|
Tiexin GuoOS Developer @Ubuntu CNCF ambassador | LinkedIn |
In my previous blogs, I have covered how to handle secrets in Helm and Jupyter notebooks. If you haven't read them yet, here are the links:
They are part of the "How to Handle Secrets" series, and there are more:
To complete the list, today, let's examine how to handle secrets in another popular programming language: Golang.
According to the TIOBE Index, Go has grown from No.17 in 2019 to No.9 in 2024, and it constantly ranks in the top 10 this year. Plus, Go is a first-class citizen in the cloud-native ecosystem: Kubernetes, Helm, and many other things are written in Go, which means that Go can smoothly interact with their APIs, making it an ideal choice for developing cloud-native tooling or applications running in a cloud environment.
As Go's popularity grows, it's becoming increasingly important to handle secrets properly. So, next, let's examine different ways of handling secrets in Go and some recommendations and best practices.
Like many other programming languages, the simplest method to read secrets is from an ENV file. You can do this with the godotenv
package (ported From Ruby's dotenv
lib):
First, let's create a project:
mkdir test && cd test
go mod init github.com/ironcore864/test
Then, create a .env
file containing fake secrets for demo purposes:
cat > .env<< EOF
S3_BUCKET=YOURS3BUCKET
SECRET_KEY=YOURSECRETKEYGOESHERE
EOF
Next, create the main source code file main.go
, and use godotenv
to read the key-value pairs from .env
:
package main
import (
"fmt"
"log"
"os"
"github.com/joho/godotenv"
)
func main() {
err := godotenv.Load()
if err != nil {
log.Fatal("Error loading .env file")
}
s3Bucket := os.Getenv("S3_BUCKET")
secretKey := os.Getenv("SECRET_KEY")
// now do something with s3 or whatever
fmt.Println(s3Bucket)
fmt.Println(secretKey)
}
Install dependencies and run it:
go mod tidy
go run main.go
As you can see, it's simple and intuitive: just one line of code (godotenv.Load()
) and then you can treat the secrets like environment variables as if they were in there. But beware!
Although it's simple, this approach is not recommended in the modern cloud-native world (we only start with this method for the sake of completeness). Here's why:
In many cases, one of the main reasons to choose Go, besides its popularity, is that it is extremely suitable for containerized apps. As Go is a compiled language, we don't need a runtime (unlike Python): we just need to deploy a pre-built binary to run it. As a result, Go images are usually small, hence fast to pull to the runtime platform (especially if we use a lightweight base image like Alpine Linux).
However, we can't hard-code the ENV file containing secrets in the Docker image.
Although, technically, it's possible to mount a file to a container (for example, in K8s you can inject configuration data into Pods using a ConfigMap), this isn't ideal for two reasons:
So, reading secrets from a file doesn't really meet the needs of a cloud-native environment.
What's the alternative, then? Let's continue exploring.
To regular readers of the GitGuardian blog and my articles, a secret manager is not an unfamiliar concept. And yes, it's much better (not only more secure but also more compatible with the cloud-native environment) to read secrets from a secret manager.
If you haven't used a secret manager in a major public cloud, read more about it in my previous blogs:
Before diving into how to read secrets from a secret manager (which is kind of simple; we only need to call some APIs), it's more important to figure out how to authenticate with a secret manager.
Since secret managers are services hosting sensitive information, our apps need some form of secret token to authenticate with them. Generally speaking, there are three basic ways to get a token for our apps:
Next, let's analyze the three methods.
Like many web services, secret managers can generate tokens (e.g., JWT, OAuth2), which we can then provide directly to our apps so that they can call secret managers' APIs.
Although this is simple, it's the least preferred method of the three aforementioned choices:
So, let's skip this non-ideal method, and continue exploring.
Using a non-platform credential, like a username/password authentication (non-platform means that it's not provided by the runtime platform, to differ from the option in the next section), is better. This kind of credential can associate an identity with the app that is using it.
Think of this method as using a web service that requires login: first, you log in to a website using your username and password so that the service knows it's you who's using it (the identity). Then, after logging in, the backend returns some token to the frontend so that logged-in users can access protected APIs with that returned token.
This is already a significant improvement over the token authentication method, but still, there are some challenges:
Some secret managers, such as HashiCorp Vault, handle these challenges automatically by using a mechanism called an AppRole, which basically is a username/password authentication mechanism, but with some interesting implementation:
If the description above confuses you, check out this diagram:
In this way, since the username and password are delivered by different channels at different times, and the password is scoped and short-lived, it's much more secure than the token method.
