confidant
6.5.6-0bdd43
Basics
Installation
Quickstart for testing
Docker installation
To run confidant in Docker
To build the image
pip installation
Make a virtualenv and install pip requirements
Manual installation
Clone Confidant
Make a virtualenv and install pip requirements
Build the frontend
Run confidant
Configuration
Docker vs bash
Environment configuration
gunicorn configuration for SSL termination support
Google authentication configuration
SAML authentication configuration
User authentication session settings
Disabling credential conflict checks
statsd metrics
Sending graphite events
Google authentication user restrictions
Auth token lifetime
Frontend configuration
Development and testing settings
Bootstrapping Confidant’s own secrets
Multi-account authentication
KMS authentication for end-users
KMS grant management
Confidant client configuration
Maintenance mode settings
Confidant performance settings
Certificate Authority settings
Settings for local development
KMS key policy configuration
Confidant IAM role configuration
Confidant DynamoDB table configuration
Managing secrets and mappings
Using the resources view
Creating secrets
Mapping secrets to services
Finding credentials and services in the sidebar
Using the history view
Using the Confidant client
Installation
Configuration
Usage
Reformatting get_service output
Advanced
API
API route documentation
Access Controls (ACLs)
Design
ACL Hookpoints
Credentials
List credentials
Get credential metadata
Get credential
Create credential
Update credential
Revert credential
Services
List services
Get service metadata
Get service
Create service
Update service
Revert service
Server-blinded secrets
What are server-blinded secrets?
KMS keys and IAM policy examples for server-blinded secrets
Creating and updating server-blinded secrets using the confidant client
KMS authentication
Service-to-service authentication
IAM policy configuration for service-to-service auth
Passing encrypted data between services
User-to-service authentication
Multi-account KMS authentication
Threat model
Web client threat model
Assumptions
What an authenticated user can achieve
What compromise of an authenticated user’s computer can achieve
What an unauthenticated local network attacker who can observe network traffic can achieve
What an unauthenticated attacker from the Internet can achieve
Web server threat model
Assumptions
What an attacker can achieve through compromise of the Confidant web server
Service client threat model
Assumptions
What the service can achieve
What an attacker can achieve with a filesystem read vulnerability
Storage threat model
Assumptions
What an attacker with DynamoDB access can achieve
Contributing
Code of conduct
Contributing code
Sign the Contributor License Agreement (CLA)
File issues in Github
Submit pull requests
Development guide
Starting confidant
Running tests
DynamoDB Data Schema
At-rest encryption model
Maintenance
Permanantly archiving disabled credentials to a separate DynamoDB table
Restoring archived credentials back into the primary DynamoDB table
Upgrading
Upgrading to 2.0.0 or 3.0.0
Performing the data migration
Upgrading to 4.0.0
Peforming the data migration for 4.0.0
Changelog
6.4.0
6.3.0
6.2.0
6.1.0
6.0.0
5.2.0
5.1.0
5.0.1
5.0.0
4.4.0
4.3.1
4.3.0
4.2.0
4.1.0
4.0.0
3.0.0
2.0.1
2.0.0
1.11.0
1.10.1
1.10.0
1.9.0
1.8.0
1.7.0
1.6.0
1.5.1
1.5.0
1.4.0
1.3.0
1.2.0
1.1.21
1.1.20
1.1.19
1.1.16 - 1.1.18
1.1.15
1.1.14
1.1.13
Communication
Support
Reporting security vulnerabilities
confidant
Docs
»
dev_wsgi module
View page source
dev_wsgi module
¶