Vault Settings

Vault Settings is a set of capabilities for administering and configuring your Skyflow vault. This functionality is available only to Vault Owners. Vault settings are always managed within the context of a vault, so select the right vault context before making any changes.

IAM

Identity and Access Management (IAM) is a framework for managing identities (users and service accounts) and their access to a vault. Under IAM, you can see the list of roles that have been created for your vault and the list of users and service accounts that have access to it. You can also create a role or a service account through this interface.

Roles

Overview

Roles help you manage the Skyflow account and vault privileges for the members of your organization. This includes users who log in to the UI as well as machine identities in the form of service accounts.

A role is an entity that has the following attributes:

  1. Attached policies and permissions
  2. Assigned members

Use roles to enforce access control when sharing a vault with users and service accounts.

Role Types


Admin Roles

Admin roles have administrative privileges over your organization’s Skyflow account. This gives them access to the Admin Console UI in Skyflow Studio. There are two admin roles that Skyflow provides out of the box:

Account Admin
  • When a Skyflow Account is created, the first user who is invited is assigned the Account Admin role.
  • The main responsibility of an Account Admin is to invite users to their Skyflow Account.
  • Account Admins can assign users as fellow Account Admins, Workspace Admins or Vault Creators.
  • All Account Admins have the permissions of workspace Admins as well.
Workspace Admin
  • Workspace admins are responsible for managing a workspace and controlling access to it.
  • They can assign already invited users as fellow Workspace Admins or as Vault Creators to the workspaces that they manage.
  • Please note that Workspace Admins do not have permissions to invite new users to their Skyflow Account by default.

Note: Members with Admin roles cannot be assigned Vault roles in the Production workspace. This is by design, to enforce separation of concerns in production workspaces. In Sandbox workspaces, all Admin roles have the permission to create and manage their own vaults.

Vault Roles

Vault roles have access to data that resides in Skyflow vaults. They are categorized as System Roles and Custom Roles.

System Roles

System Vault roles are the roles Skyflow provides for every vault by default.

Vault Creator

  • Members who have been assigned this role in a specific workspace can create vaults.
  • Once the vault is created they get assigned the Vault Owner role automatically.
  • They still retain their Vault Creator permissions and can create more vaults as needed.

Vault Owner

  • Vault Owners are the most privileged users when it comes to Skyflow Vaults.
  • They are database admins who are custodians of the data that reside in vaults. This data is often highly sensitive given the nature of Skyflow’s business.
  • Vault owners control access to the vault. They are the only members who can share the vault with other users and create custom roles.
  • They have access to view the data in PLAIN_TEXT.
  • The following is an example policy attached to a Vault Owner of the Customer Identity Vault in terms of data access:

    ALLOW ALL ON persons.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON persons.* WITH REDACTION = PLAIN_TEXT
    
    ALLOW ALL ON identifiers.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON identifiers.* WITH REDACTION = PLAIN_TEXT
    
    ALLOW ALL ON contacts.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON contacts.* WITH REDACTION = PLAIN_TEXT
    
    ALLOW ALL ON organizations.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON organizations.* WITH REDACTION = PLAIN_TEXT

Vault Editor

  • Vault Editors can view and edit all the data in a vault with the default redaction policies.
  • They do not have access to view the data in PLAIN_TEXT.
  • The following is an example policy attached to a Vault Editor of the Customer Identity Vault in terms of data access:

    ALLOW ALL ON persons.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON identifiers.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON contacts.* WITH REDACTION = DEFAULT
    
    ALLOW ALL ON organizations.* WITH REDACTION = DEFAULT

Vault Viewer

  • Vault Viewers can view all the data in a vault with the default redaction policies.
  • They do not have access to view the data in PLAIN_TEXT.
  • The following is an example policy attached to a Vault Viewer of the Customer Identity Vault in terms of data access:

    ALLOW READ ON persons.* WITH REDACTION = DEFAULT
    
    ALLOW READ ON identifiers.* WITH REDACTION = DEFAULT
    
    ALLOW READ ON contacts.* WITH REDACTION = DEFAULT
    
    ALLOW READ ON organizations.* WITH REDACTION = DEFAULT

Note: The out-of-the-box data access policies for system roles can be modified by altering the policies.
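To make the difference between the three system roles concrete, here is an added example (not Skyflow's own code) that parses the ALLOW statements shown above and answers "can this role read plain text, read redacted data, or write?" for a table. It models only the statement shape on this page, which is an assumption; the real policy language is richer.

```python
import re

# Grammar for the only statement shape shown on this page (an assumption; the
# real Skyflow policy language is richer):
#   ALLOW <ACTION> ON <table>.* WITH REDACTION = <LEVEL>
_STMT = re.compile(r"^ALLOW\s+(?P<action>ALL|READ)\s+ON\s+(?P<table>\w+)\.\*"
                   r"\s+WITH\s+REDACTION\s*=\s*(?P<level>\w+)$")

def parse_policy(text):
    """Turn a block of ALLOW statements into (action, table, level) rules."""
    rules = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = _STMT.match(line)
        if m is None:
            raise ValueError("unsupported policy statement: %r" % line)
        rules.append((m.group("action"), m.group("table"), m.group("level")))
    return rules

def is_allowed(rules, action, table, level):
    """True if some rule grants `action` on `table` at redaction `level`.
    ALL covers every action, READ only READ; a redaction level is never
    implied, so PLAIN_TEXT access must be granted explicitly."""
    return any(r_table == table and r_level == level
               and r_action in ("ALL", action)
               for r_action, r_table, r_level in rules)

# Constructed samples: the persons.* statements of the three system roles above.
OWNER = parse_policy("ALLOW ALL ON persons.* WITH REDACTION = DEFAULT\n"
                     "ALLOW ALL ON persons.* WITH REDACTION = PLAIN_TEXT")
EDITOR = parse_policy("ALLOW ALL ON persons.* WITH REDACTION = DEFAULT")
VIEWER = parse_policy("ALLOW READ ON persons.* WITH REDACTION = DEFAULT")

def role_matrix(table="persons"):
    """Per role: can it read redacted data, read plain text, or write `table`?"""
    return {
        name: {
            "read_default": is_allowed(rules, "READ", table, "DEFAULT"),
            "read_plain": is_allowed(rules, "READ", table, "PLAIN_TEXT"),
            "write": is_allowed(rules, "WRITE", table, "DEFAULT"),
        }
        for name, rules in (("owner", OWNER), ("editor", EDITOR), ("viewer", VIEWER))
    }
```

Running role_matrix() shows the Viewer limited to redacted reads, the Editor able to write but not see plain text, and only the Owner able to read PLAIN_TEXT.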

Custom Roles

In addition to the System roles, Skyflow also provides you the ability to define your own custom role for accessing data in vaults. This capability is only granted to Vault Owners.

After you create a custom role, you can use Skyflow’s policy editor to author fine-grained column level and row level redaction and tokenization policies.

Create a custom role

Only Vault Owners have permission to access the Governance and Settings tabs and to create custom roles. Skyflow supports custom role creation for Vault roles.

To create a custom role:

  • Go to the Settings tab
  • Navigate to the right vault context from the drop down list on the left
  • Under IAM, select Roles and then ‘Add New Role’.
  • Enter a role name and a description and then click ‘Create’.

You have now created a custom role.

Author and Attach policies to a role

Once you create a custom role, you can attach policies to it. Policies grant your custom role permissions to access data contained in the vault. You can author policies for any role from the Governance tab or the Settings tab.

To attach policies from the settings tab, navigate to Roles under IAM. Click on ‘Attach Policies’ / ‘View Policies’. This opens up the policy code editor in a modal window from where you can author policies.

To attach policies from the governance tab, navigate to Roles and then click on the specific Role you want to author a policy for and then click on ‘Add Policy’.

To learn more about the policy authoring, check out the policy expression language and policy code editor sections.

Assign role to members

Only Vault Owners can assign roles to a member or share a vault with a user. Members can be users who login to the UI or service accounts which are machine identities for API access.

To assign a role to members, navigate to Roles under Settings -> IAM and click the role you want to assign from the list of roles.

  • Under the user role assignment section, search for the specific user by email and then click on Assign.
  • Under the service account role assignment section, search for the specific service account by name and then click on Assign.

You can also assign members to roles from the Share vault button in the Vault browser. This is reserved only for Users and not Service Accounts.

You can view a list of users and service accounts that have been assigned a role through the IAM section under Settings.

Users

View a list of users who have any level of access to your vault. You can assign/unassign roles to a user. You may also share a vault with an existing user through this interface.

Service Accounts

How To: Generate an access token for a Service Account

Prerequisites
  • You must be a Vault Owner on a vault to create a service account.
  • Install Python 3.5 or later.
  • Install PyJWT, requests and cryptography libraries
Step 1 : Create an API Service Account and assign a role to it.
  • Navigate to the settings tab and select a vault for which you would like to create a service account from the drop down list on the left.
  • Select ‘Service Accounts’ under the IAM section, and then click on ‘New Service Account’
  • Enter a name and description.
  • Assign the service account a Vault Owner role from the drop down menu and click ‘Create.’ You can also assign any other role instead of the Vault Owner role in this step.
  • Upon clicking Create, a credentials.json file will be downloaded to your local machine. Store this file securely as it contains a private key that will be used to sign your JWT bearer token.
  • Here is an example of the credentials.json file:

    {
    "clientID": "y4b0fb0991b211eb9a5e9a757ffcc4b0",
    "clientName": "Customer support agent web  app",
    "tokenURI": "https://manage.skyflowapis.dev/v1/auth/sa/oauth/token",
    "keyID": "y4c9577c91b211eb9a5e9a757ffcc4b0",
    "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCihOlTU61VztBu\nDhQtEb.....oGBAMFEvPAM0arx3qn7C067\nMLVrW2H6PwGpiWNU86rHBMkuzriwzagtit130XN8KrHfYfSRUmOOw6h6T4aC85g0\nwC8SQXRntfoise0UWcSxfnyhfqlaUeN3BqhHl0zjRQjE8W9th9k16N0rTPBRmPGo\nrWELwcVHR6izoGgGBAdWAGVn\n-----END PRIVATE KEY-----\n"
    }

Note: The Workspace URL and the Vault ID mentioned in the service account page will be required as URL paths when integrating with vault APIs.

Step 2 : Prepare your environment
  • You now need to generate a bearer token (access token).
  • We have created a python script for you that takes the credentials.json file that was downloaded in step 1, and uses the private key to sign a JWT token. This JWT token is then used to make an authentication request to the Skyflow authorization server and subsequently get a bearer token in return.
  • To run this script, you need to ensure that you have a compatible environment:

    • This step assumes you have homebrew installed.
    • Install Python version 3.5 or above. To install the latest Python version on your machine, run the following command in your terminal:

      brew install python
  • Install the following libraries by running these commands in your terminal:

    pip3 install PyJWT
    
    pip3 install requests
    
    pip3 install cryptography
  • Copy paste the python script from this link to a code editor.

Note: You can request short lived access tokens in this step by adjusting the exp field. You can request an access token that is valid for no more than 60 minutes.

  • On line 45 of the code, enter the full path to the credentials.json file in your local machine:

    jwtToken, creds = getSignedJWT('/Users/aj/Downloads/credentials.json')
  • Save this file as: ‘getBearerToken.py’
Step 3: Run the script and generate an access token
  • Open your terminal and run the following command:

    python3 getBearerToken.py     
  • If you have performed all previous steps correctly, you should see the bearer token printed out in the terminal as follows:

    {
    "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZS5za3lmbG93YXBpcy5kZXYiLCJjbGkiOiJ5NGIwZm....pOqmlI_CWY2V6MEBTqnVHuAo1-9MBSW8REp-mv_-mJqOe8TMb9dOImcXzM7jEpW79Fqs3-HCo-cUikWwy6tjjvVqHW-4pqG005pGzxrAt275Q2LU1pXwUfUM6idH9o2ydlpTp0-ujPQgVQXh8w9LsqE58Qtm4lRU8Sr8FMdx72qnuahD5Xoh1KL7D-DFZaYMrof9aTfUFUctUBzOUbL4_z2bEf2wkHouSPOZGI3uHIM54mjX013NkNXzMltP8GiP5GimC3PX-jA",
    "tokenType": "Bearer"
    }
  • You may use this bearer token to call Skyflow APIs.

Note: You will only be authorized to make API calls allowed by the role assigned to the service account.

Here is a breakdown of what happens in the Python script:

  1. Create a signed JWT token

    • Use the downloaded credentials.json file for your service account to create a ‘claims’ object as shown below.
    • Sign the ‘claims’ object with the private key, which is also contained in the credentials file.
    • Refer to the Python code snippet and the comments below:

      import json
      import time

      import jwt  # PyJWT


      def getSignedJWT(credsFile):
          # credsFile is the file path to your credentials.json file
          # Load the credentials.json file into an object called creds
          with open(credsFile) as fd:
              creds = json.load(fd)

          # Create the claims object with the data in the creds object
          claims = {
              "iss": creds["clientID"],
              "key": creds["keyID"],
              "aud": creds["tokenURI"],
              "exp": int(time.time()) + (3600),  # JWT expires in Now + 60 minutes
              "sub": creds["clientID"],
          }

          # Sign the claims object with the private key contained in the creds object
          signedJWT = jwt.encode(claims, creds["privateKey"], algorithm='RS256')

          # PyJWT 1.x returns bytes and PyJWT 2.x returns str; normalise to str
          if isinstance(signedJWT, bytes):
              signedJWT = signedJWT.decode("utf-8")

          return signedJWT, creds

    Note: You can request short-lived access tokens in this step by adjusting the exp field. Currently, you can request an access token that is valid for no more than 60 minutes.


  2. Request a Bearer Token

    • Exchange your signed JWT for a bearer token by making a POST request to https://api.skyflow.com/v1/auth/sa/oauth/token

      import requests


      def getBearerToken(signedJWT, creds):
          # Request body parameters (the JWT bearer grant type)
          body = {
              'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
              'assertion': signedJWT,
          }

          # Request URI, taken from credentials.json (e.g. https://api.skyflow.dev/v1/auth/sa/oauth/token)
          tokenURI = creds["tokenURI"]

          # Send the POST request using your favorite Python HTTP request lib
          r = requests.post(tokenURI, json=body)
          return r.text

  3. Receive the bearer token in response

    • Skyflow’s authorization server validates the signature of the JWT token sent along with the token request using the corresponding public key associated with the service account.
    • On successful authentication, you’ll receive a bearer token that has the permissions to access the vault specified by the role associated with the service account.
    • Now that you have the bearer access token, you can use any of the Skyflow Vault APIs to make a call, provided you have assigned the right role to the service account.
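Two checks a practitioner usually adds around this flow are shown in the following added example (standard-library only; not the script this page links to): building the same claims object while refusing a malformed credentials file or a lifetime beyond the 60-minute cap before anything is signed, and reading the expiry of an access token you already hold so you know when to request a new one. All credential values and the sample token are placeholders constructed for the example; the sample token carries a dummy signature, and decode_claims deliberately does not verify signatures, since that is the authorization server's job.

```python
import base64
import json
import time

MAX_TOKEN_LIFETIME = 3600  # the 60-minute cap stated on this page
REQUIRED_CRED_KEYS = ("clientID", "keyID", "tokenURI", "privateKey")

def build_claims(creds, lifetime=MAX_TOKEN_LIFETIME, now=None):
    """Build the claims object the script above signs, but reject a malformed
    credentials file or an over-long lifetime before anything is signed."""
    missing = [k for k in REQUIRED_CRED_KEYS if k not in creds]
    if missing:
        raise ValueError("credentials.json is missing: " + ", ".join(missing))
    if not creds["privateKey"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("privateKey is not a PEM block")
    if not 0 < lifetime <= MAX_TOKEN_LIFETIME:
        raise ValueError("lifetime must be 1..%d seconds" % MAX_TOKEN_LIFETIME)
    now = int(time.time()) if now is None else now
    return {"iss": creds["clientID"], "key": creds["keyID"],
            "aud": creds["tokenURI"],  # audience is the token endpoint itself
            "exp": now + lifetime, "sub": creds["clientID"]}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_claims(token):
    """Read a JWT payload WITHOUT checking its signature: fine for inspecting
    a token you already hold (e.g. to decide when to refresh it), never for
    deciding whether to trust it; verification is the authorization server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]).decode("utf-8"))

def seconds_remaining(token, now=None):
    """Remaining validity of a held bearer token; <= 0 means request a new one."""
    now = int(time.time()) if now is None else now
    return decode_claims(token)["exp"] - now

# Constructed sample inputs (placeholders, not real credentials or tokens).
SAMPLE_CREDS = {
    "clientID": "CLIENT_ID_PLACEHOLDER",
    "keyID": "KEY_ID_PLACEHOLDER",
    "tokenURI": "https://example.invalid/v1/auth/sa/oauth/token",
    "privateKey": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps({"exp": 1000600}).encode()).decode().rstrip("=") + ".signature-placeholder"
```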

Overview

Service accounts are machine identities that Skyflow provides for service to service calls. There are two types of service accounts:

  • API Service Accounts

    • API Service Accounts are machine identities that use JWT based authentication to integrate with Skyflow REST APIs.
    • Skyflow adheres to the JWT profile OAuth2 IETF specification.
    • Currently, Skyflow-generated keys are valid for a year; you will have to rekey your service account before the keys expire.
    • You can adjust the token expiration duration by modifying the expiration field in the JWT token. You cannot request a token that expires more than 60 minutes after it is issued.

      "exp": int(time.time()) + (3600), # JWT expires in Now + 60 minutes
    • Clients sign the JWT token with the private key that is part of the credentials.json file. They use this signed JWT to request an access token.
    • Skyflow’s authorization server validates the JWT signature using the service account’s public key, authenticates the request and returns an access token.
    • This access token is used as a bearer token when making REST API calls to Skyflow.
  • SQL service accounts

    • SQL service accounts are machine identities that use cert based authentication with database drivers to connect directly to Skyflow vaults.
    • SQL service accounts are an on-demand feature and are turned off by default for all accounts. Please contact your Skyflow account manager if you want to enable the SQL service accounts feature.
    • To create a SQL service account, select SQL for the type field in the create service account flow.
    • This generates an ID, a password, a certificate and a PostgreSQL driver connection string.
    • Use the connection string and input all parameters to directly connect to the Skyflow database.