Least privilege access in distributed systems
In privacy engineering, the fundamental principles you must consider when designing a system include separation of concerns and the principle of least privilege access. Each system component should be responsible for a single concern and only have access to the data it needs to perform its function.
Many distributed systems use third-party services to perform non-core functions. For example, a system may use a third-party service to send emails or SMS messages or to perform credit card transactions.
In these cases, you want to send the third-party service only the data it needs to perform its function, and you don't want your own system to have access to data it doesn't require. The http_call action addresses this requirement.
Piiano Vault provides an operation that enables you to send an HTTP request from Vault with the data required by a third-party service without exposing that data to the caller of the operation. The operation does this by receiving a request body that uses templates to define elements of the HTTP request. These templates use variables mapped to Vault global identifiers to define data values from a referenced object.
This enables you to limit the caller's permissions to invoking the http_call action, without granting it read access to the underlying data.
Given the implications of sending sensitive data outside Vault, there are two mechanisms for controlling the scope of the action's activities:
- to ensure callers can only request that Vault send data to trusted third parties, you define the PVAULT_SERVICE_ALLOWED_HTTP_DESTINATIONS environment variable (see services and features) with a list of trusted third-party services that Vault can send data to.
- to prevent the action from accessing or processing more data than is required, you define a role for the action and set it in the PVAULT_SERVICE_ACTIONS_HTTP_CALL_ROLE environment variable (see services and features). This enables you, for example, to limit the action to only reading email addresses from the collection containing customer details.
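The following Python model, added here as an illustration and not Piiano Vault's code or API, shows how the two controls described above combine with a template-driven request: the destination host is checked against an allow-list, template variables resolve only to fields the action's role may read, and the caller receives the HTTP status but never the rendered body. The customer record, the allow-list, the role's field set and the `{{field}}` template syntax are all constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample data standing in for a collection of customer details.
CUSTOMERS = {
    "cust-1": {"email": "alice@example.com", "phone": "+1-555-0100", "ssn": "123-45-6789"},
}

# Hypothetical settings modelled on the two controls described on the page:
# a list of trusted destination hosts, and the set of fields the action's role may read.
ALLOWED_HTTP_DESTINATIONS = {"mail.example-provider.test"}
HTTP_CALL_ROLE_READABLE_FIELDS = {"email"}

# Template variables look like {{email}}; this syntax is an assumption, not Vault's.
TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


class HttpCallDenied(Exception):
    """Raised when a request violates the destination allow-list or the action's role."""


def destination_allowed(url: str) -> bool:
    """Accept only HTTPS URLs whose host is on the allow-list."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HTTP_DESTINATIONS


def render_template(template: str, record: dict) -> str:
    """Replace each {{field}} with the record value, but only for fields the role may read."""
    def substitute(match):
        field = match.group(1)
        if field not in HTTP_CALL_ROLE_READABLE_FIELDS:
            # Deny before touching the record: the role, not the template author, decides.
            raise HttpCallDenied(f"action role may not read field {field!r}")
        if field not in record:
            raise KeyError(field)
        return str(record[field])
    return TEMPLATE_VAR.sub(substitute, template)


def http_call(object_id: str, url: str, body_template: str, transport) -> int:
    """
    Resolve the template against the referenced object and send the result.
    Returns only the HTTP status code, so the caller never sees the rendered body.
    `transport(url, body) -> int` is injected so the example runs offline.
    """
    if not destination_allowed(url):
        raise HttpCallDenied(f"destination {url!r} is not in the allow-list")
    record = CUSTOMERS[object_id]
    body = render_template(body_template, record)
    return transport(url, body)


def fake_transport(url: str, body: str) -> int:
    """Stand-in for a real HTTP client: sends nothing and reports 202 Accepted."""
    return 202


if __name__ == "__main__":
    status = http_call(
        "cust-1",
        "https://mail.example-provider.test/send",
        '{"to": "{{email}}", "subject": "Welcome"}',
        fake_transport,
    )
    print("status:", status)
```

Two points carry over to a real deployment. The destination check compares the parsed host, not a substring of the URL, so a query string or path that mentions a trusted name does not pass. And the role check runs inside the template resolver, so a caller who can invoke the action still cannot pull a field such as `ssn` into an outbound request.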