Credentials store

Many container environments utilize multiple cloud providers and third party services. To improve accessibility and reusability, Prisma Cloud manages all credentials in a central store. Credentials are used when setting up the following integrations:
  • Cloud provider scanning
  • Registry scanning
  • Serverless function scanning
  • Alerting
  • Secret stores
The credential store can be found under
Manage > Authentication > Credentials Store
.
Credentials cannot be deleted if they are currently in use. To see all the places where a credentials is being used, go to
Manage > Authentication > Credentials Store
, click on an entry in the table, and review the
Usages
list.
If a credential is already being used in an integration, and you edit its parameters (e.g. username, password, etc), the new values are automatically propagated to the right places in the product. You don’t need to delete and set up the integration again to refresh the credential’s values.

AWS

Prisma Cloud lets you authenticate with AWS three different ways:
  • IAM users
  • IAM roles
  • Security Token Service (STS)

IAM users

IAM users are entities that represent persons or applications. The Prisma Cloud credentials store lets you save credentials for IAM users. When creating a new credential, select the AWS type, and enter an access key ID and secret access key.

IAM roles

IAM roles are identities, associated with permissions policies, that can be assumed by the resources that need them. Setting up Prisma Cloud to authenticate with IAM roles is handled in the subsystem-specific configuration dialogs.
For example, when you configure Prisma Cloud to scan an ECR repository, go to
Defend > Vulnerabilities > Registry
, and click
Add registry
. In the
Version
drop-down list, select
Amazon EC2 Container Registry
, and set
Use IAM role
to
On
. No other credentials need to be provided.

How Prisma Cloud accesses IAM role credentials

Roles provide a way to grant credentials to applications that run on EC2 instances to access other AWS services, such as ECR. IAM dynamically provides temporary credentials to the EC2 instances, and these credentials are automatically rotated for you.
When you create an EC2 instance, you can assign it a role. When the instance is started, the AWS instance metadata service (IMDS) attaches your credentials to the running EC2 instance. You can access this metadata from within the instance using the following command:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<POLICY_NAME> { "Code" : "Success", "LastUpdated" : "2017-06-29T06:12:29Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIAJANJXN6NVY5LFSHA", "SecretAccessKey" : "4T6dsOOxTEKnPxVINzoJskRHocdF6o58fAQBtMD4", "Token" : "FQoDYXdzEG8aDHPwjRWx8XFwQozCmCK3A7LvzRg0slss7EPaz/zSG8BCVQ7UoL94G799jDqLk5FncqUQNRsDphgCB5fb6DkHWSycCpHKmYwFDkqQ9n/Mn/LzyQ9UscQfdNIkZw5FWlllEgZ/VJwsYywejM0HBEOX2mlR5EAr4S5ue5pqLC+D+mUGYnKE09eVFOhe283HucDA3RLpC/+W8Lhmx2AWIDFRmNKss4iUgFDsdiB3TfS3tQ9JpO6ulsy1W32L1vPeDieWaaCm0du0J4G2VAc50hakZQQ6Tzd/9HKp/qiJxoE17JMwvBAdVpG4UsDXJjGm2TocVQFKl8jynUvwRNxAkOLQCaI2uUFjLMGHaEm4JYGIVwzGt9fm6IkhQxtqA738v8DdDi15IqHlMFPfG4YfoV4mrqFFeedkFkCLZXzS2EMqq3I02HzUa1LM6hUlVpg15e78mNcF/3E0cHTNsFIAn8/SyBAYiBJKUIx+h9I7hDYXF8df1vlOd8jysMntpl+vF/lo4WQYJOs/d55Bsgwsv6Be2MlEZyYqjf0isVSqODM8iDGR3rfeW0tY+3J4N4e9350F9ksZyAp784CMhvFaxt+jE7AoC90ri2UorLTSygU=", "Expiration" : "2017-06-29T12:16:54Z" }
Where
<POLICY_NAME>
is assigned to the EC2 instance when it is created or at some point during its life.
The following diagram shows all the pieces. Defender retrieves the credentials from the metadata service, then uses those credentials to retrieve and scan the container images in ECR.

AWS Security Token Service (STS)

AWS Security Token Service (STS) lets you request temporary, limited-privilege credentials for AWS IAM users or users that you authenticate (federated users). Like IAM roles, setting up Prisma Cloud to use STS is handled in the subsystem-specific configuration dialogs, such as registry scanning and serverless function scanning.
When you configure integration with an AWS resource, you can pick an AWS credential from the central store, then use STS to change the role of the account. AWS STS lets you have a few number of IAM identities that can be used across many AWS accounts. For example, if you were setting up Prisma Cloud to scan an AWS ECR registry, you would select the AWS credentials from the central store. Then you would enable
Use AWS STS
, and enter the name of the STS role to assume in the target account.

