VMware Tanzu, profile picture
Uploaded byVMware Tanzu
PPTX, PDF1,009 views

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

This document discusses CredHub, a tool for centralized credential management. It delivers cradle-to-grave management of credentials, including creation, access control, distribution, rotation, and logging. Credentials are encrypted at rest and include passwords, certificates, SSH keys, and arbitrary values. The document outlines CredHub's architecture, credential types, REST API, language bindings, service bindings workflow, and availability. It demonstrates how CredHub improves security when used with platforms and pipelines.

Software
Related topics:
Software Developer

Embed presentation

Downloaded 11 times
© Copyright 2018 Pivotal Software, Inc. All rights Reserved. CredHub February 2019 Sharath Sahadevan @sharath_sahadev DaShaun Carter @dashaun
CredHub Mitigates the Risk of Leaked Credentials CredHub delivers centralized management of platform and application creds. ● Credentials are the bedrock for trust in the cloud. ● CredHub’s goal: deliver cradle-to-grave management of credentials (create, access control, distribution, rotation, logging) ● Manages passwords, certificates, ssh keys, RSA keys, and arbitrary values (strings and JSON blobs). ● All credentials are encrypted w/a key that rotates (HSM support in OSS & PCF) ● CredHub Service Broker for off-platform services
Architecture CredHub CLI BOSH REST API Authentication Provider Encryption Provider (HSM) Backing SQL Database
Credential Types value - a simple string, used for configuration and other non-generated properties password - a simple string, used for generated secrets user - username and password pair json - a JSON object certificate - an object containing a root CA, certificate and private key rsa - an object containing an RSA public key and private key ssh - an object containing an SSH-formatted public key and private key http://docs.cloudfoundry.org/credhub/credential-types.html
REST API Secured via Mutual TLS, and/or OAuth2 Get/Set/Generate/Delete Credential Get/Add/Delete Permission Interpolate VCAP_SERVICES https://credhub-api.cfapps.io
Java mapping to CredHub REST API Supports all credential types and operations Spring Boot auto-configuration support Apps deployed to CF with Java Buildpack automatically negotiate mutual TLS Spring CredHub
Service Bindings $ cf create-service service-name plan service-instance- name $ cf bind-service app-name service-instance-name “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” } Create Instance Details Cloud Controller Service Broker Create Binding Credentials Cloud Controller Service Broker
Service Bindings $ cf env app-name “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” }, }] }
Where Binding Credentials Live Cloud Controller database (encrypted) Cloud Controller REST API responses ● /v2/apps/:guid/env ● /v2/service_bindings/:guid Staged application droplets cf ssh Manual ssh Process Environment Application Memory
Service Bindings With CredHub $ cf bind-service app-name service-instance-name create binding credentials with credhub-ref PUT /data “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” } “credentials”: { “credhub-ref”: “/c/my-broker/[instance-id]/[binding-id]/credentials” } Cloud Controller Service Broker CredHub
Service Bindings $ cf env app-name “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “credhub-ref”: “/c/my-broker/[instance-id]/[binding- id]/credentials” }, }] }
Credential Interpolation CredHub “VCAP_SERVICES”: { “my-service”: [{ “credentials”: { “credhub-ref”: “/c/my-broker/1111/2222/credentials” }, }] } “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” }, }] } POST /interpolate interpolated credentials
Diego Cell Diego Assisted Credential Resolution CredHub App Cloud Controller
Application Benefits of Using CredHub Cloud Controller database (encrypted) Cloud Controller REST API responses ● /v2/apps/:guid/env ● /v2/service_bindings/:guid Staged application droplets cf ssh Assisted Mode
Non-Assisted Credential Resolution Spring applications using Spring Cloud Connectors or Spring Boot ${vcap.service.} properties will have framework support to automate resolution CredHub Diego Cell Diego App Cloud Controller
Availability CredHub bits are included in cf- deployment since version v0.36.0 Deployment manifest customization required to enable secure service binding credentials workflow Starting in Pivotal CF 2.0 ● Secure service binding credentials support can be enabled or disabled in PAS tile configuration ● Assisted mode only Service brokers will be updated to support secure binding credentials on their own release schedules
Demo https://github.com/ssahadevan-pivotal/springboot-credhub-sample cf create-service credhub default mycredhub -c '{"mysecretkey":"somethingsecret"}' cf update-service mycredhub -c '{"mysecretkey":"newsecret"}' cf restage credhub-sample Note: Restage application to see the new values Click on the route for your app and you should see the secret.
Platforms and Pipelines
Build Servers
Secure Self Service How many credentials do you have access to? How are your credentials delivered? How strong is your weakest link? https://content.pivotal.io/white-papers/pivotal-cloud-foundry-the-auditors-guide
Cover w/ Image Weakest Links ■ Sticky Notes ■ Shell History ■ Database ■ Private Git Repository ■ Encrypted Values Private Git Repo ■ Pipeline Jobs / Build ■ Email / Shared Drive
Pipeline Benefits of Using CredHub Security, Change Approval, Architecture ● Public/Private Cloud Tenant IDs ● Subscription IDs ● Account IDs / Service Accounts ● kubectl credentials ● Secure Pipelines*
BOSH + UAA + CredHub + Concourse • Automated Cradle-to-grave management of credentials (platform and apps) • Manages passwords, certificates, ssh keys, RSA key, and arbitrary values (string & JSON) • All credentials are encrypted w/a key that rotates
BUCC $ source git clone https://github.com/starkandwayne/bucc.git $ cd bucc $ source .envrc $ bucc up $ bucc info $ bosh alias-env bucc $ bosh vms $ bucc uaa $ credhub api $ bucc info $ bucc fly
Before Secure Off-Platform Services with Service Instance Sharing & the CredHub Service Broker Now in PCF 2.3+ cf create-service credhub default app-db -c '{"url":...,"username":...,"password":...}' credentials: { credhub-ref: /c/prophet-db/app-db/credentials } cf cups app-db -p '{"url":...,"username":...,"password":...}' credentials: { url:OH,username:NO!,password:CLEARTEXT }
29
Transforming How The World Builds Software © Copyright 2018 Pivotal Software, Inc. All rights Reserved.

