
Open-Source Tool Securely Connects Apps Without Passwords

Summary

– Secretless Broker is an open-source tool that allows client applications to access services like databases or SSH endpoints without handling secrets directly.
– It solves the “last mile” problem in secret delivery by fetching and using secrets securely from vaults, keeping them hidden from the application.
– Clients connect locally to Secretless Broker, which uses a Credential Provider to retrieve secrets and authenticate with the target service on their behalf.
– The tool currently supports MySQL, PostgreSQL, SSH/SSH-Agent (Beta), and HTTP with various auth strategies, with plans to expand to more services.
– Secretless Broker is free on GitHub and may integrate with identity-based solutions like SPIFFE in the future for enhanced security.

Managing application security just got simpler with an innovative open-source solution that removes password handling from the equation. Secretless Broker provides a secure bridge between client applications and backend services without exposing sensitive credentials to the application layer. This lightweight connection broker acts as an intermediary, handling authentication while keeping secrets safely stored in vaults or credential management systems.

Developed to address critical gaps in secret management, Secretless Broker solves the “last mile” challenge by ensuring credentials never pass through application code. Instead, it establishes direct, authenticated connections to services like databases, web APIs, and SSH endpoints through protocol-aware connectors. Applications simply communicate locally with the broker, which then manages the entire authentication process transparently.

The system operates through a streamlined architecture. When an application needs to access a service, it connects to the local Secretless Broker instance. The broker’s credential provider retrieves necessary secrets from supported storage solutions including CyberArk Conjur, local keychains, or encrypted files. These credentials are then used exclusively within the broker to establish the secure connection, preventing any exposure to the client application.
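The flow described above, as an added Python sketch of the pattern (not Secretless Broker's own code or configuration): a client with no credentials is rejected by the service directly but succeeds through a local broker that looks up the secret and authenticates for it. The `VAULT` dictionary, the Basic Auth backend, and all names and values are constructed for illustration.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a vault; only the broker side reads it.
VAULT = {"backend/user": "svc-app", "backend/password": "constructed-example-pw"}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fetch(url, headers=None):  # returns (status, body), also for error statuses
    try:
        with OPENER.open(urllib.request.Request(url, headers=headers or {})) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass
    def reply(self, status, body):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

class Backend(Quiet):  # target service: accepts only the expected Basic Auth value
    def do_GET(self):
        ok = self.headers.get("Authorization") == basic("svc-app", "constructed-example-pw")
        self.reply(200 if ok else 401, b"rows" if ok else b"denied")

class Broker(Quiet):  # local listener: builds a fresh request and injects the secret
    def do_GET(self):
        auth = basic(VAULT["backend/user"], VAULT["backend/password"])  # provider lookup
        self.reply(*fetch(self.backend_url + self.path, {"Authorization": auth}))

def start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # loopback only, ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def demo():
    backend, backend_url = start(Backend)
    Broker.backend_url = backend_url
    broker, broker_url = start(Broker)
    direct = fetch(backend_url + "/rows")    # client holds no secret: rejected
    brokered = fetch(broker_url + "/rows")   # same client via broker: authenticated
    return direct, brokered

if __name__ == "__main__":
    print(demo())
```

The broker in this sketch authenticates on behalf of anything that can reach its listener, which is why it binds to 127.0.0.1 only.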

Current protocol support includes robust production-ready options for MySQL and PostgreSQL (via both socket and TCP connections), with beta functionality for SSH/SSH-Agent and HTTP services using Basic Auth, Conjur, or AWS authorization methods. This coverage addresses many common enterprise integration scenarios while maintaining flexibility for diverse infrastructure environments.

The development roadmap points to support for additional service types and deeper integration with identity-based security frameworks. Potential future enhancements include native compatibility with SPIFFE identity documents, allowing the broker to translate verified identities into appropriate service credentials automatically. This evolution could further reduce dependency on traditional secret storage while maintaining rigorous access controls.

Available as free open-source software on GitHub, Secretless Broker represents a practical approach to credential management that aligns with modern security best practices. By abstracting secrets away from application logic, it reduces attack surfaces and simplifies compliance requirements without sacrificing functionality. The project welcomes community contributions to extend its protocol support and integration capabilities.

(Source: HELPNETSECURITY)