Azure

This section discusses Azure credentials.

Creating an Azure Service Principal

Create an Azure Service Principal so that Prisma Cloud Console can scan your Azure tenant for microservices. To get a service key:
  1. Download and install the Azure CLI.
  2. Create a service principal and configure its access to Azure resources.
    $ az ad sp create-for-rbac \ --name <user>.twistlock-azure-cloud-discovery-<contributor|reader> \ --role <reader|contributor> \ --sdk-auth
    The
    --role
    value depends upon the type of scanning:
    • contributor = Cloud Discovery + Azure Container Registry Scanning + Azure Function Apps Scanning
    • reader = Cloud Discovery + Azure Container Registry Scanning
  3. Copy the output of the command and set it aside. It will be used as the
    Service Key
    when creating an Azure credential.
    { "clientId": "bc968c1e-67g3-4ba5-8d05-f807abb54a57", "clientSecret": "5ce0f4ec-5291-42f8-gbe3-90bb3f42ba14", "subscriptionId": "ae01981e-e1bf-49ec-ad81-80rf157a944e", "tenantId": "d189c61b-6c27-41d3-9749-ca5c9cc4a622", "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", "resourceManagerEndpointUrl": "https://management.azure.com/", "activeDirectoryGraphResourceId": "https://graph.windows.net/", "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", "galleryEndpointUrl": "https://gallery.azure.com/", "managementEndpointUrl": "https://management.core.windows.net/" }

Storing the credential in Prisma Cloud

Store the service principal’s credentials in Console so that Prisma Cloud can authenticate with Azure for scanning.
  1. Open Console, and go to
    Manage > Authentication > Credentials Store
    .
  2. Click
    Add credential
    , and enter the following values:
    1. In the
      Name
      field, enter a label to identify the credential.
    2. In the
      Type
      field, select
      Azure
      .
    3. In the
      Service Key
      field, enter the value returned by the Azure CLI tool when you created the service principal.
    4. Click
      Save
      .

Google Cloud Platform (GCP)

Accessing GCP to scan resources can be done in one of two ways. You can make use of a service account and create a key for that account or you can use an API Key. Google recommends that you use a service account with a key and we document that here. More information is available here https://cloud.google.com/docs/authentication/api-keys

