Managing and Integrating Vault at The New York Times

Vault @ NYT
NYT’s Delivery Engineering Team
Hashicorp User Group - April ‘18
New York City
THE NEW YORK TIMES
Managing and integrating Vault at the
New York Times

1. Who are we?
2. Problems in Secretsville
3. Adopting and Managing Vault
4. Namespaces
5. Integration with other Systems

Scott
Who are we?
Shawn Prashanth

Our secrets management was
more difficult than it had to be.

Operator Keysharing
The key sharing capabilities of Vault
ensure that no single operator can
perform any “root” operations and
that when these operations must
occur, all (or most) operators are
aware.
Variety of Auth Methods
Vault supports a wide array of
authentication methods which makes
developer and automated
authentication easy.
Granular ACLs
Vault’s granular policy system
allows a single Vault cluster to be
used comfortably by multiple teams
in the organization. It also ensures
proper isolation of secrets.
Audited
The Vault audit log is invaluable for
incident response and figuring out
exactly what happened and when.
Every action must be logged so
there is always a trail to follow.
Break Glass
Benefits of Adopting Vault
And more...
- Simple secret sharing
- Leases / Revocation
- Dynamic secrets
- HTTP API
- Open source
- Public testing API
- Constantly improving
In case of emergency Vault can be
sealed and secret access can be
temporarily shut down quickly and
easily.

Image from: https://registry.terraform.io/modules/hashicorp/vault/google/0.0.3

Vault is great out of the box but
to get the isolation we wanted
we started creating
namespaces.

To manage namespaces we use
terraform and a home-grown
tool called goblin.

variable "name" {
description = "The name of the team on Github."
}
variable "org" {
description = "The name of the org the team belongs to on Github."
}
variable "ensured_policies" {
type = "list"
default = []
description = "The list of ensured policies for the team."
}
Team Namespace Module: Variables

resource "vault_mount" “secret” {
path = "${var.org}/teams/${var.name}/secret"
type = "generic"
}
resource "vault_mount" “transit” {
path = "${var.org}/teams/${var.name}/transit"
type = "transit"
}
Team Namespace Module: Mounts

# The member policy is given to all members of the team
resource "vault_policy" “member” {
name = "${var.org}/teams/${var.name}/member"
policy = <<EOT
path “{var.org}/teams/${var.name}/secret/*” {
capabilities = [“create”, “delete”, “list”, “read”, “update”]
}
… # more paths below
EOT
}
Team Namespace Module: Policies

# Ensure certain policies are always mapped onto the team
resource "null_resource" “ensure-policies” {
triggers {
policies = "${join(“,”, var.ensured_policies)}"
}
provisioner "local_exec" {
command = “goblin ensure -team=${var.name}
-policies=${join(“,”, var.ensured_policies)}”
}
}
Team Namespace Module: Ensuring Policies

module "delivery-engineering" {
source = "../modules/base_team"
org = "nytm"
name = "delivery-engineering"
ensured_policies = [
"nytm/teams/delivery-engineering/member",
"operator",
]
}
Using the Team Namespace Module

module "my-repo" {
source = "../modules/base_repo"
org = "nytm"
name = "my-repo"
}
Using the Repository Namespace Module

Syncing Repository Policies
What repositories
are active?

my-repo,a-repo,
another-repo

Which teams have
access to these
repositories?

A-Team has read
access to my-repo
and admin access
to that-repo.

Does A-Team have
any ensured
policies?

a-team-member

Map the policies
a-team-member,
my-repo-read, and
that-repo-adminto
the A-team.

Done!

Uses extensible
templates.
Creating new namespaces
and adding to existing
namespaces are both
easy and fast.
Main Benefits
Provides some
self-service policy
management.
Teams really love being
able to do things
themselves.
Enforces good Github
practices.
Part of onboarding is
reviewing Github teams,
membership, and
permissions.

Connecting GKE to Vault
● Enable GCE auth backend
● Create init container in deployment
○ Mount shared memory volume
○ Get signed JWT
○ Login to Vault
○ Write secrets to shared memory volume

initContainers:
- name: {{.app}}-init
image: {{.int_image}}
env:
- name: VAULT_ROLE
value: "{{.vault_role}}"
- name: GOOGLE_SERVICE_ACCOUNT
value: "{{.google_service_account}}"
- name: VAULT_ADDR
value: "{{.vault_addr}}"
- name: VAULT_PATH
value: "{{.vault_path}}"
volumeMounts:
- mountPath: /secrets
name: secrets
VAULT_ROLE
(required )
The Role in vault to authenticate with
GOOGLE_SERVICE_
ACCOUNT (required)
The google service account that will be used to authenticate
with vault. Typically this will be default
VAULT_ADDR
(required)
The URL of the vault server to connect to.
VAULT_PATH This is a vault path (ie nytm/goblin/secret/something). If
this variable is specified the path will be recursed and all
secrets will be written to memory.
VAULT_SECRETS This is a comma delimited list of vault secrets. Each secret
will have every key written to memory
TOKEN_ONLY This is a boolean variable. If true a short live vault token
will be written to /secrets/vaultToken.

● Secrets are no longer in our CI/CD pipeline
● Secrets only stored in memory
○ Not unencrypted in GKE
○ Not leaking in environment variables

We’re hiring
nyti.ms/technology
@NYTDevs | developers.nytimes.com

Stay updated
open.blogs.nytimes.com
@NYTDevs | developers.nytimes.com

Managing and Integrating Vault at The New York Times

Recommended

Recommended

More Related Content

What's hot

What's hot (10)

Similar to Managing and Integrating Vault at The New York Times

Similar to Managing and Integrating Vault at The New York Times (20)

More from Amanda MacLeod

More from Amanda MacLeod (7)

Recently uploaded

Recently uploaded (20)

Managing and Integrating Vault at The New York Times