Secret Management with Hashicorp's Vault
Daniel Bornkessel
AWS Loft 2018
Focus of this talk
• what is secret management
• why do you need it
• what is Vault and how can it help you with secret management
• some Vault internals
Goal of this talk
• think about best practices with secrets that your company could improve on
• go and play with Vault
• improve current secret management incrementally
Why focus on Vault
• unmatched (afaik) feature set
• open source (mostly … some closed sourced enterprise features)
• not vendor or framework specific
Other solutions*
• AWS Secrets Manager: AWS specific, promising, dynamic’esque secrets for certain AWS services, automatic rotation (for supported services + extendable via Lambda functions)
• Keywhiz from Square: not as many features, no dynamic secrets, HSM in open source version
• Cloud Foundry CredHub: tailored and specific to Cloud Foundry
• self made: a lot of complexity and work
* I have not personally used those solutions
Secret Management
• part of your security concept
• one focus: internal threats like
  • rogue employees
  • unauthorized access to secrets
  • long living secrets
• audit log: who requested credentials for which system at what point in time
• high automation for changing / revoking / rolling secrets
• high entropy passwords
Secret Management: current situation
• best practices are widely known
• is usually seen as (very) important
• implementation is hard
• solutions are rare
• high automation is still an exception (as opposed to external threat mitigation measures)
• often neglected in favour of business critical features
• apps and frameworks are not ready for modern secret management
Question
Who here has production credentials on their laptop at this very moment (e.g. AWS credentials file, DB credentials, passwordless ssh private keys to access machines or git repos, API-keys, etc.)?
Who thinks this is a good idea?
Why am I talking about secret management
About me
Daniel Bornkessel / @kesselborn
• Senior Consultant at INNOQ (part time)
• Focus on DevOps & Continuous Delivery
INNOQ
• Consulting, reviews and development
• https://www.innoq.com/de/culture/working-at-innoq/
Typical project
• Monolith -> Micro Services / Self Contained Systems
• Language: set (mostly Java)
• Framework: set (often Spring Boot)
• Data center: set (mostly AWS or on premise)
• Container Management: set (mostly Kubernetes … EKS when available … hint hint)
• CI: set (whatever they used before … mostly Jenkins)
• Logging / Monitoring: set (ELK & ?)
• Secret Management: sure … eh … wat?
Slide annotations: “please for god’s sake: use Gitlab CI”, “prometheus)”
Typical project: Secret Management
• we pass secrets in via env vars
• we read the values from Kubernetes secrets
• we have role based access control all figured out
• changing and updating passwords is a manual process for now
• yeah: audit log is something we are looking into
• no, we can not confidently say who has the password for DB xy
• no, we do not change all passwords if an employee leaves the company
• revoking credentials is not something we currently support
Introducing Vault
Vault — executive summary
• secures, stores and tightly controls
  • tokens
  • passwords
  • certificates
  • API keys
  • and other secrets
• handles
  • leasing
  • key revocation
  • key rolling
  • auditing
• provides an API for all operations
• is not meant as a service or token provider which gets embedded in your request / response cycle
Vault — overview
auth-n + auth-z (auth backends): Tokens, LDAP, AWS, Kubernetes, Google Cloud, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates
secrets (secret backends): AWS, Consul, Cubbyhole, Databases, Identity, Nomad, PKI (Certificates), RabbitMQ, SSH, TOTP, Transit
Vault
├── aws
│ └── creds
│ ├── admin
│ └── developer
├── database
│ └── creds
│ ├── clients
│ └── contracts
├── pki
│ └── issue
│ └── example-com
├── secret
│ └── team
│ ├── app1
│ │ └── api-keys
│ │ ├── google-analytics
│ │ └── paypal
│ └── app2
│ └── foo
├── ssh
│ └── creds
│ ├── erika
│ └── erna
└── transit
├── decrypt
│ └── team-1-key
└── encrypt
└── team-1-key
Vault auth backends
• Tokens
• LDAP
• AWS
• Kubernetes
• Google Cloud
• Username & Password
• AppRole
• GitHub
• MFA
• Okta
• RADIUS
• TLS Certificates
Vault secret backends
• AWS
• Consul
• Cubbyhole
• Databases
• Identity
• Static secrets (Key /Value)
• Nomad
• PKI (Certificates)
• RabbitMQ
• SSH
• TOTP
• Transit
Vault — secret backends
Vault secret backends — dynamic secrets: what they are
• on-the-fly created credentials (hence dynamic) for each instance of an app / user who wants a secret
• usually short to medium long ttl
• fully audited
Vault secret backends — dynamic secrets: how they work (in a nutshell)
1. provide Vault credentials for a user that has rights to create users or tokens in a remote system (e.g. db)
2. configure Vault with settings on how to create credentials
3. configure Vault with settings on how to invalidate credentials in the remote system
Vault secret backends — Databases
vault secrets enable -path=db database
vault write db/config/clients \
    plugin_name=mysql-database-plugin \
    connection_url="admin:pw@tcp(db.example.com)/" \
    allowed_roles="clients-ro,clients-rw"
# the mount is at db/, so the role lives under db/roles/ (not database/roles/)
vault write db/roles/clients-ro \
    db_name=clients \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="240h"
Vault secret backends — Databases: request flow
0. the db admin writes the database config and the roles into Vault (configured role)
1. App reads db/creds/clients-ro
2. Vault runs the creation statements of the configured role against the DB (create user …)
3. DB replies OK
4. Vault returns the db login / db password to the App, tracked with a ttl
5. when the ttl expires, Vault deletes the user in the DB (delete user …)
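The following Python simulation is an added example (not Vault's code and not the talk's) of the request flow above and of the three configuration steps of the dynamic-secrets slide: a stand-in database receives the role's creation statements with `{{name}}`/`{{password}}` filled in, the app gets a lease with a ttl capped by `max_ttl`, and expired leases are revoked with a revocation statement. The role mirrors the slide's `db/roles/clients-ro`; the `DROP USER` revocation statement and the `v-<role>-<random>` username shape are assumptions, not values from the slides.

```python
"""Simulation of Vault's dynamic database secrets flow (steps 0-5).

Added illustration, not Vault's own code: `FakeMysql` stands in for the remote
database, `DynamicSecretsBackend` mimics what the database secrets engine does
with a role's creation / revocation statements and lease ttls.
"""
import secrets
import string
import time

# Constructed role definition mirroring the slide's `db/roles/clients-ro`.
# The revocation_statements value is an assumption; the slide does not show it.
CLIENTS_RO_ROLE = {
    "creation_statements": (
        "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
        "GRANT SELECT ON clients.* TO '{{name}}'@'%';"
    ),
    "revocation_statements": "DROP USER '{{name}}'@'%';",
    "default_ttl": 3600,        # 1h
    "max_ttl": 240 * 3600,      # 240h
}


class FakeMysql:
    """Stand-in for db.example.com: records the users Vault creates and drops."""

    def __init__(self):
        self.users = {}          # username -> password
        self.executed = []       # every statement Vault ran, for inspection

    def execute(self, statements):
        for stmt in filter(None, (s.strip() for s in statements.split(";"))):
            self.executed.append(stmt)
            if stmt.startswith("CREATE USER"):
                parts = stmt.split("'")        # CREATE USER 'name'@'%' IDENTIFIED BY 'pw'
                self.users[parts[1]] = parts[5]
            elif stmt.startswith("DROP USER"):
                self.users.pop(stmt.split("'")[1], None)
            elif stmt.startswith("GRANT"):
                pass                           # privileges are not modelled here
            else:
                raise ValueError("unexpected statement: " + stmt)


class DynamicSecretsBackend:
    """Mimics the database secrets engine: step 0 config, steps 1-4 issue, step 5 revoke."""

    def __init__(self, db, roles, clock=time.time):
        self.db = db             # step 0: the admin connection handed to Vault
        self.roles = roles       # step 0: role definitions (how to create / revoke users)
        self.clock = clock       # injectable clock so ttl expiry can be simulated
        self.leases = {}         # lease_id -> (role_name, username, expiry)

    def read_creds(self, role_name, ttl=None):
        """Steps 1-4: the app reads db/creds/<role>; Vault creates a DB user and returns it."""
        role = self.roles[role_name]
        ttl = min(ttl or role["default_ttl"], role["max_ttl"])   # max_ttl is a hard cap
        username = "v-%s-%s" % (role_name, secrets.token_hex(4))  # assumed name shape
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(32))
        sql = (role["creation_statements"]
               .replace("{{name}}", username).replace("{{password}}", password))
        self.db.execute(sql)                                       # steps 2/3: create user / OK
        lease_id = "db/creds/%s/%s" % (role_name, secrets.token_hex(8))
        self.leases[lease_id] = (role_name, username, self.clock() + ttl)
        return {"lease_id": lease_id, "lease_duration": ttl,
                "username": username, "password": password}

    def revoke(self, lease_id):
        """Step 5: run the role's revocation statements and forget the lease."""
        role_name, username, _ = self.leases.pop(lease_id)
        sql = self.roles[role_name]["revocation_statements"].replace("{{name}}", username)
        self.db.execute(sql)

    def tidy(self):
        """Revoke every lease whose ttl has expired; returns how many were revoked."""
        now = self.clock()
        expired = [lid for lid, (_, _, exp) in self.leases.items() if exp <= now]
        for lid in expired:
            self.revoke(lid)
        return len(expired)


if __name__ == "__main__":
    db = FakeMysql()
    vault = DynamicSecretsBackend(db, {"clients-ro": CLIENTS_RO_ROLE})
    creds = vault.read_creds("clients-ro")
    print("issued", creds["username"], "for", creds["lease_duration"], "seconds")
    vault.revoke(creds["lease_id"])
    print("users left in db:", db.users)
```

Every issued credential is unique per reader, which is what makes the audit log meaningful: a leaked password can be traced to one lease and revoked alone.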
Vault secret backends — Databases
Available Plugins:
• Cassandra
• HanaDB
• MongoDB
• MSSQL
• MySQL/MariaDB
• PostgreSQL
• Oracle
Vault secret backends — AWS
Vault secret backends — AWS: request flow
0. an admin configures the backend with an aws_access_key / aws_secret_key and a role (configured role)
1. App reads aws/creds/dev
2. Vault asks the AWS API to create an STS token / IAM user for the configured role
3. AWS returns TTL’ed token / credentials
4. Vault returns the TTL’ed token / credentials to the App, tracked with a ttl
Vault secret backends — PKI
Vault secret backends — PKI: request flow
0. add ca.cert & ca.key to the PKI backend and configure a role (configured role)
1. App writes to pki/issue/dev
2. Vault creates a client certificate according to the configured role
3. App receives a TTL’ed client certificate
Vault secret backends — SSH
Vault secret backends — SSH (one-time password): request flow
Host: 1.1.2.2
1. user: vault write ssh/creds/dev ip=1.1.2.2
2. Vault returns username / otp
3. user: ssh username@1.1.2.2
4. the host validates the otp against Vault
5. Vault grants access
Vault dynamic secret backends — ssh: signed SSH certificates
• Idea: get ssh access to machines
• user configures Vault-ssh with a CA, a private and a public key
• the public key gets distributed to all system hosts
• the user asks Vault to sign one of his public ssh keys with the provided CA and gets a new, signed public key as a response
• the user can use this new, signed key to login to machines
Vault dynamic secret backends — Transit
Vault secret backends — Transit: request flow
1. App: vault write transit/encrypt/app/app1 with the plaintext foo
2. Vault returns the ciphertext (rendered on the slide as unreadable bytes)
3. App: vault write transit/decrypt/app/app1 with that ciphertext
4. Vault returns the plaintext foo
Vault — auth backends
Vault auth backends — tokens
• created by Vault
• only way to authorize (auth-z) against Vault
• returned when authenticated (auth-n) successfully
• comparable to a session-id on a website
• has permissions / policies assigned to it
$ vault token create -ttl=5m -policy=admin
Key Value
--- -----
token d9640590-63c8-b3a6-50ac-1403c8180948
token_accessor 5a362982-f34c-3706-143a-26ada278b6cf
token_duration 5m
token_renewable true
token_policies [admin default]
Vault auth backends — external identity providers
Vault auth backends — LDAP / Radius / Okta auth
1. user sends username / password to Vault
2. Vault checks username / password against LDAP
3. LDAP replies: user: kesselborn, groups: admin, employee
4. Vault maps the groups to policies and creates a token
5. user receives the token with its policies
• $SERVICE is used as an identity provider (using LDAP here)
Vault auth backends — Github auth
1. user sends a Github token to Vault
2. Vault checks the token against Github
3. Github replies: user: kesselborn, teams: kesselfaktur, innnoq
4. Vault maps the teams to policies and returns a token
• Github is used as an identity provider
Vault auth backends — AWS auth
EC2 auth method: request flow
1./2. the EC2 instance fetches its signed (PKCS#7) instance identity document from the EC2 metadata service:
   curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
3./4. the instance sends the PKCS#7 document to Vault, which verifies the PKCS#7 signature against the AWS public keys
5. Vault verifies the instance via the EC2 API
6. the EC2 API answers with instance_id: i-a832f734, ami_id: ami-f083709d, …
7. Vault maps the instance to policies
8. (optionally) Vault sets the instance on a blacklist to avoid double authentication
9. Vault returns a token with those policies
$ vault write auth/aws/role/dev-role \
    auth_type=ec2 \
    bound_ami_id=ami-fce3c696 \
    policies=prod,dev max_ttl=500h
$ vault write auth/aws/role/dev-role-iam \
    auth_type=iam \
    bound_iam_instance_profile_arn=… \
    policies=prod,dev max_ttl=500h
Vault auth backends — AWS auth
• alternatively: IAM auth method
• client signs a GetCallerIdentity query using the AWS Signature v4 algorithm and submits 4 pieces of information to the Vault server to recreate a valid signed request
• https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method
Vault auth backends — Kubernetes auth
Kubernetes auth: request flow
1. at app init, the pod reads the K8s service account token from /var/run/secrets/kubernetes.io/serviceaccount/token and sends it to Vault
2. Vault authenticates the token against the K8s API
3. the K8s API replies success / failure, with service_account_name: app1, service_account_namespace: default
4. Vault maps the service account to policies
5. Vault returns a token with those policies to the pod
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    kubernetes_host="https://api.k8s.example.com" \
    kubernetes_ca_cert=@ca.crt
$ vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h
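The Python below is an added example (not Vault's code and not from the talk) of the role-binding check in steps 3 and 4 of the Kubernetes auth flow: the service account name and namespace carried in the pod's token must match the role's `bound_service_account_names` / `bound_service_account_namespaces` before any policies are handed out. Vault verifies the token's signature via the Kubernetes TokenReview API (step 2); that call is modelled as a boolean here, and the JWT is constructed and unsigned, using the flat claim names of the legacy secret-based service account tokens of that era.

```python
"""What the Kubernetes auth method checks before handing out a Vault token.

Added illustration, not Vault's code. Step 2 (TokenReview against the K8s API)
is reduced to a flag; steps 3/4 (bind the service account to a role, hand out
the role's policies) are modelled. The role mirrors the slide's
`auth/kubernetes/role/demo`. The JWT is constructed and unsigned.
"""
import base64
import json

DEMO_ROLE = {
    "bound_service_account_names": ["vault-auth"],
    "bound_service_account_namespaces": ["default"],
    "policies": ["default"],
    "ttl": 3600,
}

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # where a pod finds its token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_sa_token(name: str, namespace: str) -> str:
    """Build an unsigned JWT with the claims a (legacy) K8s service account token carries."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": "system:serviceaccount:%s:%s" % (namespace, name),
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment without verifying it (Vault verifies via TokenReview)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def login(role: dict, jwt: str, token_review_ok: bool = True) -> dict:
    """Return what a matching pod gets (policies, ttl, metadata) or raise PermissionError."""
    if not token_review_ok:                        # step 2 failed: K8s API rejected the token
        raise PermissionError("TokenReview failed: token not accepted by the Kubernetes API")
    claims = decode_claims(jwt)
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    namespace = claims.get("kubernetes.io/serviceaccount/namespace")
    if (name not in role["bound_service_account_names"]
            or namespace not in role["bound_service_account_namespaces"]):
        raise PermissionError("service account %s/%s is not bound to this role" % (namespace, name))
    return {"policies": list(role["policies"]), "ttl": role["ttl"],
            "metadata": {"service_account_name": name, "service_account_namespace": namespace}}


def is_allowed(role: dict, jwt: str, token_review_ok: bool = True) -> bool:
    """Convenience wrapper: True if login() would hand out a token."""
    try:
        login(role, jwt, token_review_ok)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    token = make_fake_sa_token("vault-auth", "default")
    print(login(DEMO_ROLE, token))
    print("other namespace allowed:", is_allowed(DEMO_ROLE, make_fake_sa_token("vault-auth", "kube-system")))
```

A pod in another namespace, or running under another service account, fails the binding even though its token is perfectly valid; that is the property that lets one Vault role be scoped to one workload.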
Vault auth backends — AppRole
Use whatever auth you want
Vault — policies
Vault — secret representation
Vault
├── aws
│ └── creds
│ ├── admin
│ └── developer
├── database
│ └── creds
│ ├── clients-ro
│ └── clients-rw
├── pki
│ └── issue
│ └── broker
├── secret
│ └── team
│ ├── app1
│ │ └── api-keys
│ │ ├── google-analytics
│ │ └── paypal
│ └── app2
│ └── foo
├── ssh
│ └── creds
│ ├── developers
│ └── admins
└── transit
├── decrypt
│ └── team-1-key
└── encrypt
└── team-1-key
Vault — policies
• applied to “files” or “directories”
• support filesystem wildcards
• control what a user can access
• get assigned after authentication
• policies of a token can’t be changed
Vault — policies: capabilities
• create (c)
• read (r)
• update (u)
• delete (d)
• list (l)
• deny (d)
• sudo (s)
$ cat app1-policy.hcl
path "secret/team/app1/*" {
  capabilities = ["read", "list"]
}
path "pki/issue/broker" {
  # "write" is not a capability in the list above; create + update is what the slide's "w" stands for
  capabilities = ["create", "update"]
}
path "database/creds/clients-ro" {
  capabilities = ["read"]
}
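As an added example (not Vault's policy engine and not code from the talk), the Python below evaluates the `app1-policy.hcl` above against request paths, showing the properties the policy slides list: rules apply to “files” and “directories”, a trailing `*` is a filesystem-style wildcard, and `deny` wins over everything else when several policies on one token overlap. The tie-break rules (exact path first, otherwise the longest matching glob) are my reading of the documented ACL behaviour, and the minimal HCL reader only understands the `path "…" { capabilities = […] }` shape used on the slide; the `pki/issue/broker` rule uses `create` and `update` in place of the slide's `write`.

```python
"""Evaluate Vault-style ACL policies against request paths.

Added example, not Vault's policy engine. Modelled behaviour (assumed from the
documented ACL semantics): a path ending in `*` is a prefix glob, an exact path
beats a glob, the longest matching glob wins otherwise, the capabilities of all
policies on a token are merged, and `deny` in the merged set wins over the rest.
"""
import re

# The slide's app1-policy.hcl (with create + update standing in for "write").
APP1_POLICY = '''
path "secret/team/app1/*" {
  capabilities = ["read", "list"]
}
path "pki/issue/broker" {
  capabilities = ["create", "update"]
}
path "database/creds/clients-ro" {
  capabilities = ["read"]
}
'''

# Minimal reader for the `path "…" { capabilities = […] }` shape only.
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict:
    """Map each path pattern of one policy to its set of capabilities."""
    rules = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def matching_rule(rules: dict, path: str):
    """Pick the rule that applies: exact match first, else the longest prefix glob."""
    if path in rules:
        return path
    best = None
    for pattern in rules:
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best


def capabilities_for(policies, path: str) -> set:
    """Merge the capabilities of every policy on a token; deny overrides everything."""
    granted = set()
    for rules in policies:
        rule = matching_rule(rules, path)
        if rule is not None:
            granted |= rules[rule]
    return {"deny"} if "deny" in granted else granted


def is_allowed(policies, path: str, capability: str) -> bool:
    """True if a token carrying `policies` may perform `capability` on `path`."""
    return capability in capabilities_for(policies, path)


if __name__ == "__main__":
    token_policies = [parse_policy(APP1_POLICY)]
    for p, cap in [("secret/team/app1/api-keys/paypal", "read"),
                   ("secret/team/app2/foo", "read"),
                   ("database/creds/clients-rw", "read")]:
        print(p, cap, "->", is_allowed(token_policies, p, cap))
```

The last two checks are the interesting ones: `app2`'s secrets and the `clients-rw` role are simply absent from the policy, so the default answer is no access rather than a separate deny rule.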
Vault — Audit log
• off by default
• supported backends
  • file
  • syslog
  • socket
• if the audit log can not be written, Vault does not reply to requests
• every operation creates a log entry with
  • what was done
  • when it was executed
  • by whom it was requested
  • request payload
  • response payload
• sensitive data is hashed with a salt using HMAC-SHA256
{"time":"2018-10-10T10:59:53.557231528Z","type":"response","auth":{"client_token":"hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840","accessor":"hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba","display_name":"ldap-daniel.bornkessel@innoq.com","policies":["default"],"token_policies":["default"],"metadata":{"username":"daniel.bornkessel@innoq.com"},"entity_id":"8950f5f7-fad8-3ecb-4e62-e5841815df60"},"request":{"id":"9f2b6dfa-5c18-af6a-1f66-2c78b25a875f","operation":"list","client_token":"hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840","client_token_accessor":"hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba","path":"secret/","data":null,"policy_override":false,"remote_address":"100.96.0.76","wrap_ttl":0,"headers":{}},"response":{"data":{"error":"hmac-sha256:d9d7a78363fd091f1b4c12629b7c9b5d7a7ffbf904ef5d29d002d5265d5bbf33"}},"error":"1 error occurred:\n\n* permission denied"}
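The Python below is an added example (not Vault's code and not from the talk) of what the salted HMAC-SHA256 in the entry above buys an operator: the log never holds the token, yet someone who does hold a token can compute the same `hmac-sha256:<hex>` value and find the requests it made, and the clear-text `error` field still reveals who was refused where. The salt, the tokens and the three log lines are constructed; the entry layout mirrors the slide's entry.

```python
"""Working with the HMAC'd fields of Vault's audit log.

Added example, not Vault's code. The audit device replaces sensitive values
(tokens, accessors, response data) with "hmac-sha256:<hex>" computed with a
per-device salt, so the log never contains the secret itself. Salt, tokens and
log lines below are constructed; the entry layout follows the slide's entry.
"""
import hashlib
import hmac
import json

SALT = b"constructed-audit-salt"            # in Vault the salt belongs to the audit device
KNOWN_TOKEN = "s.constructedExampleToken"   # constructed; a real token must never be logged


def audit_hash(value: str, salt: bytes = SALT) -> str:
    """Same shape as Vault's output: 'hmac-sha256:' + hex(HMAC-SHA256(salt, value))."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def make_entry(client_token: str, path: str, operation: str, error: str = "") -> dict:
    """Constructed entry with the fields the slide's entry has (abridged)."""
    return {
        "time": "2018-10-10T10:59:53.557231528Z",
        "type": "response",
        "auth": {"client_token": audit_hash(client_token),
                 "display_name": "ldap-daniel.bornkessel@innoq.com",
                 "policies": ["default"]},
        "request": {"operation": operation, "client_token": audit_hash(client_token),
                    "path": path, "remote_address": "100.96.0.76"},
        # response payloads are hashed too: only the error's HMAC is stored
        "response": {"data": {"error": audit_hash("permission denied")} if error else None},
        "error": error,                     # the top-level error stays in clear text
    }


def sample_log():
    """Three constructed JSON lines, as a file audit device would write them."""
    return [json.dumps(make_entry(KNOWN_TOKEN, "secret/", "list",
                                  "1 error occurred:\n\n* permission denied")),
            json.dumps(make_entry("s.someOtherToken", "secret/team/app1/api-keys/paypal", "read")),
            json.dumps(make_entry(KNOWN_TOKEN, "database/creds/clients-ro", "read"))]


def entries_for_token(log_lines, token: str):
    """Find the requests made with `token` by hashing it the way the audit device did."""
    wanted = audit_hash(token)
    out = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("request", {}).get("client_token") == wanted:
            out.append(entry)
    return out


def denied_requests(entries):
    """(who, path, operation) for every entry whose clear-text error says permission denied."""
    return [(e["auth"]["display_name"], e["request"]["path"], e["request"]["operation"])
            for e in entries if "permission denied" in (e.get("error") or "")]


if __name__ == "__main__":
    mine = entries_for_token(sample_log(), KNOWN_TOKEN)
    print(len(mine), "entries for the known token; denied:", denied_requests(mine))
```

Because the HMAC is keyed with the device's salt, the hex values are only comparable within one audit device, and a different salt on a second device yields different hashes for the same token.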
Vault internals
Vault internals — storage
• several storage backends available: Consul, DynamoDB, Etcd, Azure, Cassandra, CockroachDB, CouchDB, Filesystem, FoundationDB, Google Cloud Spanner, Google Cloud Storage, In-Memory, Manta, MySQL, PostgreSQL, S3, Swift, Zookeeper
• data is encrypted at rest with a symmetric key
• that symmetric key is encrypted by the “master key” and stored on the storage backend
• the master key is protected with “Shamir’s Secret Sharing” (split into key shares)
Shamir’s Secret Sharing
• a threshold of 1 … N key shares is needed in order to reconstruct the master key and decrypt the data
• the shares can be provided in any order
• more shares than the threshold (N … N+M) can be created and distributed to different parties
• by default, Vault creates 5 key shares on initialization (initialization is a once-per-storage-backend operation)
• 3 of the 5 shares are needed in order to unseal a Vault instance
• this is configurable (e.g. 10/8, 15/5, etc.)
• HA of key holders (no single person has to be available)
• one share alone is worthless
• key holders != admins: designers, ops, devs, etc.
• new unseal keys can be created (rekey) when enough existing shares are provided (e.g. when employees leave the company)
• every time a Vault instance is started, the master key has to be reconstructed from the shares (unseal)
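To make the threshold behaviour concrete, here is an added Python implementation of Shamir’s Secret Sharing (an illustration written for this page, not Vault’s own code, which shares byte-wise over GF(2^8); this one uses a prime field): a master key is split 3-of-5, any three shares in any order reconstruct it, two do not, and a rekey from three old shares issues fresh shares that do not mix with the old ones.

```python
import secrets

# Prime field for the arithmetic. Vault shares each key byte over GF(2^8);
# one large prime field keeps this illustration short.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree
    threshold - 1 and share i is the point (i, p(i)). Fewer than `threshold`
    points leave the constant term completely undetermined, which is why a
    single share is worthless on its own.
    """
    if not 1 < threshold <= shares < PRIME:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange-interpolate p(0) from (x, y) points; their order does not matter.

    With fewer points than the threshold this still returns a number, but
    not the secret: every missing share is a free degree of freedom.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def rekey(old_shares, shares, threshold):
    """Issue a fresh share set from enough old shares, like Vault's rekey.

    The master key is reconstructed and re-split with a new random
    polynomial; old shares lie on the old polynomial and no longer help.
    """
    return split_secret(combine_shares(old_shares), shares, threshold)


def new_master_key():
    """A random 120-bit stand-in for the master key (fits below PRIME)."""
    return int.from_bytes(secrets.token_bytes(15), "big")


def demo(shares_total=5, threshold=3):
    """Vault's defaults: 5 shares, 3 needed. Returns (any_three_ok, two_fail, no_mix)."""
    master = new_master_key()
    shares = split_secret(master, shares_total, threshold)
    any_three = [shares[4], shares[1], shares[2]]  # any subset, any order
    any_three_ok = combine_shares(any_three) == master
    two_fail = combine_shares(shares[:2]) != master
    fresh = rekey(any_three, shares_total, threshold)
    mixed = [shares[0], shares[1], fresh[2]]  # two old shares plus one new one
    no_mix = combine_shares(fresh[:3]) == master and combine_shares(mixed) != master
    return any_three_ok, two_fail, no_mix
```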
Vault internals — HA

• some backends support Vault HA mode (currently: Consul, Etcd, DynamoDB, FoundationDB, Google Cloud Spanner, Google Cloud Storage, MySQL, Zookeeper)
• Active-Passive mode:
• only the active Vault instance replies to requests
• all other Vault instances reply with an HTTP 302 redirect to the active Vault instance (i.e. a load balancer in front of the HA Vaults does not make sense)
• leader election is done in the storage backend
Vault usage

Vault usage — integration
• some frameworks have an integration for Vault
• with a home-made solution:
• create config files with a helper app to avoid development pain
• prepare your app for TTL’ed credentials: react accordingly if (e.g.) the DB password is not valid anymore:
• re-read the config file with the new credentials
• make sure the helper app gets new credentials in time
• re-try the DB request
• when running in a container-managed system, exit if appropriate
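An added Python sketch (written for this page, not code from the talk) of the integration pattern in the list above: a helper app writes a config file with the current DB credentials; the app reads it, and when the database rejects the password it re-reads the file, waits a bounded time for the helper to deliver new credentials, retries, and otherwise raises an exception that a container entrypoint should let propagate so the orchestrator restarts the pod. FakeDatabase, the file name and the timeouts are constructed.

```python
import json
import os
import tempfile
import time


class AuthError(Exception):
    """The database rejected the credentials (rotated or expired password)."""


class CredentialsUnavailable(Exception):
    """No fresh credentials arrived in time. Let this propagate to a non-zero
    exit in a container-managed system so the scheduler restarts the pod."""


class FakeDatabase:
    """Stand-in for a database whose password Vault rotates (constructed for the example)."""

    def __init__(self, password):
        self.password = password

    def rotate(self, new_password):
        self.password = new_password

    def query(self, password, sql):
        if password != self.password:
            raise AuthError("password authentication failed")
        return "ok:" + sql


def read_credentials(path):
    """Read the config file the helper app maintains: {"username": ..., "password": ...}."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def write_credentials(path, creds):
    """What the helper app does on each renewal: write atomically so the
    application never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(creds, f)
    os.replace(tmp, path)


class App:
    """Database client that survives credential rotation."""

    def __init__(self, db, config_path, max_retries=2, reload_timeout=5.0, poll_interval=0.05):
        self.db = db
        self.config_path = config_path
        self.max_retries = max_retries
        self.reload_timeout = reload_timeout  # how long the helper app gets to deliver
        self.poll_interval = poll_interval
        self.creds = read_credentials(config_path)

    def _wait_for_new_credentials(self):
        """Re-read the config file until the password changes or the deadline passes."""
        deadline = time.monotonic() + self.reload_timeout
        while time.monotonic() < deadline:
            fresh = read_credentials(self.config_path)
            if fresh["password"] != self.creds["password"]:
                return fresh
            time.sleep(self.poll_interval)
        return None

    def run_query(self, sql):
        """Run a query; on an auth failure reload credentials and retry a bounded number of times."""
        for _attempt in range(self.max_retries + 1):
            try:
                return self.db.query(self.creds["password"], sql)
            except AuthError:
                fresh = self._wait_for_new_credentials()
                if fresh is None:
                    break
                self.creds = fresh
        raise CredentialsUnavailable("no valid DB credentials after %d retries" % self.max_retries)


def demo():
    """Three situations: valid creds, a rotation the helper delivers in time,
    a rotation it never delivers. Returns (first, second, gave_up)."""
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "db-creds.json")
        write_credentials(path, {"username": "app1", "password": "p1"})
        db = FakeDatabase("p1")
        app = App(db, path, reload_timeout=0.2)
        first = app.run_query("SELECT 1")
        db.rotate("p2")  # Vault rotated the database password ...
        write_credentials(path, {"username": "app1", "password": "p2"})  # ... and the helper delivered it
        second = app.run_query("SELECT 2")
        db.rotate("p3")  # rotated again, but nothing updates the file this time
        try:
            app.run_query("SELECT 3")
            gave_up = False
        except CredentialsUnavailable:
            gave_up = True
    return first, second, gave_up
```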
Vault usage — getting started

Vault — getting started (1 minute investment)
https://www.vaultproject.io/#/demo/0

Vault — getting started
• interactive tutorial
• download it locally and start it with the ‘--dev’ parameter (investment: 20 min to a few hours)
• there is a steep learning curve
• different backends use the same words with different meanings (ttl, tokens, etc.)
• hard to quickly test something as you need the backend systems in place (e.g. AWS auth to get MySQL passwords)
• most tutorials only run in dev mode
Thank you and auf Wiedersehen
We are hiring in Hamburg, Berlin, Munich, Frankfurt, Monheim (between Düsseldorf and Cologne), and remote
https://www.innoq.com/en/culture/working-at-innoq/
https://www.innoq.com/de/culture/working-at-innoq/
Vault secret backends — static secrets
(diagram: static secrets flow)
1. vault write secret/app1/api-key (stores 1234-foo-bar)
2. app1: vault read secret/app1/api-key
3. 1234-foo-bar is returned to app1
Vault auth backends — Kubernetes auth
(diagram: Kubernetes auth flow)
1. app init in the pod sends its K8s token to Vault
2. Vault authenticates the token against the K8s API
3. the K8s API answers success / failure
4. Vault returns a token to the pod
5. the token carries its policies
Vault auth backends — userpass

userpass auth
• statically created by users and stored in Vault
$ vault auth enable userpass
$ vault write auth/userpass/users/kesselborn password=foo policies=admin
$ vault login -method=userpass username=kesselborn
Key               Value
---               -----
token             d9640590-63c8-b3a6-50ac-1403c8180948
. . .
token_duration    5m
token_policies    [admin default]
(diagram: userpass setup)
1. setup username / password (vault write /auth/userpass/users/foo with password123)

(diagram: userpass login)
1. authenticate with username & password: foo / password123
2. Vault returns a token with its policies
Vault auth backends — TLS certificates
(diagram: TLS certificate setup)
1. setup TLS certificate authentication: vault write auth/cert/certs/web … certificate=@web-cert.pem

(diagram: TLS certificate login)
1. authenticate with a TLS client certificate
2. Vault returns a token with its policies

Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 

Recently uploaded (20)

Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 

Secret Management with Hashicorp’s Vault

  • 10. Secret Management: current situation
    • best practices are widely known
    • is usually seen as (very) important
    • implementation is hard
    • solutions are rare
    • high automation is still the exception (as opposed to measures against external threats)
    • often neglected in favour of business-critical features
    • apps and frameworks are not ready for modern secret management
  • 11. Question
    Who here has production credentials on their laptop at this very moment (e.g. AWS credentials file, DB credentials, passwordless ssh private keys to access machines or git repos, API keys, etc.)?
    Who thinks this is a good idea?
  • 12. Why am I talking about secret management
  • 13. About me
    Daniel Bornkessel / @kesselborn
    • Senior Consultant at INNOQ (part time)
    • Focus on DevOps & Continuous Delivery
    INNOQ
    • Consulting, reviews and development
    • https://www.innoq.com/de/culture/working-at-innoq/
  • 14. Typical project
    • Monolith -> Micro Services / Self Contained Systems
    • Language: set (mostly Java)
    • Framework: set (often Spring Boot)
    • Data center: set (mostly AWS or on premise)
    • Container Management: set (mostly Kubernetes … EKS when available … hint hint)
    • CI: set (whatever they used before … mostly Jenkins … please for god's sake: use Gitlab CI)
    • Logging / Monitoring: set (ELK & prometheus)
    • Secret Management: sure … eh … wat?
  • 15. Typical project: Secret Management
    • we pass secrets in via env vars
    • we read the values from Kubernetes secrets
    • we have role based access control all figured out
    • changing and updating passwords is a manual process for now
    • yeah: audit log is something we are looking into
    • no, we can not confidently say who has the password for DB xy
    • no, we do not change all passwords if an employee leaves the company
    • revoking credentials is not something we currently support
  • 16. Introducing Vault
  • 17. Vault — executive summary
  • 18. Vault — executive summary
    • secures, stores and tightly controls
      • tokens
      • passwords
      • certificates
      • API keys
      • and other secrets
  • 19. Vault — executive summary
    • handles
      • leasing
      • key revocation
      • key rolling
      • auditing
    • provides an API for all operations
    • is not meant as a service or token provider which gets embedded in your request / response cycle
  • 20. Vault overview
    auth-n + auth-z (auth backends): Tokens, LDAP, AWS, Kubernetes, Google Cloud, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates
    secrets (secret backends): AWS, Consul, Cubbyhole, Databases, Identity, Nomad, PKI (Certificates), RabbitMQ, SSH, TOTP, Transit
    Example secret tree (used in the diagrams of the following slides):
    Vault
    ├── aws
    │   └── creds
    │       ├── admin
    │       └── developer
    ├── database
    │   └── creds
    │       ├── clients
    │       └── contracts
    ├── pki
    │   └── issue
    │       └── example-com
    ├── secret
    │   └── team
    │       ├── app1
    │       │   └── api-keys
    │       │       ├── google-analytics
    │       │       └── paypal
    │       └── app2
    │           └── foo
    ├── ssh
    │   └── creds
    │       ├── erika
    │       └── erna
    └── transit
        ├── decrypt
        │   └── team-1-key
        └── encrypt
            └── team-1-key
  • 21. Vault auth backends
    • Tokens
    • LDAP
    • AWS
    • Kubernetes
    • Google Cloud
    • Username & Password
    • AppRole
    • GitHub
    • MFA
    • Okta
    • RADIUS
    • TLS Certificates
  • 22. Vault secret backends
    • AWS
    • Consul
    • Cubbyhole
    • Databases
    • Identity
    • Static secrets (Key / Value)
    • Nomad
    • PKI (Certificates)
    • RabbitMQ
    • SSH
    • TOTP
    • Transit
  • 23. Vault — secret backends
  • 24. Vault secret backends — dynamic secrets
  • 25. Vault secret backends — dynamic secrets: what they are
    • on-the-fly created credentials (hence dynamic) for each instance of an app / user who wants a secret
    • usually short to medium long ttl
    • fully audited
  • 26. Vault secret backends — dynamic secrets: how they work (in a nutshell)
    1. provide Vault with credentials for a user that has rights to create users or tokens in a remote system (e.g. db)
    2. configure Vault with settings on how to create credentials
    3. configure Vault with settings on how to invalidate credentials in the remote system
  • 27. Vault secret backends — Databases
  • 28. Vault secret backends — Databases
    0: provide Vault with a db admin config (credentials that may create and drop db users)
  • 29. Vault secret backends — Databases
    vault secrets enable -path=db database
    vault write db/config/clients \
        plugin_name=mysql-database-plugin \
        connection_url="admin:pw@tcp(db.example.com)/" \
        allowed_roles="clients-ro,clients-rw"
    vault write db/roles/clients-ro \
        db_name=clients \
        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
        default_ttl="1h" \
        max_ttl="240h"
    Note: the roles live under the same mount as the config (db/, not database/), and db_name refers to the config name (clients). Once the backend works, the admin password should be rotated so that only Vault knows it: use a templated connection_url="{{username}}:{{password}}@tcp(db.example.com)/" with separate username= and password= fields, then vault write -f db/rotate-root/clients.
  • 31. Vault secret backends — Databases
    1: App reads db/creds/clients-ro (the configured role)
    2: Vault creates a user in the db ("create user …" from the creation_statements)
    3: db answers OK
    4: Vault returns db login / db password to the App, together with a lease
    5: when the ttl expires (or the lease is revoked), Vault deletes the user again
  • 32. Vault secret backends — Databases
    Available plugins:
    • Cassandra
    • HanaDB
    • MongoDB
    • MSSQL
    • MySQL / MariaDB
    • PostgreSQL
    • Oracle
  • 33. Vault secret backends — AWS
  • 34. Vault secret backends — AWS
    0: configure Vault with an aws_access_key / aws_secret_key that may create IAM users or STS tokens
  • 35. Vault secret backends — AWS
    1: App reads aws/creds/dev (the configured role)
    2: Vault creates an STS token / IAM user via the AWS API
    3: AWS returns TTL'ed token / credentials
    4: Vault hands the TTL'ed token / credentials to the App and removes them when the ttl expires
  • 36. Vault secret backends — PKI
  • 37. Vault secret backends — PKI
    0: add ca.cert & ca.key to Vault
  • 38. Vault secret backends — PKI
    1: App writes pki/issue/dev (the configured role)
    2: Vault creates a client certificate signed by the CA
    3: App receives the TTL'ed client certificate
  • 39. Vault secret backends — SSH
  • 40. Vault secret backends — SSH (one-time passwords)
    Host 1.1.2.2
    1: user runs vault write ssh/creds/dev ip=1.1.2.2
    2: Vault returns username / otp
    3: user runs ssh username@1.1.2.2 and enters the otp
    4: the host validates the otp against Vault (via vault-ssh-helper)
    5: access is granted; the otp is used up
  • 41. Vault dynamic secret backends — ssh: Signed SSH Certificates
    • Idea: get ssh access to machines
    • user configures Vault-ssh with a CA (a private and a public key)
    • the CA public key gets distributed to all system hosts (TrustedUserCAKeys in sshd_config)
    • the user asks Vault to sign one of his public ssh keys with the CA and gets a signed SSH certificate as a response
    • the user can use this certificate (together with his private key) to login to machines until it expires
  • 42. Vault dynamic secret backends — Transit
  • 43. Vault secret backends — Transit
    1: App writes the plaintext "foo" to transit/encrypt/app/app1 (the API expects it base64 encoded: plaintext=$(base64 <<< foo))
    2: Vault encrypts it with the named key and returns the ciphertext (a string of the form vault:v1:…)
    3: App writes the ciphertext to transit/decrypt/app/app1
    4: Vault returns the (base64 encoded) plaintext "foo"
    The key itself never leaves Vault ("encryption as a service").
  • 45. Vault — auth backends
  • 47. Vault auth backends — tokens
  • 48. token auth
    • created by Vault
    • the only credential Vault accepts on a request: every other auth backend ends in a token
    • returned when authenticated (auth-n) successfully
    • comparable to a session-id on a website
    • has permissions / policies assigned to it (auth-z)
  • 49. token auth
    $ vault token create -ttl=5m -policy=admin
    Key              Value
    ---              -----
    token            d9640590-63c8-b3a6-50ac-1403c8180948
    token_accessor   5a362982-f34c-3706-143a-26ada278b6cf
    token_duration   5m
    token_renewable  true
    token_policies   [admin default]
  • 50. Vault auth backends — external identity providers
  • 51. Vault auth backends — LDAP / Radius / Okta auth
    • $SERVICE is used as an identity provider (using LDAP here)
    1: user sends username / password to Vault
    2: Vault forwards username / password to LDAP
    3: LDAP answers: user: kesselborn, groups: admin, employee
    4: Vault maps the groups to policies and creates a token
    5: user receives the token (with those policies)
  • 52. Github auth
    • Github is used as an identity provider
    1: user sends a Github token to Vault
    2: Vault validates it against Github
    3: Github answers: user: kesselborn, teams: kesselfaktur, innnoq
    4: Vault maps the teams to policies and returns a token
  • 53. Vault auth backends — AWS auth
  • 54. Vault auth backends — AWS auth (EC2 method)
    1: the EC2 instance fetches its signed identity document from the EC2 metadata service:
       curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
    2: the metadata service returns the AWS Instance Identity Document (PKCS#7)
    3: the instance sends the PKCS#7 document to Vault
    4: Vault verifies the PKCS#7 signature against the AWS public keys
    5: Vault verifies the instance against the EC2 API (instance_id: i-a832f734, ami_id: ami-f083709d, …)
    6/7: Vault maps the matching role (see next slide) to policies
    8: (optionally) Vault puts the instance on a blacklist to avoid a second authentication with the same document
    9: the instance receives a token with those policies
  • 55. Vault auth backends — AWS auth
    $ vault write auth/aws/role/dev-role auth_type=ec2 bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
    $ vault write auth/aws/role/dev-role-iam auth_type=iam bound_iam_instance_profile_arn=… policies=prod,dev max_ttl=500h
  • 56. Vault auth backends — AWS auth
    • alternatively: IAM auth method
    • the client signs an STS GetCallerIdentity request using the AWS Signature v4 algorithm and submits 4 pieces of information (HTTP method, URL, body and headers) to the Vault server, which recreates the signed request, sends it to STS and learns which IAM principal signed it
    • https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method
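An added example of the IAM auth method described on the slide above (it is neither the speaker's code nor HashiCorp's): the client side signs the STS GetCallerIdentity request with AWS Signature Version 4 and packs the four pieces into the body Vault expects at auth/aws/login. The role name dev-role-iam comes from slide 55; the access key, secret key, timestamp and the server id vault.example.com are constructed placeholders; vault_login only works against a real Vault reachable under the given address.

```python
"""Build the payload for Vault's AWS IAM auth method (auth_type=iam): sign an
STS GetCallerIdentity request with AWS Signature Version 4 and base64-encode
the four pieces Vault needs to replay it. Standard library only."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION, SERVICE = "us-east-1", "sts"   # the global STS endpoint signs as us-east-1


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def sign_get_caller_identity(access_key, secret_key, amz_date,
                             session_token=None, server_id=None):
    """Return the HTTP headers of a SigV4-signed POST to STS GetCallerIdentity.

    amz_date is the request time as 20180601T120000Z; it is a parameter rather
    than "now" so that signing is deterministic and testable."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": "sts.amazonaws.com",
        "X-Amz-Date": amz_date,
    }
    if session_token:                      # temporary (STS / instance role) credentials
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        # Signed into the request, so a captured login payload only works against
        # the Vault whose role sets iam_server_id_header_value to this value.
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # SigV4 canonical request: lower-cased, sorted header names, hashed body
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join(["POST", "/", "",      # method, path, empty query
                                   canonical_headers, signed_headers,
                                   _sha256_hex(STS_BODY)])
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request)])
    # derive the signing key: secret -> date -> region -> service -> aws4_request
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date),
                                  REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_iam_login_payload(role, access_key, secret_key, amz_date,
                            session_token=None, server_id=None):
    """The JSON body for POST /v1/auth/aws/login. Vault never sees the AWS
    keys, only the signed request, which it forwards to STS itself."""
    headers = sign_get_caller_identity(access_key, secret_key, amz_date,
                                       session_token, server_id)
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        # header values are lists, matching Go's http.Header as the Vault CLI sends it
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_payload(payload):
    """Undo the base64 wrapping: (url, body, headers) as the Vault server sees them."""
    d = lambda s: base64.b64decode(s).decode()
    return (d(payload["iam_request_url"]), d(payload["iam_request_body"]),
            json.loads(d(payload["iam_request_headers"])))


def vault_login(vault_addr, payload):
    """POST the payload to Vault and return the client token (needs a real Vault)."""
    req = urllib.request.Request(f"{vault_addr}/v1/auth/aws/login",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]


if __name__ == "__main__":
    # constructed, non-functional credentials; a real client takes them from the
    # instance profile / environment and uses the current UTC time for amz_date
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    print(json.dumps(vault_iam_login_payload("dev-role-iam", "AKIAEXAMPLE",
                                             "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY", now,
                                             server_id="vault.example.com"), indent=2))
```

The X-Vault-AWS-IAM-Server-ID header is part of the signed request, so the matching Vault role should set iam_server_id_header_value: a payload captured from one client then cannot be replayed against another Vault. Since the signature covers X-Amz-Date, the payload is also only valid for the few minutes STS tolerates clock skew.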
  • 57. Vault auth backends — Kubernetes auth 57 Secret Management with Hashicorp's Vault
  • 58. token5 policies Vault auth backends — Kubernetes auth 58 Secret Management with Hashicorp's Vault Quelle / Max Mustermann Vault ├── aws │ └── creds │ ├── admin │ └── developer ├── database │ └── creds │ ├── clients │ └── contracts ├── pki │ └── issue │ └── example-com ├── secret │ └── team │ ├── app1 │ │ └── api-keys │ │ ├── google-analytics │ │ └── paypal │ └── app2 │ └── foo ├── ssh │ └── creds │ ├── erika │ └── erna └── transit ├── decrypt │ └── team-1-key └── encrypt └── team-1-key /var └─ run   └─ secrets    └─ kubernetes.io   └─ serviceaccount └─ token K8s API 2 auth against k8s API K8s container 1 K8s token token4 policies 3 service_account_name: app1 service_account_namespace: default
  • 59. Vault auth backends — Kubernetes auth 59 Secret Management with Hashicorp's Vault Quelle / Max Mustermann Vault ├── aws │ └── creds │ ├── admin │ └── developer ├── database │ └── creds │ ├── clients │ └── contracts ├── pki │ └── issue │ └── example-com ├── secret │ └── team │ ├── app1 │ │ └── api-keys │ │ ├── google-analytics │ │ └── paypal │ └── app2 │ └── foo ├── ssh │ └── creds │ ├── erika │ └── erna └── transit ├── decrypt │ └── team-1-key └── encrypt └── team-1-key K8s API 2 auth against k8s API K8s container 3 success / failure Pod app init 1 K8s token token4 policies token policies 5
• 60. Vault auth backends — Kubernetes auth
    $ vault auth enable kubernetes
    $ vault write auth/kubernetes/config kubernetes_host="https://api.k8s.example.com" kubernetes_ca_cert=@ca.crt
    $ vault write auth/kubernetes/role/demo bound_service_account_names=vault-auth bound_service_account_namespaces=default policies=default ttl=1h
  Caveat: the service account whose JWT Vault uses to call the TokenReview API needs the system:auth-delegator ClusterRole, and roles should be bound to specific service account names and namespaces as above rather than to "*".
• 61. Vault auth backends — AppRole
• 62. Vault auth backends and secret backends (overview diagram)
  auth backends: Tokens, LDAP, AWS, Kubernetes, Google Cloud, Username & Password, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates
  secret backends: AWS, Consul, Cubbyhole, Databases, Identity, Static secrets (Key/Value), Nomad, PKI (Certificates), RabbitMQ, SSH, TOTP, Transit
  (the diagram puts the secret tree of slide 67 between the two lists: an auth backend authenticates the client and hands out a token, and the token's policies decide which paths of the tree may be used)
• 63. Use whatever auth method you want
• 64./65. (overview diagram of slide 62 repeated; slide 64 highlights that a certificate issued by the PKI backend can in turn be used for Kubernetes access)
• 66. Vault — policies
• 67. Vault — secret representation
  Every backend is mounted at a path, and its secrets look like files in a tree:
    Vault
    ├── aws
    │   └── creds
    │       ├── admin
    │       └── developer
    ├── database
    │   └── creds
    │       ├── clients
    │       └── contracts
    ├── pki
    │   └── issue
    │       └── example-com
    ├── secret
    │   └── team
    │       ├── app1
    │       │   └── api-keys
    │       │       ├── google-analytics
    │       │       └── paypal
    │       └── app2
    │           └── foo
    ├── ssh
    │   └── creds
    │       ├── erika
    │       └── erna
    └── transit
        ├── decrypt
        │   └── team-1-key
        └── encrypt
            └── team-1-key
• 68. Vault — secret representation
  The same tree with roles named after what they grant rather than after people or tables (the policy example on slide 71 refers to these paths):
    Vault
    ├── aws
    │   └── creds
    │       ├── admin
    │       └── developer
    ├── database
    │   └── creds
    │       ├── clients-ro
    │       └── clients-rw
    ├── pki
    │   └── issue
    │       └── broker
    ├── secret
    │   └── team
    │       ├── app1
    │       │   └── api-keys
    │       │       ├── google-analytics
    │       │       └── paypal
    │       └── app2
    │           └── foo
    ├── ssh
    │   └── creds
    │       ├── developers
    │       └── admins
    └── transit
        ├── decrypt
        │   └── team-1-key
        └── encrypt
            └── team-1-key
• 69. Vault — policies
  • applied to "files" or "directories" of the secret tree, i.e. to paths
  • support filesystem-style wildcards (a trailing *)
  • control what a token can access
  • get assigned at authentication time
  • the policies of an issued token can't be changed afterwards (revoke it and authenticate again instead)
• 70. Vault — policies: capabilities
  • create
  • read
  • update
  • delete
  • list
  • deny
  • sudo
• 71. Vault — policies
    $ cat app1-policy.hcl
    path "secret/team/app1/*" {
      capabilities = ["read", "list"]
    }
    path "pki/issue/broker" {
      # issuing a certificate is a POST to pki/issue/<role>, which needs create/update;
      # "write" is not a valid entry in a capabilities list
      capabilities = ["create", "update"]
    }
    path "database/creds/clients-ro" {
      capabilities = ["read"]
    }
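To see how the rules above are applied, here is a small evaluator for the path/capabilities form of policy files. It is an added example, not Vault's own ACL code, and it implements the matching behaviour the slides describe: a rule path is either exact or a prefix when it ends in `*`, the most specific matching rule wins (exact before glob, longer prefix before shorter), rules for the same path from several policies are merged, and `deny` overrides everything. The first policy is the one from the slide; the second, which carves a single key out of app1's tree, is constructed for the example.

```python
"""Minimal evaluator for Vault policy rules (added example, not Vault's code).

Only the `path "..." { capabilities = [...] }` form is parsed; "sudo" is left
out because it only matters for root-protected system paths.
"""
import re

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
OPERATION_TO_CAPABILITY = {"read": "read", "list": "list", "create": "create",
                           "update": "update", "delete": "delete"}

# policy from the slide
APP1_POLICY = '''
path "secret/team/app1/*" {
  capabilities = ["read", "list"]
}
path "pki/issue/broker" {
  capabilities = ["create", "update"]
}
path "database/creds/clients-ro" {
  capabilities = ["read"]
}
'''

# constructed second policy: an explicit deny on one key is more specific than the glob
LOCKDOWN_POLICY = '''
path "secret/team/app1/api-keys/paypal" {
  capabilities = ["deny"]
}
'''


def parse_policy(text):
    """Return {path: set(capabilities)} for every path block in the HCL text."""
    rules = {}
    for path, caps in RULE_RE.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge(policies):
    """Union the rules of all policies attached to a token, path by path."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    return merged


def matching_rule(rules, path):
    """An exact rule wins; otherwise the glob rule with the longest prefix, if any."""
    if path in rules:
        return rules[path]
    best, best_len = None, -1
    for rule_path, caps in rules.items():
        if rule_path.endswith("*"):
            prefix = rule_path[:-1]
            if path.startswith(prefix) and len(prefix) > best_len:
                best, best_len = caps, len(prefix)
    return best


def is_allowed(policies, operation, path):
    """True if the token holding `policies` may perform `operation` on `path`."""
    caps = matching_rule(merge(policies), path)
    if caps is None or "deny" in caps:       # no rule means denied; deny beats every other capability
        return False
    return OPERATION_TO_CAPABILITY[operation] in caps
```

The last point is the one to remember in reviews: a glob on `secret/team/app1/*` does not give a token access to `secret/team/app1` itself or to `secret/team/app10`-style neighbours only by accident of naming, and a deny placed on a more specific path wins even when another policy on the same token grants the glob.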
• 72. Vault — Audit log
• 73. Vault internals — Audit log
  • off by default
  • supported backends (audit devices): file, syslog, socket
  • if the audit log cannot be written, Vault does not reply to requests; with several devices enabled, at least one of them must succeed, so enable two devices to avoid an outage caused by a full disk or a dead syslog endpoint
• 74. Vault internals — Audit log
  • every operation creates a log entry with
    • what was done
    • when it was executed
    • by whom it was requested
    • the request payload
    • the response payload
  • sensitive data (tokens, secret values) is hashed with a salt using HMAC-SHA256, so a stolen log does not leak secrets, but a known value can still be looked up in it
• 75. Vault internals — Audit log
  Example entry (file device, one JSON object per line; reformatted here for readability). Note what stays in clear text: who, which operation, which path, from which address, and the error message, while the token, its accessor and the response data are HMACed:
    {
      "time": "2018-10-10T10:59:53.557231528Z",
      "type": "response",
      "auth": {
        "client_token": "hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840",
        "accessor": "hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba",
        "display_name": "ldap-daniel.bornkessel@innoq.com",
        "policies": ["default"],
        "token_policies": ["default"],
        "metadata": {"username": "daniel.bornkessel@innoq.com"},
        "entity_id": "8950f5f7-fad8-3ecb-4e62-e5841815df60"
      },
      "request": {
        "id": "9f2b6dfa-5c18-af6a-1f66-2c78b25a875f",
        "operation": "list",
        "client_token": "hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840",
        "client_token_accessor": "hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba",
        "path": "secret/",
        "data": null,
        "policy_override": false,
        "remote_address": "100.96.0.76",
        "wrap_ttl": 0,
        "headers": {}
      },
      "response": {
        "data": {"error": "hmac-sha256:d9d7a78363fd091f1b4c12629b7c9b5d7a7ffbf904ef5d29d002d5265d5bbf33"}
      },
      "error": "1 error occurred:\n\n* permission denied"
    }
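The salted HMAC is what makes the log usable for incident response without turning it into a second copy of your secrets: if you hold a token (say one found in a leaked CI log) you can compute its HMAC and find every request it made. The following is an added example, not code from the talk or from HashiCorp; the salt, the token values and the three log lines are constructed so it runs offline. Against a real deployment you would not know the salt, and would ask Vault to compute the hash for you via the `/sys/audit-hash/<device>` endpoint instead of calling `audit_hash` yourself.

```python
"""Parse Vault audit log lines and correlate a known token with them.

Added example, not from the talk or HashiCorp. Vault writes sensitive fields as
"hmac-sha256:" + hex(HMAC-SHA256(key = per-device salt, msg = value)); the salt,
tokens and log lines below are constructed for this example.
"""
import hashlib
import hmac
import json

SALT = b"constructed-audit-salt"              # in Vault the salt lives in the audit device's storage
ALICE_TOKEN = "s.constructedTokenForAlice"    # constructed token value
APP1_TOKEN = "s.constructedTokenForApp1"      # constructed token value


def audit_hash(value: str, salt: bytes = SALT) -> str:
    """Same form as the hashed values in the log (what /sys/audit-hash returns for a real device)."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _entry(time, display_name, operation, path, token, error=None):
    """Build one response-type entry in the shape the file device writes."""
    e = {
        "time": time,
        "type": "response",
        "auth": {"client_token": audit_hash(token), "display_name": display_name,
                 "policies": ["default"]},
        "request": {"operation": operation, "path": path,
                    "client_token": audit_hash(token), "remote_address": "100.96.0.76"},
        "response": {},
    }
    if error:
        e["error"] = error
    return json.dumps(e)


# constructed log: a denied list, a successful read, and a read by another identity
LOG_LINES = [
    _entry("2018-10-10T10:59:53Z", "ldap-alice", "list", "secret/", ALICE_TOKEN,
           "1 error occurred:\n\n* permission denied"),
    _entry("2018-10-10T11:00:10Z", "ldap-alice", "read",
           "secret/team/app1/api-keys/paypal", ALICE_TOKEN),
    _entry("2018-10-10T11:02:41Z", "kubernetes-default-app1", "read",
           "database/creds/clients-ro", APP1_TOKEN),
]


def parse_audit(lines):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]


def requests_by_token(entries, token):
    """Every request made with a token you hold in plaintext, matched by its HMAC."""
    h = audit_hash(token)
    return [e for e in entries if e["request"].get("client_token") == h]


def denied(entries):
    """(time, who, operation, path) for each request Vault refused: the rows to alert on."""
    return [(e["time"], e["auth"]["display_name"], e["request"]["operation"], e["request"]["path"])
            for e in entries if "permission denied" in e.get("error", "")]
```

A burst of `permission denied` entries from one display name is the audit log's version of a scanner walking the tree; the same correlation by HMAC works for secret values returned in response data, which is why the salt must stay inside Vault.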
• 76. (overview diagram of slide 62 with the pieces connected: auth backends issue tokens, policies bind tokens to paths in the secret backends, and the audit log records every request on the way)
• 77. Vault internals
• 78. Vault internals — storage
• 79. Vault internals — storage
  • several storage backends are available: Consul, DynamoDB, Etcd, Azure, Cassandra, CockroachDB, CouchDB, Filesystem, FoundationDB, Google Cloud Spanner, Google Cloud Storage, In-Memory, Manta, MySQL, PostgreSQL, S3, Swift, Zookeeper
  • the storage backend never sees plaintext: data is encrypted at rest with a symmetric key
  • that symmetric key is itself encrypted with the "master key" and stored in the storage backend
  • the master key is not stored anywhere; it is split into unseal keys with Shamir's Secret Sharing
• 80. Vault internals — storage
  Shamir's Secret Sharing
  • the master key is split into N key shares; any T of them (the threshold) are enough to reconstruct it
  • the shares can be provided in any order
  • the N shares are handed to different parties; fewer than T shares reveal nothing about the key
• 81. Vault internals — storage
  Shamir's Secret Sharing
  • by default, Vault creates 5 key shares on initialization (which happens once per storage backend)
  • 3 of the 5 shares are needed in order to unseal a Vault instance
  • both numbers are configurable (e.g. 8 of 10, 5 of 15, etc.)
• 82. Vault internals — storage
  Shamir's Secret Sharing
  • HA of key holders: no single person is needed to unseal
  • one key share alone is worthless
  • key holders != admins: designers, ops, devs, etc.
  • a new set of unseal keys can be generated (rekey) when enough existing shares are provided, e.g. when an employee who held a share leaves the company
  • every time a Vault instance is started it is sealed: the master key has to be reconstructed from a threshold of shares before it serves requests
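The properties listed on slides 80 to 82 (any T of N shares, in any order, fewer than T worthless, rekey from a quorum) follow directly from the construction, which fits in a few lines. This is an added example and not Vault's implementation: Vault splits the master key byte by byte over GF(2^8), while this version works over the prime field GF(p) with the Mersenne prime p = 2^521 - 1 so that a 32-byte key fits in a single field element. The key material is constructed.

```python
"""Shamir's Secret Sharing over GF(p) (added example, not Vault's GF(2^8) code).

The secret is the constant term of a random polynomial of degree T-1; share i is
the point (i, f(i)). Any T points fix the polynomial, fewer than T leave every
constant term equally likely.
"""
import secrets

P = 2 ** 521 - 1   # prime, large enough for a 64-byte secret


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, n: int, t: int):
    """Split `secret` into n shares (x, y) of which any t reconstruct it."""
    if not 1 <= t <= n or len(secret) > 64:
        raise ValueError("need 1 <= t <= n and a secret of at most 64 bytes")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]   # f(0) = secret
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate f(0) from the given shares; order does not matter.

    With fewer than t shares the result is a uniformly random field element,
    returned as garbage bytes rather than raising, which is what "one key alone
    is worthless" means in practice.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P        # product of (0 - x_j)
                den = den * (xi - xj) % P    # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def rekey(old_shares, length: int, n: int, t: int):
    """What `vault operator rekey` does: rebuild the key from a quorum of the old
    shares and issue a fresh, unrelated set (old shares stop being useful)."""
    return split_secret(recover_secret(old_shares, length), n, t)
```

The reconstruction never needs the original polynomial, only T points and the field, which is why the shares can be presented in any order and why a new set of shares after a rekey is independent of the old one.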
• 83. Vault internals — HA
  • some backends support Vault HA mode (currently: Consul, Etcd, DynamoDB, FoundationDB, Google Cloud Spanner, Google Cloud Storage, MySQL, Zookeeper)
  • active/passive mode:
    • only the active Vault instance replies to requests
    • a standby instance redirects the client to the active one with an HTTP 307 (or forwards the request to it, if request forwarding is enabled), so a plain round-robin load balancer in front of the cluster gains nothing; if you do put one there, its health check must use /v1/sys/health, which returns 200 on the active node and 429 on standbys
  • leader election is done in the storage backend
• 84. Vault usage
• 85. Vault usage — integration
• 86. Vault usage — integration
  • some frameworks have an integration for Vault
  • for a home-made solution:
    • create config files with a helper app to avoid development pain
    • prepare your app for credentials with a TTL: react accordingly if e.g. the DB password is not valid anymore:
      • re-read the config file with the new credentials
      • make sure the helper app fetches new credentials before the old ones expire
      • retry the DB request
      • in a container-managed system, exit if appropriate and let the orchestrator restart the app with fresh credentials
• 87. Vault usage — getting started
• 88. Vault — getting started (1 minute invest)
  https://www.vaultproject.io/#/demo/0
• 89. Vault — getting started
  • interactive tutorial
  • download it locally and start it with the '--dev' parameter (investment: 20 min to a few hours); dev mode runs in-memory, unsealed, with a root token, and is not for anything but playing
  • there is a steep learning curve
  • different backends use the same words with different meanings (ttl, tokens, etc.)
  • it is hard to quickly test something as you need the backend systems in place: AWS auth to get MySQL passwords?
  • most tutorials only run in dev mode
• 90. Thank you and auf Wiedersehen
  We are hiring in Hamburg, Berlin, Munich, Frankfurt, Monheim (between Düsseldorf and Cologne), and remote
  https://www.innoq.com/en/culture/working-at-innoq/
  https://www.innoq.com/de/culture/working-at-innoq/
• 91. Vault secret backends — static secrets
• 92. Vault secret backends — static secrets (flow diagram)
  1. an operator stores the secret in the key/value backend: vault write secret/app1/api-key value=1234-foo-bar
  2. app1 reads it with its own token: vault read secret/app1/api-key
  3. and receives 1234-foo-bar
  (static secrets are never rotated by Vault; that is what the dynamic backends are for)
• 94. Vault auth backends — userpass
• 95. userpass auth
  • users are created statically by an admin and stored in Vault (no external identity source)
    $ vault auth enable userpass
    $ vault write auth/userpass/users/kesselborn password=foo policies=admin
    $ vault login -method=userpass username=kesselborn
    Key                Value
    ---                -----
    token              d9640590-63c8-b3a6-50ac-1403c8180948
    . . .
    token_duration     5m
    token_policies     [admin default]
• 96./97. Vault auth backends — userpass (flow diagram)
  1. setup username / password: vault write auth/userpass/users/foo password=password123
  2. the user authenticates with foo / password123 and receives a token with the user's policies
• 98. Vault auth backends — TLS certificates
• 99./100. Vault auth backends — TLS certificates (flow diagram)
  1. setup TLS certificate authentication: vault write auth/cert/certs/web … certificate=@web-cert.pem
  2. the client authenticates with its TLS client certificate and receives a token with the policies bound to that certificate entry