Generic interface to Password Vault
We have a heterogenuous environment with multiple password stores that we want to consolidate with a common PAM solution. RDM and other tools shall be integrated in the PAM solution on jump hosts. Password stores are on different systems, such as Wallix Bastion, HSM, Azure Vault, LastPass and others, which cannot be easily replaced by a single system. We plan to use a proxy that will require users to authenticate with an IDP, and provide an API to retrieve the secret in a secure way to RDM.
To avoid re-inventing the wheel OAuth2 could help. The flow would go like this:
- RDM would launch an authorization flow/PKCE using the system browser
- The proxy will require the user to authenticate to the IDP if there is no active session
- The proxy will return the access token to the redirect-URL of RDM
- RDM will take back control by closing the system browser window
- RDP will retrieve the secret using the access token from the API endpoint of the proxy, like GET <proxy>/<domain>/<account>/secrettype
- The domain can be Wallix, HSM, Azure Vault, LastPass etc. How this is best mapped in RDM is not clear to me. Possibly it can be the responsibility of the proxy, if it can derive the domain from account and target host.
- Secrettype would be password or SSH key
Does this approach make sense to you?
All Comments (2)
Hello,
Perhaps you could take a look at the "Custom credential" entry? It allows you to write a powershell script to fetch credentials, so assuming you're able to achieve what you want with Powershell, it should be possible to do the same within RDM.
Regards,
Hubert Mireault
This should be possible. I need to do a test implementation to check if it feasible. OAuth should be easy, but I am not sure how smooth it is to start the system browser and take back control when the response is redirected.