Secure property store for cloud applications

Quick Start


This is a quick start guide for application developers who want to use the Cerberus service. This guide assumes a Cerberus environment has been set up as described in the Administration guide.

Cerberus is a complete solution to manage anything that you want to tightly control access to, such as API keys, passwords, certificates, etc. By the end of this document you will be able to provision a safe deposit box (SDB), set the correct permissions, and integrate a Cerberus client library to access data from your application. A safe deposit box (SDB) is a logical grouping of data with a single set of access controls.

1. Configure your Service’s IAM Role

The EC2 instance must be assigned an IAM role that has been given permissions to at least one safe deposit box (SDB) in Cerberus. The IAM role to be assigned must contain, at a minimum, an IAM policy statement giving access to call the KMS Decrypt action (kms:Decrypt).

  1. Log in to the AWS console
  2. Navigate to the Identity and Access Management section
  3. Configure a role with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKmsDecrypt",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:*:[Cerberus AWS Account ID]:key/*"
            ]
        }
    ]
}

The account ID in the ARN should be the account ID where Cerberus is deployed. See your company’s internal documentation for the account ID that you should use.
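Before attaching the role, it is worth checking that the policy grants exactly what the guide asks for and nothing broader. The following is an added example (not part of the Cerberus project or this guide) that parses a policy document and reports whether an Allow statement grants kms:Decrypt on KMS key ARNs scoped to the Cerberus account; the account ID and the policy below are constructed placeholders.

```python
import json
import re

# Constructed sample: the policy from the guide with a placeholder Cerberus account ID filled in.
CERBERUS_ACCOUNT_ID = "111111111111"  # placeholder, not a real account
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKmsDecrypt",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [f"arn:aws:kms:*:{CERBERUS_ACCOUNT_ID}:key/*"],
        }
    ],
})

# A KMS key ARN: region may be a wildcard, the account is 12 digits, the resource is a key.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:(\*|[a-z0-9-]+):(\d{12}):key/.+$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_kms_decrypt_policy(policy_json, cerberus_account_id):
    """Return a list of findings; an empty list means the policy matches the guide.

    Verifies that some Allow statement grants kms:Decrypt and that its resources are
    KMS key ARNs in the Cerberus account, flagging wildcards that are broader than needed.
    """
    findings = []
    policy = json.loads(policy_json)
    grants_decrypt = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        # "kms:*" or "*" also cover Decrypt, but grant far more than the guide requires.
        if not any(a in ("kms:Decrypt", "kms:*", "*") for a in actions):
            continue
        grants_decrypt = True
        if "kms:Decrypt" not in actions:
            findings.append(f"{sid}: action wildcard is broader than kms:Decrypt")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' allows Decrypt with any key in any account")
                continue
            m = KMS_KEY_ARN.match(resource)
            if not m:
                findings.append(f"{sid}: resource is not a KMS key ARN: {resource}")
            elif m.group(2) != cerberus_account_id:
                findings.append(f"{sid}: key ARN is in account {m.group(2)}, expected {cerberus_account_id}")
    if not grants_decrypt:
        findings.append("no Allow statement grants kms:Decrypt")
    return findings


if __name__ == "__main__":
    print(check_kms_decrypt_policy(SAMPLE_POLICY, CERBERUS_ACCOUNT_ID))  # []
```

Feed it the policy document you actually attached (for example the output of an IAM get-policy-version call); anything other than an empty list is either a missing grant or a grant wider than the single Decrypt permission Cerberus needs.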

2. Create a Safe Deposit Box

  1. Log in to the Cerberus dashboard with your credentials.
  2. In the left navigation bar, click the ‘+’ button next to the Applications section.
  3. Enter a friendly name for your SDB. If your app is ‘myawesomeapp’, go with ‘My Awesome App’.
  4. The owner field is the LDAP group that will have ownership for this SDB. You can select one of the LDAP groups you are currently a member of.
  5. Under ‘User Group Permissions’ you can give additional LDAP groups you are a member of read or write access to the SDB.
  6. Under ‘IAM Role Permissions’ you provide the AWS account id and role name that will have either read or write access to the SDB.
  7. Click the ‘SUBMIT’ button

Cerberus Dashboard new SDB screenshot

3. Manage Data in your Safe Deposit Box

Data is stored using a path structure. Note that the application name is normalized to be URL friendly. So, if you had ‘My Awesome App’ in the Applications category your root path will be ‘applications/my-awesome-app’. From there you can add sub-paths to store key value pairs.

Cerberus will allow an SDB to contain a folder structure with many subpaths, but for most applications a single path with a list of several key/value pairs is optimal (that way all values can be read later with a single API call).

How to add a subpath:

  1. Click the ‘Add new path’ button.
  2. Enter a subpath name
  3. Add the key/value pairs that you’d like to store at that subpath.
  4. Click ‘SAVE’
  5. The page will refresh and you’ll be able to add more subpaths or edit the subpath you just added.

Cerberus Dashboard add new path screenshot
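The path layout described above (category, normalized SDB name, then subpath) is easy to get wrong when building paths in application code. The following is an added example, not code from the Cerberus project or this guide, that derives the root path from a friendly name and validates a subpath before appending it. The guide shows only that 'My Awesome App' becomes 'my-awesome-app'; the exact normalization rule used here (lowercase, runs of non-alphanumerics collapsed to a hyphen) is an assumption generalized from that one example.

```python
import re

# Assumed normalization rule, inferred from the guide's single example
# 'My Awesome App' -> 'my-awesome-app': lowercase, collapse anything that is
# not a letter or digit into a single hyphen, and trim hyphens at the ends.
def normalize_sdb_name(friendly_name):
    slug = re.sub(r"[^a-z0-9]+", "-", friendly_name.strip().lower())
    return slug.strip("-")


def sdb_root_path(category, friendly_name):
    """Root path of an SDB, e.g. ('Applications', 'My Awesome App') -> 'applications/my-awesome-app'."""
    return f"{normalize_sdb_name(category)}/{normalize_sdb_name(friendly_name)}"


# One URL-safe path segment; '.' and '..' are rejected separately below.
SUBPATH_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def subpath_segments(subpath):
    """Split a subpath into segments, or raise ValueError if it is empty or malformed."""
    segments = [s for s in subpath.strip("/").split("/") if s]
    if not segments:
        raise ValueError("subpath must not be empty")
    for seg in segments:
        if seg in (".", "..") or not SUBPATH_SEGMENT.match(seg):
            raise ValueError(f"invalid subpath segment: {seg!r}")
    return segments


def is_valid_subpath(subpath):
    try:
        subpath_segments(subpath)
        return True
    except ValueError:
        return False


def secret_path(category, friendly_name, subpath):
    """Full path to read or write: '<category>/<sdb-slug>/<subpath>', subpath validated."""
    return sdb_root_path(category, friendly_name) + "/" + "/".join(subpath_segments(subpath))


if __name__ == "__main__":
    # 'config' is a constructed subpath name for illustration.
    print(secret_path("Applications", "My Awesome App", "config"))
    # applications/my-awesome-app/config
```

Keeping every value your service needs under one subpath such as the constructed 'config' above is what lets the application read them with a single call, as the guide recommends.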

4. Access Your Secrets with Cerberus

Use one of the clients:

Don’t see your desired client? Cerberus has a REST API. You can contribute a new client or use the REST API directly.

Local Development

Updated guide incoming.

Verifying Your Identity

A common problem encountered during setup is that a different IAM role is in effect than the one the developer expects.

See Who am I? for more information.
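A quick way to catch this is to compare the identity your credentials actually resolve to against the account ID and role name you entered under 'IAM Role Permissions'. The following is an added example, not part of the Cerberus project or this guide: it parses the caller ARN that STS GetCallerIdentity returns (in boto3, sts.get_caller_identity()["Arn"]) and explains any mismatch. The ARN, account ID and role name below are constructed placeholders.

```python
import re

# ARN shapes returned by STS GetCallerIdentity:
#   arn:aws:sts::123456789012:assumed-role/<RoleName>/<SessionName>  (instance profile or assumed role)
#   arn:aws:iam::123456789012:role/<RoleName>
#   arn:aws:iam::123456789012:user/<UserName>                         (long-lived user credentials)
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")
IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/([^/]+)$")
ANY_IAM = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def identity_from_arn(arn):
    """Return (account_id, role_name); role_name is None when the identity is not a role."""
    m = ASSUMED_ROLE.match(arn) or IAM_ROLE.match(arn)
    if m:
        return m.group(1), m.group(2)
    m = ANY_IAM.match(arn)
    return (m.group(1) if m else None), None


def explain_mismatch(actual_arn, expected_account, expected_role):
    """Compare the identity in effect with the account/role granted on the SDB.

    Returns an empty string when they match, otherwise a one-line explanation.
    """
    account, role = identity_from_arn(actual_arn)
    if role is None:
        return f"credentials are not a role ({actual_arn}); SDB IAM permissions are granted to roles"
    if account != expected_account:
        return f"role {role} is in account {account}, but the SDB grants account {expected_account}"
    if role != expected_role:
        return f"role in effect is {role}, but the SDB grants role {expected_role}"
    return ""


# Constructed sample values (placeholder account, role and instance id).
SAMPLE_ARN = "arn:aws:sts::123456789012:assumed-role/my-awesome-app-role/i-0123456789abcdef0"

if __name__ == "__main__":
    problem = explain_mismatch(SAMPLE_ARN, "123456789012", "my-awesome-app-role")
    print(problem or "identity matches the SDB grant")
```

On an instance, replace SAMPLE_ARN with the value from sts.get_caller_identity()["Arn"] (or `aws sts get-caller-identity --query Arn --output text`); a non-empty result points at the mismatch to fix before looking further into Cerberus itself.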