For more details on this mechanism, read this blog and this tutorial.
However, this mechanism has a drawback: not all major secret managers have this kind of mechanism. Because of this, we won't dive deep into a tutorial on this mechanism, but if you are interested, check out this sample app here. For more information on using Vault, check out this blog.
The third option is to use the platform's identity to authenticate with the secret manager so that the app itself won't need to worry about the authentication part.
For example, an app running in AWS EKS can have a service account, which can be mapped to an AWS IAM role. We can grant the role access to AWS Secrets Manager and certain secrets. Let me walk you through this process.
First, let's prepare an AWS EKS cluster with OIDC enabled. The easiest way to do so is by using eksctl
, the official CLI for AWS EKS:
eksctl create cluster --name my-cluster --with-oidc --region ap-southeast-1
Note:
service account
I assume AWS CLI is already installed and configured in your environment. If you haven't done so, follow this guide.You can install
eksctl
by following the official doc here.If you already have an EKS cluster, make sure the OIDC is enabled.
Then, let's create an IAM policy to be used with our app:
cat >my-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "*"
}
]
}
EOF
aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json
Next, create an IAM role and associate it with a Kubernetes service account (remember to replace the AWS account in the policy arn):
eksctl create iamserviceaccount --name my-service-account --namespace default --cluster my-cluster --role-name my-role \
--attach-policy-arn arn:aws:iam::202449767955:policy/my-policy --approve
Create a secret in AWS Secrets Manager for testing:
aws secretsmanager create-secret \
--name MySecret \
--secret-string "{'user':'tiexin','password':'PASSWORD'}"
We deploy a Pod with the service account my-service-account
, which we mapped to a newly created IAM role my-role
with policy my-policy
that allows it to describe and get secrets from AWS Secrets Manager:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test
spec:
serviceAccountName: my-service-account
containers:
- name: go-container
image: golang
command: [ "sleep", "3600" ]
EOF
Finally, let's get into the Pod to write some Go code to simulate an app accessing the secret:
kubectl exec -it test -- /bin/bash
In the pod:
mkdir test && cd test
go mod init test
cat >main.go <<EOF
package main
import (
"context"
"fmt"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)
func main() {
secretName := "MySecret"
region := "ap-southeast-1"
config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
log.Fatal(err)
}
svc := secretsmanager.NewFromConfig(config)
input := &secretsmanager.GetSecretValueInput{
SecretId: aws.String(secretName),
VersionStage: aws.String("AWSCURRENT"),
}
result, err := svc.GetSecretValue(context.TODO(), input)
if err != nil {
log.Fatal(err.Error())
}
var secretString string = *result.SecretString
fmt.Println(secretString)
}
EOF
go mod tidy
go run main.go
You should get the content of the secret successfully.
As we can see from the code above, the app doesn't do any authentication, but rather, since it's running with a K8s service account, which is bound to an IAM role. The IAM role handles the access to the secrets manager.
It's worth mentioning that although in this example we demonstrated authenticating with AWS Secrets Manager using IAM roles, authenticating with HashiCorp Vault using IAM roles can be achieved as well.
Apparently, authenticating through the platform is the best, because not only it's secure, but also the apps don't need to worry about identities and authentications altogether. However, there are some limitations: not every cloud platform supports this feature for all secret managers. For example, maybe you are using a cloud with HashiCorp Vault, but that cloud doesn't have an authentication plugin for Vault. Or, for another example, maybe you are running your workload on bare metal servers but you want to use AWS Secrets Managers, and your bare metal servers can't have IAM roles.d
To tear down the IAM role and policy (the EKS cluster is kept for the next section):
We have come quite far from reading secrets from an ENV file, but there are still possible improvements.
Note that our in the previous section's tutorial, the Go app is not "secret-manager-agnostic": It still needs to know which secret manager is used, and it still has the code to call the secret manager's APIs. This can be suboptimal for a few reasons:
And maybe more.
Is there a way to benefit from secret managers while not worrying about them at all, achieving some "secret-manager-transparent" state?
Yes there is, and it could be the ultimate simple solution: don't even think about secret when writing Go apps, let somebody else worry about it.
