Managing Shared Secrets, with Ansible
Doug Bridgens, HeyJobs.de
What We’ll Talk About
— A brief intro to me
— The gumption gap
— Humans orchestrating shared secrets
— HashiCorp Vault
— Automated root-password deployment
— Rotating application credentials
— Rotating application SSL certificates
— Summary
A little about me…
(timeline slide; years on the axis: 1980, 1991, 1994, 1998, 2001, 2005, 2006, 2012)
Milestones: My first “Hello World!” ZX80 released; 1.0 Linux released; Google launched; Mac OS X 10.0 released; AWS launched; Git released; Ansible launched
Work: Unix-OS C Developer; Automated UI Testing; Automated OS Builds; Linux Virtualised Containers; Auto-scaling architectures; Store-cards exploiting Big Data/ML; The London Years (banking); Microsoft - Unix ‘Expert’; 3D GPU DevOps; Built Global Messaging Platform; App/DB architecture tuning; Automating/DevOps-ing
Travel: Motorbiked across Africa; Cycled Edinburgh/Istanbul; Cycled Edinburgh/Sahara; Walked across Norway
Expectation collides with reality
“At my new job, I am shocked to find plaintext secrets existing in documentation that is accessible from anywhere on our network”
The Gumption Gap
Security Best Practice vs. DevOps Reality: the gumption* gap
* initiative or courage: you haven’t the gumption to try [C18: originally Scottish]
Typical Credential Setup
(diagram: web proxy -> api1, api2 -> database, all sharing one credentials/token)

Single Credential = Poor Rotate Options
(diagram: web proxy -> api1, api2 -> database) Change DB password first, or change client password first…

Simpler Auto Deploy/Rotation
(diagram: web proxy -> api1, api2 -> database) Separate client credentials, then roll in new creds each time…

Demo Environment
(diagram: ansible and vault alongside web proxy -> api1, api2 -> database)
Basics of HashiCorp Vault
Secrets stored in: AWS, PKI, SSH, RabbitMQ, Databases, etc
Authentication via: AWS, LDAP, RADIUS, Github, Certs, User/Pass
Audit log sent to: file, syslog, sockets
Other interesting features: Signed SSH keys; Dynamic AWS secrets; The Cubbyhole; AD auth via Ansible Tower
Hashi Vault Roles

# file: 01_build_vault.yml
---
- hosts: vault
  roles:
    - role: hashivault
    - role: hashivault-init
    - role: hashivault-unseal
    - role: hashivault-pki-backend
    - { role: hashivault-unseal, do_it: 'again' }
Automated Password Deploy

- name: create a random password string
  # /dev/null as the path means nothing is cached on disk: a fresh value every run
  set_fact:
    rand_pw_string: "{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits,_!$') }}"

- name: write secret to Hashi Vault path
  uri:
    url: https://vault.ansiblefest.com:8201/v1/secret/AnsibleFest/database
    method: POST
    headers:
      # the demo uses the root token; a scoped token or AppRole is the production choice
      X-Vault-Token: "{{ vault_keys.root_token }}"
    body:
      mysqlrootpw: "{{ rand_pw_string }}"
    body_format: json    # Vault's KV API expects a JSON body
    status_code: 204     # a KV v1 write returns 204 No Content, not 200
  no_log: true           # keep the password out of Ansible's output

- name: deploy the new mysql password
  mysql_user:
    name: root
    password: "{{ rand_pw_string }}"
    host: localhost
  delegate_to: database
  no_log: true
Rotating Passwords

# creds_rotate.yml
---
- hosts: api-tier
  serial: 1    # one node at a time: out of the proxy, new creds, back into the proxy
  roles:
    - { role: proxy-target, state_var: absent }
    - { role: deploy-credentials }
    - { role: proxy-target, state_var: present }
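An added example (not code from Doug's deck): a small Python model of the two layouts the slides contrast, one shared DB credential for every API node versus one credential per node rotated behind the proxy one node at a time, the way creds_rotate.yml does with serial: 1 and proxy-target absent/present. The Database, ApiNode, Proxy and Monitor classes are constructed stand-ins for the demo tiers; the password generator uses the same length and character classes as the deck's lookup('password', ...) call.

```python
import secrets
import string

# Same length and character classes as the deck's lookup('password', ...) call.
PW_CHARS = string.ascii_letters + string.digits + "_!$"

def random_password(length=20):
    """20 characters from a CSPRNG (secrets), the size the summary slide calls for."""
    return "".join(secrets.choice(PW_CHARS) for _ in range(length))

class Database:
    """Constructed stand-in for the DB tier: one password per DB user."""
    def __init__(self):
        self.users = {}
    def set_password(self, user, password):
        self.users[user] = password
    def authenticate(self, user, password):
        return self.users.get(user) == password

class ApiNode:
    """Constructed stand-in for api1/api2: holds the credential in its app config."""
    def __init__(self, name, db_user, password):
        self.name, self.db_user, self.password = name, db_user, password
    def can_query(self, db):
        return db.authenticate(self.db_user, self.password)

class Proxy:
    """Constructed stand-in for the web proxy's target pool (the proxy-target role)."""
    def __init__(self, nodes):
        self.targets = {n.name for n in nodes}
    def set_target(self, node, state_var):
        if state_var == "present":
            self.targets.add(node.name)
        else:
            self.targets.discard(node.name)

class Monitor:
    """After every step, count nodes the proxy still routes to that can no longer
    reach the database (stale credential) and how many healthy targets remain."""
    def __init__(self, db, proxy, nodes):
        self.db, self.proxy, self.nodes = db, proxy, nodes
        self.worst_broken, self.min_healthy = 0, len(nodes)
    def step(self):
        in_pool = [n for n in self.nodes if n.name in self.proxy.targets]
        healthy = [n for n in in_pool if n.can_query(self.db)]
        self.worst_broken = max(self.worst_broken, len(in_pool) - len(healthy))
        self.min_healthy = min(self.min_healthy, len(healthy))
    def result(self):
        return {"worst_broken_in_pool": self.worst_broken,
                "min_healthy_targets": self.min_healthy}

def build_env(n_nodes=2, shared=True):
    """Demo topology from the slides: web proxy -> api1, api2 -> database."""
    db, nodes, shared_pw = Database(), [], random_password()
    for i in range(1, n_nodes + 1):
        user = "api" if shared else f"api{i}"
        pw = shared_pw if shared else random_password()
        db.set_password(user, pw)
        nodes.append(ApiNode(f"api{i}", user, pw))
    return db, Proxy(nodes), nodes

def rotate_shared_credential(db, proxy, nodes, user="api"):
    """Slide 7: one credential for everyone. Changing the DB side first breaks
    every client until the new value has been pushed to each of them."""
    mon, new_pw = Monitor(db, proxy, nodes), random_password()
    db.set_password(user, new_pw)
    mon.step()
    for n in nodes:
        n.password = new_pw
        mon.step()
    return mon.result()

def rotate_separate_credentials(db, proxy, nodes):
    """Slide 8 / creds_rotate.yml: per-node credentials rotated with serial: 1.
    Each node leaves the proxy, gets fresh creds on both sides, then returns."""
    mon = Monitor(db, proxy, nodes)
    for n in nodes:
        proxy.set_target(n, "absent")
        new_pw = random_password()
        db.set_password(n.db_user, new_pw)
        mon.step()
        n.password = new_pw
        proxy.set_target(n, "present")
        mon.step()
    return mon.result()

if __name__ == "__main__":
    print("shared   :", rotate_shared_credential(*build_env(shared=True)))
    print("separate :", rotate_separate_credentials(*build_env(shared=False)))
```

With two nodes the shared layout has a step where both in-pool nodes are broken and no healthy target remains, while the per-node layout never routes to a broken node and always keeps at least one healthy target.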
Demo
Certificates From Vault

- name: request a fresh certificate from Vault
  uri:
    url: "https://vault.ansiblefest.com:8201/v1/pki/issue/fest_london"
    method: POST
    headers:
      X-Vault-Token: "{{ vault_keys.root_token }}"
    body:
      common_name: "{{ inventory_hostname }}.ansiblefest.com"
      ttl: "{{ ttl | default('60') }}"   # a bare number is seconds; certs_rotate.yml passes "1h"
    body_format: json    # Vault's PKI API expects a JSON body
  register: cert_data    # certificate, private_key and issuing_ca come back in cert_data.json.data
Rotating Certificates

# certs_rotate.yml
---
- hosts: api-tier
  serial: 1
  roles:
    - { role: proxy-target, state_var: absent }
    - { role: deploy-certs, ttl: "1h" }
    - { role: deploy-credentials }
    - { role: proxy-target, state_var: present }
Demo
Overview

# 03_build_demo_env_ssl.yml
---
- hosts: data-tier
  roles:
    - mysql-server
    - deploy-certs
    - mysql-server-ssl

- hosts: proxy-tier
  roles:
    - nginx
    - nginx-proxy

- hosts: api-tier
  roles:
    - httpd
    - api-code
    - deploy-certs
    - deploy-credentials
    - { role: proxy-target, state_var: present }

# certs_rotate.yml
---
- hosts: api-tier
  serial: 1
  roles:
    - { role: proxy-target, state_var: absent }
    - { role: deploy-certs, ttl: "1h" }
    - deploy-credentials
    - { role: proxy-target, state_var: present }
Summary
— Repeatable, codified, security: 20 chars, rotate hourly, etc.
— Automate the easy stuff first, build gumption.
— Go spend time on more interesting stuff….
— No credentials created/known by people.
@thisdougb/AnsibleFest2017 · @thisdougb
EOF
