Secure the Octopus Deploy API Keys with Runbooks and Azure KeyVault
Octopus Deploy is one of the most powerful Continuous Delivery and DevOps tools. Using Octopus, we can create a release and deploy a package following a given lifecycle. But we tend to forget the Ops side of DevOps. The Octopus team thought about it and released “Operations Runbooks”.
As I saw in an Octopus Deploy webinar, Ops people are familiar with runbooks, which are a kind of black-box magic: “Do you have a problem? No problem, click on this button, resolved!”
Runbooks are usually related to emergency tasks (I lost my production database, how can I get it back as soon as possible?). They may also be useful for infrastructure provisioning or, as I will show in this post, for securing the API key used by Octopus Deploy.
- I can use a deployment pipeline on Octopus instead of runbooks!
Yes, you can, but let me give you a use case that shows the importance of runbooks. Let’s assume that you have a Key Vault where you store secrets and keys. They may expire, and sometimes you may forget to update them, which turns a simple key update into an emergency.
What do you prefer: creating a release in a “deployment” pipeline (where you only update the keys and deploy nothing), or having a more logical object called a runbook that you just click on to run?
Use Case: Secure the API Keys using Azure Key Vault
As you know, Octopus Deploy uses API keys to access the REST API and perform tasks such as updating variables, creating releases or uploading packages. Talking security:
- API keys should be well protected (otherwise anyone holding one can manage Octopus Deploy);
- API keys must be regenerated from time to time, and we should not manually update them inside deployment/management scripts;
- API keys must be generated automatically instead of through the Octopus Deploy portal;
- The big challenge these days is to stay compliant with security requirements. As Wilfried Woivré said: “In business, security is a key point. It is not possible to design an application without any notion of security, whether this application is hosted on-premise or in the Cloud (preferably Azure)”.
Below is an overview of the architecture you may implement to secure and unify the Octopus Deploy API keys:
To implement this architecture I will need an Azure Key Vault and an Octopus Deploy service account, and I will use Octopus Deploy Runbooks instead of a deployment, since this may be an emergency task and, after all, it is more an Ops task than a Dev one!
First we have to be able to create an API key automatically. Is this even possible? Yes, it is.
You need the libraries :
And you need the following script :
Since we won’t use an API key here, we authenticate with an account instead (that’s why I said we need a service or admin account).
Then you need a script to set a secret inside a given Key Vault :
All you need now is to create an Octopus Deploy Runbook:
Create two steps, the first one to generate the API key, the second one to push it to the Azure Key Vault:
Which gives:
Checking Azure :
Didn’t I forget something? Cleaning up the old generated keys (there should be only one anyway).
You may use the following script:
Reorder your steps like this:
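The three runbook steps above, written as one added PowerShell example (not the post’s own scripts). It assumes Octopus.Client.dll is available on the worker, that the step runs as an Azure script step that is already signed in to Azure, and that the service-account credentials and vault name come from Octopus variables with the hypothetical names shown.

```powershell
# Added example, not the post's scripts. Variable names other than
# Octopus.Web.ServerUri and Octopus.Runbook.Name are hypothetical.
$octopusUrl = $OctopusParameters["Octopus.Web.ServerUri"]
$username   = $OctopusParameters["ServiceAccount.Username"]
$password   = $OctopusParameters["ServiceAccount.Password"]   # sensitive variable
$vaultName  = $OctopusParameters["KeyVault.Name"]
$secretName = "octopus-api-key"
$purpose    = "Rotated by runbook $($OctopusParameters['Octopus.Runbook.Name']) on $(Get-Date -Format u)"

# Assumed path of the Octopus.Client library on the worker.
Add-Type -Path "C:\Octopus\Tools\Octopus.Client.dll"

$endpoint   = New-Object Octopus.Client.OctopusServerEndpoint($octopusUrl)
$repository = New-Object Octopus.Client.OctopusRepository($endpoint)

# Sign in with the service account: no pre-existing API key is needed to mint a new one.
$login = New-Object Octopus.Client.Model.LoginCommand
$login.Username = $username
$login.Password = $password
$repository.Users.SignIn($login)
$me = $repository.Users.GetCurrent()

# Step 1: generate a fresh key. Its plain-text value is returned only at creation time,
# so it is written straight to Key Vault and never logged.
$newKey = $repository.Users.CreateApiKey($me, $purpose)

# Step 2: store it in Key Vault (the Azure script step has already authenticated).
$secure = ConvertTo-SecureString -String $newKey.ApiKey -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null

# Step 3: revoke every other key on the service account, so the one in Key Vault is the only
# valid key and a leaked older key stops working immediately.
foreach ($key in $repository.Users.GetApiKeys($me)) {
    if ($key.Id -ne $newKey.Id) {
        Write-Host "Revoking old API key $($key.Id) ($($key.Purpose))"
        $repository.Users.RevokeApiKey($key)
    }
}
```

Scripts that consume the key then read it with Get-AzKeyVaultSecret at run time, so the rotation needs no edits to those scripts.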
Now, instead of using API keys directly in your scripts, you can fetch the API key from Azure Key Vault and import it into your script securely!
Bella ciao,