Creating a service account

Create a service account that Prisma Cloud can use to scan your resources in GCP.
  1. Google provide a comprehensive guide for creating a service account - https://cloud.google.com/iam/docs/creating-managing-service-accounts
  2. Create a key for this service account. The format of this key should be JSON. Google have a guide for this - https://cloud.google.com/iam/docs/creating-managing-service-account-keys
  3. Copy the contents of the downloaded key, here is an example:
    { "type": "service_account", "project_id": "mycompany-project", "private_key_id": "abe29475a09fb22e709fdc622306a714e17cqd1c", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFBBSCBKgwggSkAgEAAoIBAQCyBJgPechqsXAK\nTaz1y77AGqei47IbgWegRq8JqqoQGERhBX8X41otaRNUIn7fpTdH/JjRfJ0wyduz\nn6TLmeMz+d/yIZBtztujJ4KoGTS0yTybtcKWKg254upri6RIcMS3ArNXsNtSwLQx\nicVDCI3uDKLuNyawmLf1BiHLwWZK8bOUe5thd3J9UXc+B+dL9JRYyz1Iq+X/Nz1w\n7D3TPXfy54Hg39rDRrx0bK0E+AIRMA5vPFmGrWlYn6HyltOxCU/D5NUrExRo3aug\nsIvQgGE3QYLU4a5n9jsWPbjSGI+EH/+zZ1fze5pk6rprlvKtbvygJSFGpdsjS4EX\nbFgPVYGJAgMBAAECggEABu9fIaY1yLNIKTyYrvwsnpUDQBkk/oWSbQfn6IVfqfAa\nFNoHFx4GLLP12u6bmPiZoFoutWWIhaatgpBG9iAU/fi/cNI+K0r2W0MuJ8CQoTTg\nQbQpZBp4Daxxg7ZNVH2hKjyGklVbW/xSIMZsWwXNqq8PF17qaNGQRBFEtoh+pM94\nJ23ZKIW5muF+5Svz4wLLS7VMtbl/XrM9eCepVQNzQ701A67VQa1Z8KIot5IeQ0d2\njnHJn6XgaDe/IKuP8ClXnCUwo/GbChCtctP0BpTeaTSOUrc1O7ntgFBGYxiSmgZ0\n13x43XkuYaycyZEycKEOaa9U+k1KrcFZ/CDQdv+AUQKBgQD25mVWFxQdhFqF12vu\nEhz0jRjLbre+V3UgOYJObmKMdM6iH+NQ9CNeFIn8qgHgOK7pHEgjcLvAv4ZgECin\n1XtMNAFGRREGuzovvzQKwBGAEz8PovI2gkITqmcSQ7xzcGyY1Xm1mthpqkoWFe5c\nk253fYhMjuITTXisYv8LBl5XGQKBgQC4lER2AmTSvLe+4sulTeDEocMsP+G4j/A1\neS1mG5e5YGUtuWgIdfNKUn1YG5uX3ERZVeCdRO7B/osQ4uAeJ1SIS3Zvw5QVtS/s\nFOJa1UJ/nxGAA8vApjRgJkLyRbf/yoxsRlCQkQJcRd1SO9DRlCSWdSW1CpIpauiN\nfZZW3iD78QKBgQCWW7Lk3cMjQqH6FjmlTySRDYhHA1MkuI1fFga0Cuc7EDtyYicF\n+te7CJkL5OClkv95+P45jwLYHAsSX2TDE3o16wnHqHH4/nYt86wWy+ccbxwdQqds\n6KCi50hDyDpwtst7u62WGgmnN8xMbOivOh2w6SLjNyQ0ix5tJRCavzMeqQKBgQCu\nYvajf/N93urDIEdC8Gcxn5tkTR6XXvaVrt0joWIhtF8jag5OIBIx3+m55rywJ100\nAhzquVvSUQlWdONF2ebVtmY5hdB9Cegy5jBNnTrslH7WMb/pTZ4iUUPi3dfPhbBS\nA8TOMRLH1wIZVYYe3BYNSLTNbSVWmDkKpOLLQ6ZqIQKBgA0rkqfzz0MIij58OugB\nFyv8UWvy+hYR15EvIFOl5jXomVl199x+XHQGiwV6cXGmGcii7eC7vXSmnjxILMEA\nD4Odwi9vmyJXOtIT1WlVj/faLrpKfunZEphYnrtRASuDzzU4cTbeElhfLOqkJEA4\nK4CCBhjL3UX8Z9FbJJz7mYoX\n-----END PRIVATE KEY-----\n", "client_email": "mycompany-service-svc@mycompany-project.iam.gserviceaccount.com", "client_id": "120957099362691824155", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/mycompany-service-svc%40mycompany-project.iam.gserviceaccount.com" }

Storing the credential in Prisma Cloud

Store your GCP credential in Prisma Cloud.
  1. Open Console, and go to
    Manage > Authentication > Credentials Store
    .
  2. Click
    Add credential
    , and enter the following values:
    1. In the
      Name
      field, enter a label to identify the credential.
    2. In the
      Type
      field, select
      GCP
      .
    3. In the
      Service Account
      field, copy and paste the entire JSON key that you downloaded.
    4. Leave the
      API token
      blank
    5. Click
      Save
      .

IBM Cloud

Prisma Cloud integrates with IBM Cloud Security Advisor. To enable the integration, you must provide credentials, which consist of an Account GUID and API Key.

Kubeconfig

Kubernetes stores cluster authentication information in a YAML file known as kubeconfig. The kubeconfig file grants access to clients, such as kubectl, to run commands against the cluster. By default, kubeconfig is stored in
$HOME/.kube/config
.
Prisma Cloud uses the kubeconfig credential to deploy and upgrade Defender DaemonSets directly from the Console UI. If you plan to manage DaemonSets from the command line with kubectl, you don’t need to create this credential type.
The user or service account in your kubeconfig must have permissions to create and delete the following resources:
  • ClusterRole
  • ClusterRoleBinding
  • DaemonSet
  • Secret
  • ServiceAccount
Prisma Cloud doesn’t currently support kubeconfig credentials for Google Kubernetes Engine (GKE) or AWS Elastic Kubernetes Service(EKS) clusters. The kubeconfig for these requires an external binary (specifically the Google Cloud SDK and aws-iam-authenticator, respectively) for authentication, and the Prisma Cloud Console doesn’t ship with this binary.
  1. Open Console, and go to
    Manage > Authentication > Credentials Store
    .
  2. Click
    Add credential
    , and enter the following values:
    1. In
      Name
      , enter a label to identify the credential.
    2. In
      Type
      , select
      Kubeconfig
      .
    3. In
      Kubeconfig
      , paste the contents of your
      kubeconfig
      file.

Recommended For You