Download to read offline
![Secret Management Tools
[HashiCorp | Ansible | Chef] Vault
CyberArk - Conjur
Knox
Thycotic
KeyWhiz
AWS KMS
HSM
Etc...](https://image.slidesharecdn.com/gnqxpmjjrfaqdifuwnkc-signature-3ad600120928ba780ed5e249ce93817a063e72be920f280d8ec3289d763f8e54-poli-180228091910/85/Secret-Mgmt-using-vault-DevSecOps-sg-Meetup-28-320.jpg)
![# SETUP and Test hello world
# export VAULT_ADDR=http://54.255.140.240
# export VAULT_TOKEN=508f84ac-a239-833e-8029-6b26e7a1d834
# curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" $VAULT_ADDR/v1/secret/hello
{"request_id":"98039c27-213c-d901-98c3-
ce4803126ca3","lease_id":"","renewable":false,"lease_duration":2764800,"data":
{"value":"world"},"wrap_info":null,"warnings":null,"auth":null}
On Local Terminal [https://www.vaultproject.io/api/index.html]](https://image.slidesharecdn.com/gnqxpmjjrfaqdifuwnkc-signature-3ad600120928ba780ed5e249ce93817a063e72be920f280d8ec3289d763f8e54-poli-180228091910/85/Secret-Mgmt-using-vault-DevSecOps-sg-Meetup-35-320.jpg)
![# WRITE SECRET
# curl -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" -X
POST -d '{"value":"my name is $USER"}' $VAULT_ADDR/v1/secret/$USER
On Local Terminal [https://www.vaultproject.io/api/index.html]](https://image.slidesharecdn.com/gnqxpmjjrfaqdifuwnkc-signature-3ad600120928ba780ed5e249ce93817a063e72be920f280d8ec3289d763f8e54-poli-180228091910/85/Secret-Mgmt-using-vault-DevSecOps-sg-Meetup-36-320.jpg)
![# GET WRAP RESPONSE
# curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" -H "X-Vault-Wrap-TTL:10m"
$VAULT_ADDR/v1/secret/hello
{"request_id":"","lease_id":"","renewable":false,"lease_duration":0,"data":nul
l,"wrap_info":{"token":"c2b0d030-fcc8-8942-e659-
bd978454a9e3","ttl":600,"creation_time":"2017-06-
29T09:27:12.289819346Z"},"warnings":null,"auth":null}
On Local Terminal [https://www.vaultproject.io/api/index.html]](https://image.slidesharecdn.com/gnqxpmjjrfaqdifuwnkc-signature-3ad600120928ba780ed5e249ce93817a063e72be920f280d8ec3289d763f8e54-poli-180228091910/85/Secret-Mgmt-using-vault-DevSecOps-sg-Meetup-37-320.jpg)
![# UNWRAP RESPONSE
# curl -X POST -H "X-Vault-Token:$WRAPPED_TOKEN" -H "Content-
Type:application/json" $VAULT_ADDR/v1/sys/wrapping/unwrap
{"request_id":"b36d6da3-ed0a-63ab-b731-
16789815e2c6","lease_id":"","renewable":false,"lease_duration":2764800,"data":
{"vaule":"world"},"wrap_info":null,"warnings":null,"auth":null}
On Local Terminal [https://www.vaultproject.io/api/index.html]](https://image.slidesharecdn.com/gnqxpmjjrfaqdifuwnkc-signature-3ad600120928ba780ed5e249ce93817a063e72be920f280d8ec3289d763f8e54-poli-180228091910/85/Secret-Mgmt-using-vault-DevSecOps-sg-Meetup-38-320.jpg)
Uploaded byFab L
Secret Mgmt using vault DevSecOps sg Meetup
This document discusses using HashiCorp Vault for secret management. It provides examples of setting up and testing Vault, including writing and retrieving secrets. It notes that Vault can manage many types of secrets and offers high availability. While Vault helps with secret storage, the bigger challenge is how to integrate it into continuous delivery pipelines and establish trust so apps can securely retrieve secrets from Vault during runtime. More discussion on this topic will come in a future part.
![[Wroclaw #9] The purge - dealing with secrets in Opera Software](https://cdn.slidesharecdn.com/ss_thumbnails/presentation3-181117173825-thumbnail.jpg?width=640&height=640&fit=bounds)
![20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/20260201fosdemgomodjail-librarysandboxingforgomodules-260201225659-76609ec4-thumbnail.jpg?width=640&height=640&fit=bounds)
Secret Mgmt using vault DevSecOps sg Meetup
- 1. DevSecOps SG Meetup- Jun 29
- 2. Managing Secrets Using HashiCorpVault DevSecOps SG Meetup - Jun 29 It’s been a while!
- 3.
- 4. Great Ocean Road,Victoria, Australia
- 5. Lake Bellfield -Grampians National Park, Victoria, Australia
- 6. Sunrise at BorokaLookout, Grampians National Park, Victoria, Australia
- 7. Sunset at ReedLookout, Grampians National Park, Victoria, Australia
- 8. TimeLapse Drive -Khao Yai National Park, Thailand
- 9. Haew Suwat Waterfall- Khao Yai National Park, Thailand
- 10.
- 11.
- 12. BeeLineCrowd-sourced Bus Services MyRespond erCrowd-sourceResponders for First Aid Data.gov.sg Providing Public Data for Open-Source Projects Featured on RedHat Summ Featured on AWS Summit 2016
- 13. Interested to make an impact? Joinme @ GovTech https://tech.gov.sg
- 14. ¯_( ツ )_/¯ Whyare we here, again? ¯_( ツ )_/¯ ¯_( ツ )_/¯ ¯_( ツ )_/¯ ¯_( ツ )_/¯ ¯_( ツ )_/¯ ¯_( ツ )_/¯
- 15.
