Secure token management for Amazon InfluxDB

If you're running InfluxDB (including the the managed Amazon Timestream for InfluxDB service) there's two large challenges that many production deployments will encounter:

• How do you mitigate the risks of issuing tokens to your InfluxDB clients?
• How do you securely connect clients when they're not in the same network as the InfluxDB database?

When you've got hundreds or thousands of distributed clients using the same set of shared long-lived and overly permissive access credentials the last thing you need is a publicly accessible database. If any of those thousands of clients is compromised your system is entirely vulnerable. But secure credential distribution and scaling secure connectivity are both hard distributed systems problems!

Don't fear, I'm going to show you an easy to setup solution that solves both of these problems for you at the same time! By the end of this guide you'll have:

• The ability to connect InfluxDB clients to your private Amazon Timestream for InfluxDB service, no matter where they're running — without the need to make InfluxDB accessible from the public internet, no setting up port forwarding or IP rules.
• Automated, secure token management for InfluxDB that grants least-privilege unique access credentials to each client — no more sharing long-lived tokens among multiple clients.
• Automatic time-based revocation, renewal, and rotation of client tokens.

Introducing the Amazon InfluxDB Token Management with Ockam!

Prerequisites

Before getting started, ensure you have:

• An AWS account with appropriate permissions
• Docker and Docker Compose installed
• AWS CLI configured
• Basic familiarity with AWS services (VPC, EC2, CloudFormation)
• Approximately 45 minutes of time for complete setup (less if you have Timestream for InfluxDB already provisioned)

Amazon Timestream InfluxDB 💙 Ockam

Amazon Timestream for InfluxDB offers a managed time-series database engine that empowers application developers and DevOps teams to run InfluxDB databases on AWS. It supports real-time time-series applications using open-source APIs and delivers single-digit millisecond query response times.

The challenge of managing access at scale

Managing credentials for thousands of discrete clients challenges organizations at scale. The operational burden of issuing unique credentials often leads companies to share a single credential across their client services and devices. This approach increases risk - any compromised client could expose secrets used by the entire fleet. When credentials leak, organizations must scramble to revoke and deploy new credentials across their entire infrastructure simultaneously. Industry best practices recommend regular credential auditing and rotation to reduce business risk. However, this continuous revocation and rotation creates ongoing operational complexity that grows with the client base.

Securing your InfluxDB instance

Ockam with Amazon Timestream for InfluxDB lets you keep your InfluxDB instance private. Using Ockam's secure channels, you can restrict access to authenticated and authorized Ockam nodes only. This provides:

• Reduced Attack Surface: Keeping your InfluxDB instance off the public internet significantly limits potential attack vectors.
• Enhanced Security: Ockam's secure channels encrypt data in transit and restrict access to authorized clients only.
• Simplified Network Configuration: You eliminate the need for complex firewall rules or VPNs.

Ockam's Automated token management solution works with any InfluxDB client out of the box. Organizations can define standardized policies for uniquely identifiable, least privilege, time-limited credentials. Each client requests its own credential and uses it wherever InfluxDB credentials apply. The time-limited design automatically revokes expired credentials, prompting clients to request new ones to maintain communication.

This post shows you how to set up automated, secure token management for Amazon Timestream InfluxDB using Ockam in four steps:

• Step 1: Create a private Amazon Timestream InfluxDB instance (15 minutes)
• Step 2: Sign up for Ockam and create enrollment tickets (5 minutes)
• Step 3: Set up an Ockam outlet node with the lease manager alongside your private InfluxDB instance (15 minutes)
• Step 4: Set up an Ockam inlet node on your client device to request credentials and communicate with InfluxDB (10 minutes)

Step 1: Create a private Amazon Timestream InfluxDB instance

Let's create a private Amazon Timestream InfluxDB instance to demonstrate an end-to-end example of automated, secure token management using telegraf to send data to the database. If you already have a private InfluxDB instance, you can skip this section.

Create InfluxDB instance using CloudFormation template

For ease of use, we have prepared a CloudFormation template that deploys all the required infrastructure for you. This template simplifies the setup process by automating the creation of resources.

Open our Timestream for InfluxDB stack in a new tab, ensuring you launch it in the us-east-1 region, and then follow the instructions.

The CloudFormation template will create:

• An InfluxDB instance on the provided VPC and subnets
• A security group for InfluxDB that allows inbound traffic from the VPC CIDR block.
• An EC2 instance in one of the subnets with the InfluxDB client downloaded to use in /opt directory.