More Related Content

PPTX
Variable scope in php
byMUHAMMED MASHAHIL PUKKUNNUMMAL
 
PDF
LINUX : Système, administration et services réseaux
byTaoufik AIT HSAIN
 
PDF
COPA Practice Set (Previous Year Question Paper)
bySONU HEETSON
 
PPT
introduction to web technology
byvikram singh
 
PDF
Azure DevOps Tests Plan
byDenis Voituron
 
PDF
COPA ITI MS Word MCQ Most Important Questions
bySONU HEETSON
 
PDF
L'intérêt d'une page Facebook dans une stratégie de présence en ligne
byCYB@RDECHE
 
PPTX
radius
bymohamed hadrich
 
Variable scope in php
byMUHAMMED MASHAHIL PUKKUNNUMMAL
 
LINUX : Système, administration et services réseaux
byTaoufik AIT HSAIN
 
COPA Practice Set (Previous Year Question Paper)
bySONU HEETSON
 
introduction to web technology
byvikram singh
 
Azure DevOps Tests Plan
byDenis Voituron
 
COPA ITI MS Word MCQ Most Important Questions
bySONU HEETSON
 
L'intérêt d'une page Facebook dans une stratégie de présence en ligne
byCYB@RDECHE
 
radius
bymohamed hadrich
 

What's hot

PDF
Examen principal- php - correction
byInes Ouaz
 
PPTX
Flutter
byShyju Madathil
 
PDF
HTML, CSS et Javascript
byECAM Brussels Engineering School
 
PDF
Pune Flutter Presents - Flutter 101
byArif Amirani
 
PPTX
Form Validation in JavaScript
byRavi Bhadauria
 
PDF
Résumé Complet : Les Fondamentaux du PHP et Intégration avec MySQL.pdf
byPointer @Info
 
PDF
Pipeline Devops - Intégration continue : ansible, jenkins, docker, jmeter...
byXavierPestel
 
