Policy: Turbot > Workspace > osquery > Secrets
The JWT token is signed by Turbot using a secret from osquery > Secrets, as set by this policy. This ensures that fake tokens cannot be generated or used.
Turbot sets this policy on installation to a complex password unique to your workspace. This is a secure, effective default.
To ensure secrets work, even during rotation, this policy is defined as an array. The first item is the current secret and is used to sign all newly issued tokens. Other secrets in the array are used for verifying existing tokens only.
osquery Secrets are generally either distributed manually, making them difficult to rotate, or managed by Turbot (e.g. with Stacks) and automatically rotated per the Turbot > Workspace > osquery Secrets > Rotation policy.
If you wish or need to rotate this secret manually, you should:

1. Add a new secret as the first item in the array, leaving existing secrets below.
2. Update the policy to remove old secrets that are no longer valid.
This policy defines a list of objects, including creation, expiration and active information for each secret. For example:

```json
[
  {
    "secret": "E!TJ8x4!P15ic=DN",
    "created": "2020-07-28T21:32:27.537Z",
    "expiration": "2021-03-31T00:00:00.000Z",
    "isActive": true
  }
]
```
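The sign-with-first, verify-with-any behaviour and the two manual rotation steps described above, as an added example that is not Turbot's own code. It assumes HS256 (HMAC-SHA256) signing and that verification skips inactive or expired entries; the function names and both sample secrets are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample entries in the policy's object shape (not real secrets).
OLD = {"secret": "constructed-old-secret", "created": "2020-07-28T21:32:27.537Z",
       "expiration": "2021-03-31T00:00:00.000Z", "isActive": True}
NEW = {"secret": "constructed-new-secret", "created": "2021-01-15T00:00:00.000Z",
       "expiration": "2021-09-30T00:00:00.000Z", "isActive": True}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(secret: str, signing_input: str) -> bytes:
    digest = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return _b64(digest).encode()

def sign(claims: dict, secrets: list) -> str:
    """Issue a token signed with the first array item only (the current secret)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _mac(secrets[0]["secret"], signing_input).decode()

def verify(token: str, secrets: list, now: str) -> bool:
    """Accept a token whose signature matches any usable secret in the array."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    signing_input, sig = parts[0] + "." + parts[1], parts[2].encode()
    for entry in secrets:
        # Assumption: inactive or expired entries are skipped. Timestamps share one
        # fixed-width UTC format, so string comparison orders them correctly.
        if not entry["isActive"] or entry["expiration"] <= now:
            continue
        # The algorithm is fixed to HMAC-SHA256; the token header is never trusted.
        if hmac.compare_digest(_mac(entry["secret"], signing_input), sig):
            return True
    return False

def rotation_demo(now: str = "2021-02-01T00:00:00.000Z") -> dict:
    old_token = sign({"sub": "node-1"}, [OLD])        # issued before rotation
    new_token = sign({"sub": "node-1"}, [NEW, OLD])   # step 1: new secret first
    return {
        "old_token_during_rotation": verify(old_token, [NEW, OLD], now),
        "new_token_during_rotation": verify(new_token, [NEW, OLD], now),
        "new_token_before_rollout": verify(new_token, [OLD], now),
        "old_token_after_cleanup": verify(old_token, [NEW], now),   # step 2 done
    }

if __name__ == "__main__":
    print(rotation_demo())
```

Removing the old entry in step 2 immediately invalidates every token still signed with it, so that step should wait until those tokens have been reissued or have expired.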
Resource Types
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
Controls
Policy Specification
Schema Type |
|
---|---|
Default |
|
Category
In Your Workspace
Developers
- tmod:@turbot/turbot#/control/categories/turbot
- tmod:@turbot/osquery#/policy/types/workspaceOsquerySecrets
- turbot graphql policy-type --id "tmod:@turbot/osquery#/policy/types/workspaceOsquerySecrets"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/osquery#/policy/types/workspaceOsquerySecrets"