Try a simple example which uses the Secretless Broker to connect to a PostgreSQL database, open an SSH connection, or authenticate to an HTTP service protected with basic auth.
Download and run the Secretless Broker quick-start as a Docker container:
$ docker container run \
  --rm \
  -p 5432:5432 \
  -p 5454:5454 \
  cyberark/secretless-broker-quickstart
Direct access to the PostgreSQL database is available over port
5432. You can try querying some data, but you don't
have the credentials required to connect (even if you know the
username):
$ psql \
  --host localhost \
  --port 5432 \
  --set=sslmode=disable \
  --username secretless \
  -d quickstart \
  -c 'select * from counties;'
Password for user secretless:
psql: FATAL: password authentication failed for user "secretless"
The good news is that you don't need any credentials! Instead, you
can connect to the password-protected PostgreSQL database via the
Secretless Broker on port 5454, without knowing the
password. Give it a try:
$ psql \
  --host localhost \
  --port 5454 \
  --set=sslmode=disable \
  --username secretless \
  -d quickstart \
  -c 'select * from counties;'
 id |    name
----+------------
  1 | Middlesex
  2 | Worcester
  3 | Essex
  4 | Suffolk
  5 | Norfolk
  6 | Bristol
  7 | Plymouth
  8 | Hampden
  9 | Barnstable
 10 | Hampshire
 11 | Berkshire
 12 | Franklin
 13 | Dukes
 14 | Nantucket
(14 rows)
Download and run the Secretless Broker quick-start as a Docker container:
$ docker container run \
  --rm \
  -p 2221:22 \
  -p 2222:2222 \
  cyberark/secretless-broker-quickstart
The default SSH service is exposed over port 2221. You
can try opening an SSH connection to the server, but you don't have
the credentials to log in:
$ ssh -p 2221 user@localhost
The authenticity of host '[localhost]:2221 ([127.0.0.1]:2221)' can't be established.
ECDSA key fingerprint is SHA256:FLnEsQ6aa1qEQopwywlWXI0LeNb04An72BThZZ8GNy8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2221' (ECDSA) to the list of known hosts.
Permission denied (publickey,keyboard-interactive).
The good news is that you don't need credentials! You can establish
an SSH connection through the Secretless Broker on port
2222 without any credentials. Give it a try:
$ ssh -p 2222 user@localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:fSn95WSqzC9JpAdZNs3iAEuRQckQSts26dJM9Hqwwh8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
You've established an SSH connection via Secretless!
Check out https://secretless.io for more information.
bdfe24ac8aaf:~$
Download and run the Secretless Broker quick-start as a Docker container:
$ docker container run \
  --rm \
  -p 8080:80 \
  -p 8081:8081 \
  cyberark/secretless-broker-quickstart
The service we're trying to connect to is listening on port
8080. If you try to access it, the service will inform
you that you're unauthorized:
$ curl -i localhost:8080
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.0
Date: Thu, 20 Sep 2018 16:11:44 GMT
Content-Type: text/plain
Content-Length: 26
Connection: keep-alive
WWW-Authenticate: Basic realm="Authentication required"

You are not authenticated.
Instead, you can make an authenticated HTTP request by proxying
through the Secretless Broker on port 8081. The Secretless Broker
will inject the proper credentials into the request without you
needing to know what they are. Give it a try:
$ http_proxy=localhost:8081 curl -i localhost:8080
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 35
Content-Type: text/plain
Date: Thu, 20 Sep 2018 16:12:25 GMT
Server: nginx/1.14.0

You are successfully authenticated.
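The credential-injection pattern behind the HTTP example can be reproduced in a few lines. The sketch below is an added illustration, not Secretless Broker's own code: a toy forward proxy adds the basic-auth header so the client never handles it. The names Backend, Broker, SECRET, get and demo, the credential, and the ephemeral ports are all assumptions made for this example.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed credential for this demo; only Backend and Broker reference it.
SECRET = "Basic " + base64.b64encode(b"demo-user:demo-password").decode()

def get(host, port, target, headers=None):  # returns (status, body)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", target, headers=headers or {})
    resp = conn.getresponse()
    result = resp.status, resp.read().decode()
    conn.close()
    return result

class Quiet(BaseHTTPRequestHandler):
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # suppress per-request logging
        pass

class Backend(Quiet):
    """Stands in for the basic-auth protected service."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == SECRET
        self.reply(200 if ok else 401, "authenticated" if ok else "not authenticated")

class Broker(Quiet):
    """Forward proxy that adds the Authorization header for the client."""
    def do_GET(self):
        target = urlsplit(self.path)  # a proxied request carries an absolute URL
        status, body = get(target.hostname, target.port, target.path or "/", {"Authorization": SECRET})
        self.reply(status, body)

def demo():
    backend, broker = (HTTPServer(("127.0.0.1", 0), h) for h in (Backend, Broker))
    for s in (backend, broker):
        threading.Thread(target=s.serve_forever, daemon=True).start()
    direct = get("127.0.0.1", backend.server_port, "/")
    proxied = get("127.0.0.1", broker.server_port, "http://127.0.0.1:%d/" % backend.server_port)
    for s in (backend, broker):
        s.shutdown()
    return direct, proxied
```

Calling demo() returns the direct result followed by the proxied one; the client code in demo() never references SECRET, so the credential stays confined to the broker and the service it fronts.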