reference. Add Secrets Manager to network zones as a service reference to allow Secrets Manager to access resources and services in your account that are the subject of a rule.

  1. To create network zones from the CLI, install the CBR CLI plug-in.
  2. Use the cbr-zone-create command to add resources to network zones. For more information, see the CBR CLI reference. Note that the service_name for Secrets Manager is secrets-manager.

To find a list of available service references, run the ibmcloud cbr service-ref-targets command.

Example command to add the secrets-manager service to a network zone.

ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=secrets-manager

Understanding rules

After you create your zones, you can attach the zones to your network resources by creating rules. When you add resources to a rule, you can choose from the available types of endpoints that are specific to your network topology.

Create rules by using the API

You can define rules with the API by using the information that you collected from creating network zones.

Review the following example to learn how to create rules for Secrets Manager. For more information, see the API docs.

The following example payload creates a rule that protects the CLUSTER-ID cluster. Only resources in the NETWORK-ZONE-ID zone can access the cluster. Given that no operations are specified, resources in the NETWORK-ZONE-ID zone can access both the cluster and management APIs.

{
  "description": "Example rule 1",
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT-ID"
        },
        {
          "name": "serviceName",
          "value": "secrets-manager"
        },
        {
          "name": "serviceInstance",
          "value": "CLUSTER-ID"
        }
      ]
    }
  ],
  "contexts": [
    {
      "attributes": [
        {
          "name": "networkZoneId",
          "value": "NETWORK-ZONE-ID"
        },
        {
          "name": "endpointType",
          "value": "private"
        }
      ]
    }
  ]
}
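
The following is an added example, not IBM's code: it builds a rule body with the same resource and context attributes as the payload above (accountId, serviceName, serviceInstance; networkZoneId, endpointType) and then runs a set of constructed request contexts against it offline, so that a zone or rule change can be reviewed before it is applied. The evaluation is a simplified local model of CBR (a request passes when it satisfies every attribute of at least one context, and a zone matches when any address entry matches and no excluded entry does); real enforcement is done by the IBM Cloud platform with more context than this. INSTANCE-ID, NETWORK-ZONE-ID, ACCOUNT-ID and the sample addresses are placeholders.

```python
"""Build a CBR rule for a Secrets Manager instance and pre-check it offline (added example, not IBM code)."""
import ipaddress


def build_rule(account_id, instance_id, zone_ids, endpoint_type=None, description=""):
    """Rule payload in the page's layout, one context per zone.
    endpoint_type None means any endpoint type, like the page's example in
    which no operations are specified."""
    contexts = []
    for zone_id in zone_ids:
        attributes = [{"name": "networkZoneId", "value": zone_id}]
        if endpoint_type is not None:
            attributes.append({"name": "endpointType", "value": endpoint_type})
        contexts.append({"attributes": attributes})
    return {
        "description": description,
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "secrets-manager"},
            {"name": "serviceInstance", "value": instance_id},
        ]}],
        "contexts": contexts,
    }


def address_matches(entry, request):
    """One zone address entry against a request's origin (simplified model)."""
    kind = entry["type"]
    ip = ipaddress.ip_address(request["ip"]) if request.get("ip") else None
    if kind == "ipAddress":
        return ip is not None and ip == ipaddress.ip_address(entry["value"])
    if kind == "subnet":
        return ip is not None and ip in ipaddress.ip_network(entry["value"], strict=False)
    if kind == "ipRange":
        lo, hi = (ipaddress.ip_address(p) for p in entry["value"].split("-"))
        return ip is not None and ip.version == lo.version and lo <= ip <= hi
    if kind == "vpc":
        return request.get("vpc") == entry["value"]
    if kind == "serviceRef":
        return request.get("service") == entry["ref"].get("service_name")
    return False


def zone_allows(zone, request):
    """Allowed if any address entry matches and no excluded entry matches."""
    if any(address_matches(e, request) for e in zone.get("excluded", [])):
        return False
    return any(address_matches(e, request) for e in zone["addresses"])


def rule_allows(rule, zones, request):
    """A request passes if it satisfies every attribute of at least one context."""
    for context in rule["contexts"]:
        attrs = {a["name"]: a["value"] for a in context["attributes"]}
        wanted_endpoint = attrs.get("endpointType")
        if wanted_endpoint is not None and wanted_endpoint != request.get("endpoint"):
            continue
        if zone_allows(zones[attrs["networkZoneId"]], request):
            return True
    return False


# Constructed sample data; IDs and addresses are placeholders.
ZONES = {
    "NETWORK-ZONE-ID": {
        "name": "Example zone 1",
        "addresses": [
            {"type": "subnet", "value": "203.0.113.0/24"},
            {"type": "serviceRef", "ref": {"service_name": "codeengine", "account_id": "ACCOUNT-ID"}},
        ],
        "excluded": [{"type": "ipAddress", "value": "203.0.113.250"}],
    }
}
RULE = build_rule("ACCOUNT-ID", "INSTANCE-ID", ["NETWORK-ZONE-ID"], endpoint_type="private")

# Request contexts to check before the rule is applied, with the expected outcome.
PREFLIGHT = [
    ({"ip": "203.0.113.7", "endpoint": "private"}, True),      # in-zone, private endpoint
    ({"ip": "203.0.113.7", "endpoint": "public"}, False),      # wrong endpoint type
    ({"ip": "203.0.113.250", "endpoint": "private"}, False),   # explicitly excluded address
    ({"ip": "198.51.100.5", "endpoint": "private"}, False),    # outside the zone
    ({"service": "codeengine", "endpoint": "private"}, True),  # allowed service reference
]


def run_preflight(rule=RULE, zones=ZONES, cases=PREFLIGHT):
    """Returns the cases whose modelled outcome differs from what was expected."""
    return [(req, want) for req, want in cases if rule_allows(rule, zones, req) != want]


if __name__ == "__main__":
    mismatches = run_preflight()
    print("all preflight cases passed" if not mismatches else f"mismatches: {mismatches}")
```

Keep the expected-outcome list under version control next to the zone and rule definitions; a change that flips a case from allowed to denied is exactly the availability regression the Next steps section warns about.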

After you create rules, you can update and delete them.

Creating rules by using the UI

After you set the prerequisites and requirements, you can create rules in the UI.

  1. Determine the resources that you want to add to your allowlist.
  2. Follow the steps to create context-based restrictions in the console. Add the Secrets Manager service to your network zones to allow IBM Cloud® Secrets Manager to access services and resources in your account.

After you create rules, you can update and delete them.

Create rules by using the CLI

Review the following examples to learn how to create rules for Secrets Manager. For more information, see the CBR CLI reference.

  1. To create rules from the CLI, install the CBR CLI plug-in.
  2. You can use the ibmcloud cbr rule-create command to create CBR rules. For more information, see the CBR CLI reference. Note that the service_name for Secrets Manager is secrets-manager. To find a list of service names, run the ibmcloud cbr service-ref-targets command. To find a list of API types for a service, run the ibmcloud cbr api-types --service-name SERVICE command.

Example command to create a rule that uses the addresses key, the cluster API type, and the ipAddress type.

ibmcloud cbr rule-create my-rule-1 --service-name secrets-manager --api-type crn:v1:bluemix:public:secrets-manager::::api-type:cluster --zone-id ZONE-ID

The following command creates a rule that protects the CLUSTER-ID cluster. Only resources in the NETWORK-ZONE-ID network zone can access the cluster. This rule includes both the cluster and management API types.

ibmcloud cbr rule-create my-rule-2 --service-name secrets-manager --service-instance CLUSTER-ID --zone-id NETWORK-ZONE-ID

Next steps

You must follow the creation or modification of zones or rules with adequate testing to ensure access and availability.

Users who attempt to access your resources outside of the defined zones receive HTTP error 401 when the appropriate rules are not established.