- 16. I think developersare storing secrets in source code. To avoid repeating the Uber Blunder I aim to remove secrets from source code repositories. Password Hunting https://fabianlim1989.github.io/devsecops-git-workshop/#/password-hunting
- 17. But WHY woulddevelopers store secrets in code repositories? Identifying the root cause is plain simple, yet implementing the solution is an uphill battle.
- 18. ¯_( ツ )_/¯¯_( ツ )_/¯ ¯_( ツ )_/¯ Note: Today is PART 1, we will be back with more... ¯_( ツ )_/¯ ¯_( ツ )_/¯ ¯_( ツ )_/¯
- 20. A Developer’s Workflow GatherFeature Requirements Code Test New Code with Integration Check In Code Drink Beer to Celebrate
- 21. Code Tokens required tointeract with other APIs Usernames and Passwords Keys and Values A Developer’s Workflow
- 22. A Developer’s Dilemma { "username":"$USERNAME", "password": "$PASSWORD" } /server.conf { "username": "admin", "password": "admin01" } /server.conf
- 23. A Developer’s Dilemma { "APItoken":"$APItoken" } /server.conf { "APItoken": "18be90ef56" } /server.conf
- 24.
- 26. Discussion Time How wouldYOU do it? Google, duh. http://lmgtfy.com/?q=secret+management+tools What options does one have?
- 27.
- 28. Secret Management Tools [HashiCorp| Ansible | Chef] Vault CyberArk - Conjur Knox Thycotic KeyWhiz AWS KMS HSM Etc...
- 29.
- 30.
- 31. FEED ME NOW! Feeding an alpacasat Primo Piazza, Khao Yai, Thailand
- 32.
- 33. Other Useful Stuffs Akinto a Swiss Army knife, its abundant features are useful in all kinds of situations. Manage almost ANY secret Certificate Authority SSH Key Management ... High Availability Cluster Everything is an API call away Open-Source! Sort of...
- 35. # SETUP andTest hello world # export VAULT_ADDR=http://54.255.140.240 # export VAULT_TOKEN=508f84ac-a239-833e-8029-6b26e7a1d834 # curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" $VAULT_ADDR/v1/secret/hello {"request_id":"98039c27-213c-d901-98c3- ce4803126ca3","lease_id":"","renewable":false,"lease_duration":2764800,"data": {"value":"world"},"wrap_info":null,"warnings":null,"auth":null} On Local Terminal [https://www.vaultproject.io/api/index.html]
- 36. # WRITE SECRET #curl -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"value":"my name is $USER"}' $VAULT_ADDR/v1/secret/$USER On Local Terminal [https://www.vaultproject.io/api/index.html]
- 37. # GET WRAPRESPONSE # curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" -H "X-Vault-Wrap-TTL:10m" $VAULT_ADDR/v1/secret/hello {"request_id":"","lease_id":"","renewable":false,"lease_duration":0,"data":nul l,"wrap_info":{"token":"c2b0d030-fcc8-8942-e659- bd978454a9e3","ttl":600,"creation_time":"2017-06- 29T09:27:12.289819346Z"},"warnings":null,"auth":null} On Local Terminal [https://www.vaultproject.io/api/index.html]
- 38. # UNWRAP RESPONSE #curl -X POST -H "X-Vault-Token:$WRAPPED_TOKEN" -H "Content- Type:application/json" $VAULT_ADDR/v1/sys/wrapping/unwrap {"request_id":"b36d6da3-ed0a-63ab-b731- 16789815e2c6","lease_id":"","renewable":false,"lease_duration":2764800,"data": {"vaule":"world"},"wrap_info":null,"warnings":null,"auth":null} On Local Terminal [https://www.vaultproject.io/api/index.html]
- 39. The Bigger Picture- WHERE is the problem?
- 40. Build Start - CODE IN Build Complete - PRODUCT OUT ArchitectingTrust in CICD Pipeline Server / App Continues To Require Secrets From Architecting Trust is not the focus for today, in
- 41. Server / App Continues To Require Secrets From Howdoes Vault trust the app? As an ephemeral docker container / VM / server?
- 43. Thanks & StayTuned for PART
Editor's Notes
- #13 You should have spent only 10 minutes.
- #15 Time, 8 minutes. Right, enough advertising for Govtech and myself
- #19 Right, enough advertising for Govtech and myself
- #21 Let’s put things into context
- #23 My goal is really simple. I just want to replace these hard coded secret strings into variables
- #25 Any one spent their nights thinking about this problem? I did. I was frustrated with the number of secrets I find EVERYWHERE. I want to make a change. So I started trying out different tools.
- #27 Timer should be at 20 minutes. End discussion at 25 minutes.
- #28 Introducing several secret management tools
- #30 Due to limited time, I cannot compare all of it with you today. I listed the top few. This evaluation is best done by the user to evaluate the use cases in order to gain the maximum benefit from limited resources.
- #33 Spend about 15 to 20 minutes here. Timer should be at 50 minutes after
- #36 https://www.vaultproject.io/intro/getting-started/apis.html
- #37 https://www.vaultproject.io/intro/getting-started/apis.html
- #38 https://www.vaultproject.io/intro/getting-started/apis.html
- #42 To go a little bit into the details and almost teasing, this is the problem. So we establish that we want to make everything into a variable, great, now what? Make an API call to replace all the variables into actual secrets using Vault, great. Then where do we store that API token to make the API calls to Vault? And if that’s not crazy enough, we want everything automated, secrets rotated, and our apps run in Docker containers so they die and revive multiple times a day.
- #43 We run into what we call, the “Secret 0 problem” where we need to seed the initial secret using a tool and some semi-automated process that involves a human’s approval. Food for thought.