Time-based, revocable, leased – dynamic access credentials for InfluxDB

Automated token management for InfluxDB Cloud

Today we’re excited to announce the InfluxDB add-on for Ockam Orchestrator. Through the use of the add-on, customers that are using InfluxDB Cloud can use Ockam to improve their security posture by automatically granting uniquely identifiable, least privilege, time-limited credentials for any client that needs to connect to InfluxDB cloud.

The problem with managing access at scale

Managing client access credentials for thousands of discrete clients can be a challenge for customers at scale. Issuing unique credentials to each client can be such an operational burden that we’ve seen some companies opt to have a single credential that is shared across all their client services and devices. This trade-off though comes with an increase in risk: any one of those thousands of clients could potentially expose the same secrets used by the whole fleet. It also increases the operational burden of remediation when one of those credentials is exposed: you’re now scrambling to work out how to revoke and deploy new credentials to your entire fleet all at once. Instead industry best-practice would recommend regularly auditing and rotating those credentials to reduce the risk to the business. That regular revocation and rotation results in an on-going operational complexity that only continues to increase as the number of clients grows.

The InfluxDB add-on for Ockam Orchestrator is a drop-in solution that works with any InfluxDB client. It allows an organization to define a standardized policy that defines uniquely identifiable, least privilege, time-limited credentials appropriate for their use case. Each client can then request its own credential which, if granted, can then be used wherever existing InfluxDB credentials are used. The time-limited nature means that when the lease period expires the credential is automatically revoked, and the client can request a new one to continue communicating.

Let’s take a look at just a couple of examples of what’s now possible, and how to achieve it.

Initial setup of Ockam

If you’ve previously setup Ockam you can skip this section and move straight to the two examples below.

brew install build-trust/ockam/ockam

(if you’re not using brew for package management we have installation instructions for other systems in our documentation)

Once installed you need to enroll your local identity with Ockam Orchestrator, run the command below and follow the instructions provided:

ockam enroll

Enroll clients at scale

Log in to your InfluxDB Cloud Dashboard and get the Cluster URL (Host Name) and Organization ID from your Organization settings page, then generate a new All Access API token (Load Data > API Tokens > Generate API Token > All Access API Token). Take those three values and insert them into the appropriate environment variables below so we can use them later:

export INFLUXDB_ADMIN_TICKET="infludb-cloud-token-here"
export INFLUXDB_ORG_ID="influxdb-org-id-here"
export INFLUXDB_ENDPOINT_URL="https://your-cluster-url-here"
export INFLUXDB_BUCKET="bucket-name-here"

Now it's time to integrate Ockam and InfluxDB Cloud! We'll do that by configuring the add-on to use the configuration settings we exported early, in addition to defining a default set of permissions each future lease request should be granted.

read -r -d '' INFLUXDB_LEASE_PERMISSIONS <<- EOF
[{"action": "write",
  "resource": {
    "type": "buckets",
    "name": "$INFLUXDB_BUCKET",
    "orgID": "$INFLUXDB_ORG_ID"
}}]
EOF

To save you having to unpack all of that: it's an InfluxDB permission definition (in JSON format) that only grants the ability to write to a specific bucket on a specific Org. Clients with this permission will be unable to read any data, modify permissions, etc.

ockam project addon configure influxdb \
  --endpoint-url $INFLUXDB_ENDPOINT_URL \
  --token $INFLUXDB_ADMIN_TICKET \
  --org-id $INFLUXDB_ORG_ID \
  --permissions "$INFLUXDB_LEASE_PERMISSIONS" \
  --max-ttl 900

Before a client can connect to a project, an enrollment token must be generated for it by an authorized entity:

export VEHICLE_TICKET=$( \
  ockam project ticket \
  --attribute service=connected-vehicle )

Next we need to create a new identity for our client, as it's to this identity that the leased InfluxDB token will be issued. In a production environment you would run these next 3 steps on your intended your intended client, in our case the connected vehicle, but for demo purposes we'll run them all from the same machine:

ockam identity create connected-vehicle

Identity created, we can authenticate to our project using the enrolment token SENSOR_TICKET we saved at the start of this section:

ockam project enroll $VEHICLE_TICKET \
  --identity connected-vehicle

We've arrived at the big moment, time to request a new lease:

ockam lease create \
  --identity connected-vehicle

In the output you'll see not just the token you created but when it expires, which should be 15 minutes from the time it was created (we set the max TTL to 900 seconds in the original ockam addon configure command).

Grant temporary read access

What if we wanted to grant someone from our data science or operations teams access to read the data? We could take the same approach as in the previous example, but simply change the permissions and the lease timeout:

read -r -d '' INFLUXDB_LEASE_PERMISSIONS <<- EOF
[{"action": "read",
  "resource": {
    "type": "buckets",
    "name": "$INFLUXDB_BUCKET",
    "orgID": "$INFLUXDB_ORG_ID"
}}]
EOF

This is the same permission definition we used earlier except the write access has been replaced with read.

Next we’ll configure the add-on, but this time we’ll set the time-to-live (TTL) on the issued credentials to be 7 days instead of 15 minutes:

ockam project addon configure influx-db \
  --endpoint-url $INFLUXDB_ENDPOINT_URL \
  --token $INFLUXDB_ADMIN_TICKET \
  --org-id $INFLUXDB_ORG_ID \
  --permissions "$INFLUXDB_LEASE_PERMISSIONS" \
  --max-ttl 604800

As before we will generate a token to allow this person to enroll, and then create and enroll them:

export USER_TICKET=$( \
  ockam project ticket \
  --attribute service=data-user)

ockam identity create alice

ockam project enroll $USER_TICKET \
  --identity alice

Now any time this person needs to request access to query InfluxDB Cloud they can request a new set of credentials by running:

ockam lease create \
  --identity alice

Unique, time-limited, and least privilege access

You’ve hopefully seen from these examples that in just a few minutes you can go through the complete Ockam setup process and implement an improved credential management policy for your InfluxDB Cloud clients. One that reduces your risk by issuing unique per-client credentials. Credentials that are limited in both scope and duration to whatever is most appropriate for the needs of your clients. And credentials that work as a seamless alternative for all of your existing InfluxDB client use cases.

Get started

If you’ve not already followed the example in this guide, you can get started using Ockam for free by following the instructions in our documentation. If you’d like to talk specifically about this or other potential use cases for Ockam, the team would be more than happy to chat with you. Alternatively you can join us, and an ever growing community of developers who want to build trust by making applications that are secure-by-design, in the Build Trust Discord server.