Title of invention: Method and system for distributing secrets
Abstract: Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of the secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data.
Publication number: US9384362(B2) Publication date: 2016.07.05
Application number: US201314053488 Filing date: 2013.10.14
Applicant: Intuit Inc. Inventors: Cabrera Luis Felipe;Lietz M. Shannon;Armitage James;Gryb Oleg;Shanmugam Elangovan;Philip Sabu Kuruvila;Weaver Brett;Bishop Thomas;Otillio Troy;Whitehouse Jinglei;Wolfe Jeffrey M.;Jain Ankur
Classification: G06F17/00;H04L29/06;G06F21/62;G06F21/33 Main classification: G06F17/00
Agency: Hawley Troxell Ennis & Hawley LLP Agent: Hawley Troxell Ennis & Hawley LLP;McKay Philip
Principal claim: 1. A system for distributing credentials comprising: at least one processor; and at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing credentials, the process for distributing credentials including: receiving request data from a requesting virtual asset, the request data including a request for one or more credentials required in order for the requesting virtual asset to be allowed to access one or more resources, the requested credentials being of a first type of a plurality of credential types, the one or more resources being cloud-accessible resources; responsive to receiving the request data, obtaining profile data associated with the requesting virtual asset; responsive to receiving the request data, authenticating, by a secrets distribution management system, the requesting virtual asset; responsive to authenticating the requesting virtual asset and obtaining profile data associated with the requesting virtual asset, analyzing, by the secrets distribution management system, the profile data using one or more distribution factors to determine one or more credentials of the first type that the requesting virtual asset is authorized to receive, the determination being at least partly based on a role assigned to the requesting virtual asset, the requesting virtual asset being assigned at least two different roles; determining a first source from which the first type of credential is available, wherein a plurality of credential sources are available each having different types of credentials, wherein credentials of a first type are only available from a first source, and credentials of a second type are only available from a second source; and providing, from the first source, credentials data representing the determined one or more credentials to the requesting virtual asset, the provided credentials data including data representing one or more of the credentials associated with the request data, the providing being accomplished through at least: encrypting set data; assigning identification data to the encrypted set data; storing the encrypted set data in a credentials store; providing the requesting virtual asset the identification data and an encryption key for identifying and decrypting the encrypted set data; and providing the requesting virtual asset access to the credentials store.
Address: Mountain View CA US