Secretless Broker: Open-source tool connects apps securely without passwords or keys

Secretless Broker is an open-source connection broker that eliminates the need for client applications to manage secrets when accessing target services like databases, web services, SSH endpoints, or other TCP-based systems.

Secretless Broker features

“We created Secretless Broker to solve the “last mile” problem in secret delivery. While many tools handle secret storage and retrieval, there was still a gap in how those secrets were used securely by applications. The tool was designed to close that gap, a single, lightweight service that understands how to fetch secrets from vaults and use them securely to establish connections with external services, without ever exposing the secret to the application,” Kumbirai Tanekha, Staff Software Engineer at CyberArk, told Help Net Security.

To connect to a target service without handling secrets directly, the client goes through Secretless Broker. A Service Connector speaks the target service’s protocol and takes care of the authentication step. The client doesn’t need to know the actual password. It just connects to Secretless Broker locally. The tool then gets the needed credentials from a secrets store (like Conjur, a keychain, a file, or something similar) through a Credential Provider. It uses those credentials to connect to the service and passes data between the client and the service as it comes in.

The tool supports several target services out of the box:

• MySQL (Socket and TCP)
• PostgreSQL (Socket and TCP)
• SSH / SSH-Agent (Beta)
• HTTP with Basic auth, Conjur, and AWS authorization strategies (Beta)

Future plans and download

“Looking ahead, we want to expand support for more target services and deepen integration with tools solving the secret zero problem. We’re excited about how Secretless Broker could work alongside identity-based solutions like SPIFFE. For example, in a SPIFFE-enabled environment, our tool could accept an identity document and translate it into whatever credentials are required for secure service access, or, where secrets are still needed, continue providing a secure and abstracted way to consume them,” Tanekha explained.

Secretless Broker is available for free on GitHub.

Must read:

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!