Create InfluxDB instance manually

Create an All Access InfluxDB Token and Obtain Org ID

If you used the Cloudformation template to create your InfluxDB instance, you will also have an ec2 machine <STACK_NAME>-ec2-instance created that has the Influx CLI pre-installed so you can run the below. Connect to the machine using Session Manager and run sudo su to switch to the root user.

Note: As part of InfluxDB creation, a secret will be created in AWS Secrets Manager (READONLY-InfluxDB-auth-parameters-<DBIDENTIFIER>). This secret will contain the bucket, password, organization name and username.

Step 2: Sign up for Ockam and create enrollment tickets

Enrollment tickets provision Ockam nodes. We'll create two enrollment tickets:

1. One for the Ockam Outlet node that runs alongside the private InfluxDB instance containing the lease manager.
2. One for the Ockam Inlet node that runs on your client devices to communicate with the Ockam Outlet node.

Step 3: Deploy the Ockam Outlet Node

The Ockam Node for Amazon Timestream InfluxDB streamlines deploying a managed Ockam Node in your AWS VPC.

Step 4: Deploy the Ockam Inlet Node

You can set up an Ockam InfluxDB Inlet Node locally using Docker or command line.

Setup an Ockam Inlet Node along with telegraf client in Docker

To set up an Inlet Node locally and interact with it outside of AWS, use Docker Compose.

Seeing the results

You have now successfully setup end-to-end encrypted connection between your InfluxDB instance running in AWS and your local machine running the telegraf client. Final setup looks like this:

Keep in mind what the setup looked like on the client side though, we provided some JSON configuration (which would likely be identical for all of your clients) and a single-use enrollment ticket. Any additional clients would get their own single-use enrollment ticket and everything else would remain the same. Consider the things we did not have to do:

• Update firewall rules or security groups in our VPC to allow the client access to InfluxDB.
• Specify the hostname or IP address of our InfluxDB server.
• Provide any form of API token or access credential to authorize against the InfluxDB server.

The enrollment ticket combined with our portal automagically establishes a secure point-to-point connection with the Ockam node running next to InfluxDB. The lease manager assigns a unique and short-lived InfluxDB access InfluxDB token to every single client that is successfully authenticated and authorized to connect. The Ockam client node then transparently inserts that authorization token into all future requests (which is why we didn't need to provide any authentication in the Telegraf config). The lease manager will automatically revoke the access token when the time comes, and the Ockam client node and lease manager will then negotiate to receive a new one and inserts it into authorization header. All of this happened automatically, and will continue to happen regularly and automatically, to ensure your systems are secure.

Querying with Influx CLI

Accessing the Admin Dashboard

You can access the InfluxDB UI at https://influxdb-inlet.YOUR_PROJECT_ID.ockam.network:8086

Adding more clients

You can issue additional inlet enrollment tickets to any number of machines and they'll all be able to securely connect to your InfluxDB instance. Each inlet node will request a leased token from the outlet node and use it to authenticate with the InfluxDB instance. The outlet node will rotate the leased token based on the expiry time set in the configuration to ensure the security of the connection.

What did we just achieve?

Let's quickly recap everything we've just implemented, because it can happen so quickly it can be easy to miss:

• We're able to establish private & secure point-to-point connections to our Amazon Timestream for InfluxDB instance from any number of clients, from any network.
• Each client has a unique identity, and can additionally have cryptographically attestable attributes applied to it by an administrator. Those attributes can then be used to define Attribute Based Access Control policies that control which nodes can establish a connection to our private InfluxDB server.
• Each connection is mutually authenticated and end-to-end encrypted.
• The nodes generate and share encryption keys themselves to establish a secure connection — so there's no centralised handling or storage of keys by third-party.
• The Ockam protocol also automatically and regularly rotates the encryption keys.
• Combined with the lease manager, each uniquely identifiable InfluxDB client will now receive its own unique time-limited InfluxDB access token. The token will be securely distributed to clients over mutually authenticated Ockam secure channel.
• There's was no need to make our InfluxDB service accessible from the public internet.
• There's no more sharing of long-lived InfluxDB access tokens across multiple clients.
• There's no more risk and complications associated distributing sensitive access tokens to clients.
• … and we can access the InfluxDB Admin Dashboard!

Ockam is able to set all of this up in minutes, and replaces the riskiest parts of connecting private systems with an approach that is almost impossible to get wrong. And while this guide emphasises setting this up with Amazon Timestream, the approach works exactly the same with any self-hosted InfluxDB server. You'll need to start the outlet node manually using Ockam Command, though I'm happy to help explain how to do get that running. If you need some help drop me a note.