Configuring the Key Access Management
The Key Access Management is configured in the kas section of the config.json file. You can configure it independently for each tenant.
The template for the Key Access Management configuration block is as follows:
```json
"kas": {
    "enable": false,
    "authentication": [
        {
            "discovery_uri": "_KAS_AUTHENTICATION_DISCOVERY_URI_",
            "client_id": "_KAS_AUTHENTICATION_ISSUER_"
        },
        {
            "name": "_KAS_AUTHENTICATION_API_KEY_NAME_",
            "api_key": "_KAS_AUTHENTICATION_API_KEY_VALUE_"
        }
    ],
    "policy_enforcement": {
        "enable": false,
        "type": "_POLICY_ENFORCEMENT_TYPE_",
        "opa_server": {
            "url": "_URL_",
            "authentication": {
                "type": "basic",
                "user_id": "_USER_ID_",
                "password": "_PASSWORD_"
            }
        }
    }
},
```
Parameter | Description | Type | Optional/mandatory |
---|---|---|---|
enable | Enables or disables the KAS feature for the tenant. | Boolean | Mandatory to use the KAS feature. |
authentication parameter
JSON object containing the configuration that allows authenticating to the Key Access Management. Two authentication methods are available: OpenID with JWT tokens, or API keys.
When using OpenID, you must have configured the Identity Provider (IDP) to deliver JWT tokens carrying at least these fields: "iss", "aud", "exp", "iat". For more information, see Configuring the identity provider.
Stormshield recommends using OpenID authentication whenever possible, as it provides stronger security guarantees and enables advanced use cases such as ABAC (Attribute-Based Access Control).
Parameter | Description | Type | Optional/mandatory |
---|---|---|---|
discovery_uri | URL of the OpenID JSON configuration document (discovery document) used for OpenID authentication. | String | Mandatory to use OpenID authentication. |
client_id | Recipient of the JWT authentication token (the "aud" claim, see RFC 7519). One entry must be added for each identity provider. | String | Mandatory to use OpenID authentication. |
name | Name of the API key. The character ':' is not allowed (see RFC 2617). | String | Mandatory to use API key authentication. |
api_key | Value of the API key. Must be a valid API key provided by Stormshield. | String | Mandatory to use API key authentication. |
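When OpenID authentication fails, the first thing to check is whether the IDP actually emits the four claims listed above and whether its "aud" claim names the configured client_id. The following helper is an added example (it is not part of this documentation or of the Stormshield product) that decodes a token's payload and reports which of those requirements are not met. It deliberately does not verify the signature: that is the job of the Key Access Management itself, and this helper is only meant to diagnose an IDP configuration. The issuer value and the tokens are constructed for the example; the client_id is the one used in the example configuration on this page.

```python
import base64
import json
import time
from typing import List, Optional

# Claims the KAS documentation requires the IdP to put in every JWT.
REQUIRED_CLAIMS = ("iss", "aud", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    This is a diagnostic helper, not a verifier: the KAS itself validates the
    signature against the IdP; here we only look at which claims the IdP emits.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_kas_claims(token: str, client_id: str, now: Optional[int] = None) -> List[str]:
    """List the ways a token falls short of the KAS requirements; an empty list means it passes."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    problems = [f"missing required claim '{name}'" for name in REQUIRED_CLAIMS if name not in claims]
    aud = claims.get("aud")
    if aud is not None:
        # RFC 7519: aud is either a single string or an array of strings.
        audiences = aud if isinstance(aud, list) else [aud]
        if client_id not in audiences:
            problems.append(f"client_id '{client_id}' not in aud {audiences}")
    if isinstance(claims.get("exp"), int) and claims["exp"] <= now:
        problems.append("token already expired (exp <= now)")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now:
        problems.append("iat lies in the future")
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed token for the checks below; the signature segment is a dummy."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


# Constructed sample tokens; NOW is fixed so the results are reproducible.
NOW = 1_700_000_000
GOOD_TOKEN = _make_unsigned_token({
    "iss": "https://localhost:4000/static/wrap-private-key",  # constructed from the example discovery_uri
    "aud": "cse-wrapprivatekey", "exp": NOW + 3600, "iat": NOW,
})
BAD_TOKEN = _make_unsigned_token({
    "iss": "https://localhost:4000/static/wrap-private-key",
    "aud": ["some-other-client"], "exp": NOW + 3600,  # no iat, wrong audience
})

if __name__ == "__main__":
    print("good token:", check_kas_claims(GOOD_TOKEN, "cse-wrapprivatekey", now=NOW) or "ok")
    print("bad token:", check_kas_claims(BAD_TOKEN, "cse-wrapprivatekey", now=NOW))
```

Run against a token obtained from your own IDP, `check_kas_claims(token, client_id)` tells you directly whether the token is usable with the configured client_id before you touch the KAS configuration.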
policy_enforcement parameter
JSON object containing the configuration of the optional OPA enforcement feature for Key Access Management. For more information, see Implementing the authorization rules with Open Policy Agent.
Parameter | Description | Type | Optional/mandatory |
---|---|---|---|
enable | Enables the use of OPA rules for the feature. | Boolean | Mandatory for each feature enabled except the PKI. |
type | Kind of OPA policy to use (for example, opa_server). | String | Mandatory if policy_enforcement.enable is set to true. |
opa_server | JSON object describing the parameters required to access the OPA policy server. Stormshield guarantees compatibility with OPA version 1.2.0. | Object | Mandatory if policy_enforcement.type is set to opa_server. |
url | URL of the endpoint exposed by the OPA Data API (see the OPA documentation). Example: if your rego package is stormshield.kmaas and it defines the allow variable, the URL is https://opa-server/v1/data/stormshield/kmaas/allow. The authorized protocols are http and https; Stormshield strongly recommends https in production. | String | Mandatory if policy_enforcement.type is set to opa_server. |
authentication | JSON object describing the parameters required to authenticate to the OPA policy server. It includes the fields shown in the template: type (basic), user_id and password. | Object | Mandatory if policy_enforcement.type is set to opa_server. |
EXAMPLE
The content below is provided as an example only and must not be used as such in the Stormshield KMaaS KAS configuration of one of your tenants.
```json
"kas": {
    "enable": true,
    "authentication": [
        {
            "discovery_uri": "https://localhost:4000/static/wrap-private-key/.well-known/openid-configuration",
            "client_id": "cse-wrapprivatekey"
        }
    ],
    "policy_enforcement": {
        "enable": true,
        "type": "opa_server",
        "opa_server": {
            "url": "http://localhost:8181/v1/data/stormshield/kas/allow",
            "authentication": {
                "type": "basic",
                "user_id": "admin",
                "password": "admin"
            }
        }
    }
}
```
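The parameter tables above amount to a small set of consistency rules (mandatory fields per authentication method, the ':' ban in API key names, the http/https restriction on the OPA URL and the "https in production" recommendation, template placeholders that must be replaced). The script below is an added example, not a Stormshield tool, that applies those rules to one tenant's kas block before it is deployed and also shows how a rego package path maps to the OPA Data API URL documented for the url parameter. The sample configuration it embeds is a Python rendering of the example above; the placeholder pattern it looks for (`_UPPER_CASE_`) is inferred from the template and is an assumption of this example.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Template placeholders in this documentation look like _SOME_NAME_ (upper case, underscores); assumption of this example.
PLACEHOLDER = re.compile(r"_[A-Z0-9_]+")


def opa_data_url(base_url: str, package: str, rule: str) -> str:
    """Map a dotted rego package and a rule name to the OPA Data API URL expected in opa_server.url."""
    return f"{base_url.rstrip('/')}/v1/data/" + "/".join(package.split(".") + [rule])


def find_placeholders(node: Any, path: str = "kas") -> List[str]:
    """Walk the block and report every string value that still holds a template placeholder."""
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += find_placeholders(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += find_placeholders(value, f"{path}[{index}]")
    elif isinstance(node, str) and PLACEHOLDER.fullmatch(node):
        found.append(f"{path} still holds template placeholder '{node}'")
    return found


def validate_kas(kas: Dict[str, Any]) -> List[str]:
    """Check one tenant's kas block against the parameter tables; an empty list means no finding."""
    findings = find_placeholders(kas)
    if not isinstance(kas.get("enable"), bool):
        findings.append("kas.enable must be a boolean")

    entries = kas.get("authentication")
    if not isinstance(entries, list) or not entries:
        findings.append("kas.authentication must be a non-empty list")
        entries = []
    for i, entry in enumerate(entries):
        where = f"kas.authentication[{i}]"
        if {"discovery_uri", "client_id"} <= set(entry):
            # OpenID Connect Discovery publishes the provider metadata under this well-known path.
            if not urlsplit(entry["discovery_uri"]).path.endswith("/.well-known/openid-configuration"):
                findings.append(f"{where}.discovery_uri does not point at /.well-known/openid-configuration")
        elif {"name", "api_key"} <= set(entry):
            # RFC 2617 uses ':' to separate user-id and password, hence the ban in the key name.
            if ":" in entry["name"]:
                findings.append(f"{where}.name must not contain ':'")
        else:
            findings.append(f"{where} is neither an OpenID entry (discovery_uri, client_id) nor an API key entry (name, api_key)")

    pe = kas.get("policy_enforcement") or {}
    if pe.get("enable") is not True:
        return findings  # OPA enforcement disabled: nothing more to check
    if "type" not in pe:
        findings.append("policy_enforcement.type is mandatory when policy_enforcement.enable is true")
    if pe.get("type") != "opa_server":
        return findings
    server = pe.get("opa_server")
    if not isinstance(server, dict):
        findings.append("policy_enforcement.opa_server is mandatory when type is opa_server")
        return findings
    url = server.get("url")
    if not isinstance(url, str) or not url:
        findings.append("opa_server.url is mandatory when type is opa_server")
    else:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append(f"opa_server.url uses protocol '{parts.scheme}'; only http and https are authorized")
        elif parts.scheme == "http":
            findings.append("opa_server.url uses http; https is strongly recommended in production")
        if not parts.path.startswith("/v1/data/"):
            findings.append("opa_server.url is not an OPA Data API endpoint (/v1/data/<package>/<rule>)")
    auth = server.get("authentication")
    if not isinstance(auth, dict):
        findings.append("opa_server.authentication is mandatory when type is opa_server")
        return findings
    findings += [f"opa_server.authentication.{f} is missing" for f in ("type", "user_id", "password") if f not in auth]
    return findings


# Constructed for this example: the documentation's example block, as a Python dict.
EXAMPLE_KAS = {
    "enable": True,
    "authentication": [{
        "discovery_uri": "https://localhost:4000/static/wrap-private-key/.well-known/openid-configuration",
        "client_id": "cse-wrapprivatekey",
    }],
    "policy_enforcement": {
        "enable": True,
        "type": "opa_server",
        "opa_server": {
            "url": "http://localhost:8181/v1/data/stormshield/kas/allow",
            "authentication": {"type": "basic", "user_id": "admin", "password": "admin"},
        },
    },
}

if __name__ == "__main__":
    for finding in validate_kas(EXAMPLE_KAS):
        print("-", finding)
```

Run on the example block, the only finding is the http URL of the OPA server, which is exactly the point the url parameter's description makes about production deployments; run on the unfilled template, it lists every placeholder that still has to be replaced. Feed it `json.load(open("config.json"))["kas"]` (or the per-tenant kas block, depending on how your config.json is laid out) to check a real configuration.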