Allow me to expand:
You may think pushing the task of secret handling to others is irresponsible, but if you look at the big picture, this is the most responsible way possible: the secret handling for all apps, no matter what they are, in what languages they are written, is tackled once and for all, using a unified solution. No duplicated API calls in your dozens of microservices anymore, and no worrying about multicloud anymore.
So, the key is to synchronize secrets from a secret manager to the runtime platform where your app is running, so that your Go app can read them directly from ENV vars without doing anything.
Next, let's have a look at how to achieve this.
There are many ways to achieve this, for example, using the External Secrets Operator to sync secrets from secret managers to K8s, using the Vault Secrets Operator on Kubernetes to sync secrets from HashiCorp Vault to K8s, and more. In this tutorial, let's continue using the EKS cluster and the secret created in the previous section, and use the External Secrets Operator to sync secrets to our Go app.
First, let's install the External Secret Operator:
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace
Then, let's create an IAM role with policies enabling the external secret operator to get secrets from AWS Secrets Manager, solving the authentication problem using the "platform's identity" method:
cat >external-secret-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "*"
}
]
}
EOF
aws iam create-policy --policy-name external-secret-policy --policy-document file://external-secret-policy.json
Then, create an IAM role for the service account with the above policy:
eksctl create iamserviceaccount --name my-external-secret-store --namespace default --cluster my-cluster --role-name my-external-secret-role \
--attach-policy-arn arn:aws:iam::202449767955:policy/external-secret-policy --approve
Then, let's create a SecretStore
pointing to AWS Secrets Manager using the IAM role for serviceaccount for authentication (the production-ready way):
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secretsmanager
namespace: default
spec:
provider:
aws:
service: SecretsManager
region: ap-southeast-1
auth:
jwt:
serviceAccountRef:
name: my-external-secret-store
EOF
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: test-secret
namespace: default
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secretsmanager
kind: SecretStore
target:
name: test-secret
creationPolicy: Owner
data:
- secretKey: secret
remoteRef:
key: MySecret
EOF
Then, we deploy a Pod referencing a K8s Secret as ENV var. We did not create the K8s Secret, it is automatically synchronized by the external secret operator:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test-es
spec:
containers:
- name: go-container
image: golang
envFrom:
- secretRef:
name: test-secret
command: [ "sleep", "3600" ]
EOF
Get into the Pod to write normal Go code to read from ENV vars:
kubectl exec -it test-es -- /bin/bash
In the pod:
mkdir test && cd test
go mod init test
cat >main.go <<EOF
package main
import (
"fmt"
"os"
)
func main() {
envVarValue := os.Getenv("secret")
fmt.Printf("%s\n", envVarValue)
}
EOF
go mod tidy
go run main.go
The secret value is read from ENV var.
As you can see, our simple Go program can transparently read the environment variable at runtime. This is made possible thanks to the job done automatically by the external secret operator.
Note that this is only a demo, in the real world, we would use Helm charts to package the ExternalSecret
object and our app, and in the app, we don't need to think about secret managers, at all. For more information on how to handle secrets in Helm charts, read this blog.
To tear down after this tutorial:
eksctl delete iamserviceaccount --name my-external-secret-store --namespace default --cluster my-cluster
aws iam delete-policy --policy-arn arn:aws:iam::202449767955:policy/external-secret-policy
aws secretsmanager delete-secret --secret-id MySecret
eksctl delete cluster --name my-cluster
In this blog, we covered various ways of secrets handling in Go.
The ultimate solution, following the 12-factor app methodology, is not to worry about secrets at all: Let someone else worry about how to securely synchronise secrets to the app's runtime platform. No matter which public cloud you are using, chances are there is a solution to achieve this goal, just as demonstrated in the previous tutorial.
If, for some reason, the best choice above isn't available to you, there are also some okayish ways (with some limitations), like using the underlying platform's identity to authenticate your app to a secret manager (but not all platforms support all secret managers) or using a secure auth method like the Vault AppRole (but not all secret managers support this method).
Authenticating using a token is the least preferred method. Use it only when the previous options are absolutely impossible.
The last resort is to read from an ENV file, which is not recommended in today's fast-paced, security-first, cloud-native world.
As a finishing note, if you want to learn more about HashiCorp Vault and data security in general, read my other blog, "Data Security: an Introduction to AWS KMS and HashiCorp Vault."
If you enjoyed reading this article, as always, please share and subscribe. See you in the next piece!
*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Code Security for the DevOps generation authored by Guest Expert. Read the original post at: https://blog.gitguardian.com/how-to-handle-secrets-in-go/