Re: Issue with core microservice access credentials in the secret service when secret service is enabled.

White2, James


Based on a call with Trevor, Tingyu and Brandon from my team just after the security working group call, we made some decisions about this design (some that are a reversal of what was discussed on the WG call).


  1. Per Tingyu’s message below, the command line parameter to use Vault secrets by the service is going to be named “secrets” versus “secretservicerequired” in order to shorten it up a bit
  2. The default value for this will be false versus true.  Meaning you have to add this command line parameter in order to turn on secrets by Vault.


This means that by default, services will still get the database username/password info from Consul or config file for the Edinburgh release and will get the secrets out of Vault only if someone adds the “secrets” command parameter setting.


While the preferred way would be to have secrets coming from Vault by default (especially production), the change for developers and the change to all the blackbox tests immediately (and as discussed in our WG meeting) was going to create too much turmoil this close to the release.  We will revisit this default for Fuji.  The functionality will still be there, just not on by default.


If you have comments or additional concerns, please let us know.



Jim White

Director, IoT Platform Development Team & Distinguished Engineer

EdgeX Foundry Technical Steering Committee Vice Chairman

Dell Technologies | IoT Solutions Division

Office +1 512-723-6139, mobile/text +1 612-916-6693




From: EdgeX-TSC-Security@... <EdgeX-TSC-Security@...> On Behalf Of Zeng, Tingyu
Sent: Wednesday, May 15, 2019 10:35 AM
To: EdgeX-TSC-Security@...
Subject: [Edgex-tsc-security] Issue with core microservice access credentials in the secret service when secret service is enabled.





I have created an issue #1341 in the edgex-go repo that addressed the discussion during our security WG meeting.



Here I propose to add one more command line option in the core microservice that is going to consume the secret service. For coredata service I think the best place is in  as you see it parses the command line parameters. We need to add one more option, something like 



if the secret service is required.")


By default the value is true, which means we need to check if the secret service is up and running to provide credentials. If the secret service is down, then we need to exit the whole micro service.


If it is false, when we check the secret service and if it is down, we need to continue the original logic, means we need to check the configuration file and then consul to get the credentials. In other words, we try our best to look up all the places to get the credentials.


Let me know if you have any questions.
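
The flag behaviour discussed in this thread, as an added Go example that is not part of either message and is not edgex-go code. It uses the "secrets" flag name and false default from the reply above, and fails closed when the flag is set but Vault is unreachable; `Resolve`, `Source`, `Credentials`, `ErrSecretStoreRequired` and the stand-in sources are hypothetical names with constructed values.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"log"
)

// Credentials is the database username/password a core service needs.
type Credentials struct{ Username, Password string }
// Source is a hypothetical credential lookup; not an edgex-go type.
type Source struct {
	Name  string
	Fetch func() (Credentials, error)
}

var ErrSecretStoreRequired = errors.New("secrets enabled but secret service unavailable")

// Resolve: useSecrets=true uses Vault only and fails closed;
// useSecrets=false keeps the original order, config file and then Consul.
func Resolve(useSecrets bool, vault Source, fallbacks ...Source) (Credentials, string, error) {
	if useSecrets {
		c, err := vault.Fetch()
		if err != nil {
			return Credentials{}, "", fmt.Errorf("%w: %v", ErrSecretStoreRequired, err)
		}
		return c, vault.Name, nil
	}
	for _, s := range fallbacks {
		if c, err := s.Fetch(); err == nil && c.Username != "" {
			return c, s.Name, nil
		}
	}
	return Credentials{}, "", errors.New("no credentials in config file or Consul")
}

func main() {
	useSecrets := flag.Bool("secrets", false, "read database credentials from Vault")
	flag.Parse()
	// Constructed stand-ins: Vault down, config file empty, Consul populated.
	vault := Source{"vault", func() (Credentials, error) { return Credentials{}, errors.New("connection refused") }}
	file := Source{"config-file", func() (Credentials, error) { return Credentials{}, nil }}
	consul := Source{"consul", func() (Credentials, error) { return Credentials{"core", "constructed-password"}, nil }}
	creds, from, err := Resolve(*useSecrets, vault, file, consul)
	if err != nil {
		log.Fatalln("fatal:", err) // exit the service rather than fall back silently
	}
	fmt.Printf("database user %q loaded from %s\n", creds.Username, from)
}
```

Run without arguments it reports credentials from Consul; run with `-secrets` it exits non-zero because the stand-in Vault is down.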