PDF
HTTP Request and Response Structure
byBhagyashreeGajera1
 
PPTX
A flight with Flutter
byAhmed Tarek
 
PPTX
ASP.NET MVC.
byNi
 
PPTX
Http Introduction
byAkshay Dhole
 
PDF
Intro to html 5
byIan Jasper Mangampo
 
PDF
CI/CD with Jenkins and Docker - DevOps Meetup Day Thailand
byTroublemaker Khunpech
 
PDF
Introduction to HTML
bySeble Nigussie
 
PDF
Applications Android - cours 11 : Boites de dialogue
byAhmed-Chawki Chaouche
 
PDF
Nodejs presentation
byArvind Devaraj
 
PDF
Programmation orientée objet : Object, classe et encapsulation
byECAM Brussels Engineering School
 
PPTX
c# programmation orientée objet (Classe & Objet)
byMahfoud EL HOUDAIGUI
 
PPTX
Bootstrap ppt
byIshtdeep Hora
 
PPTX
Flutter Intro
byVladimir Parfenov
 
Examen principal- php - correction
byInes Ouaz
 
Flutter
byShyju Madathil
 
HTML, CSS et Javascript
byECAM Brussels Engineering School
 
Pune Flutter Presents - Flutter 101
byArif Amirani
 
Form Validation in JavaScript
byRavi Bhadauria
 
Résumé Complet : Les Fondamentaux du PHP et Intégration avec MySQL.pdf
byPointer @Info
 
Pipeline Devops - Intégration continue : ansible, jenkins, docker, jmeter...
byXavierPestel
 
HTTP Request and Response Structure
byBhagyashreeGajera1
 
A flight with Flutter
byAhmed Tarek
 
ASP.NET MVC.
byNi
 
Http Introduction
byAkshay Dhole
 
Intro to html 5
byIan Jasper Mangampo
 
CI/CD with Jenkins and Docker - DevOps Meetup Day Thailand
byTroublemaker Khunpech
 
Introduction to HTML
bySeble Nigussie
 
Applications Android - cours 11 : Boites de dialogue
byAhmed-Chawki Chaouche
 
Nodejs presentation
byArvind Devaraj
 
Programmation orientée objet : Object, classe et encapsulation
byECAM Brussels Engineering School
 
c# programmation orientée objet (Classe & Objet)
byMahfoud EL HOUDAIGUI
 
Bootstrap ppt
byIshtdeep Hora
 
Flutter Intro
byVladimir Parfenov
 

Similar to Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

PDF
Secure Credential Management with CredHub - Eoghan Kelleher
byVMware Tanzu
 
PDF
CredHub and Secure Credential Management
byVMware Tanzu
 
PDF
CredHub and Secure Credential Management
byVMware Tanzu
 
PDF
Using CredHub for Kubernetes Deployments
byVMware Tanzu
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PDF
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
byVMware Tanzu
 
PDF
Spring Boot & Spring Cloud on PAS- Nate Schutta (2/2)
byVMware Tanzu
 
PPTX
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
byWill Tran
 
PDF
Security as a Service - Tian Wang
byVMware Tanzu
 
PPTX
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byStenio Ferreira
 
PDF
Handling Secrets in Your Cloud Native Architecture
byVMware Tanzu
 
PDF
Pivotal Cloud Foundry 2.0: First Look
byVMware Tanzu
 
PPTX
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byAmanda MacLeod
 
PDF
Upgrade your InfoSec, Ops and Dev teams with PCF 1.12
byVMware Tanzu
 
PDF
Cloud Foundry API for Fun and Ops
byChris DeLashmutt
 
PPTX
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byAmanda MacLeod
 
PDF
Pivotal Cloud Foundry 2.3: A First Look
byVMware Tanzu
 
PDF
Z26167171
byIJERA Editor
 
PDF
Secure second days operations with Boundary and Vault.pdf
byBram Vogelaar
 
PPTX
PCF 2.3: A First Look
byVMware Tanzu
 
Secure Credential Management with CredHub - Eoghan Kelleher
byVMware Tanzu
 
CredHub and Secure Credential Management
byVMware Tanzu
 
CredHub and Secure Credential Management
byVMware Tanzu
 
Using CredHub for Kubernetes Deployments
byVMware Tanzu
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
byVMware Tanzu
 
Spring Boot & Spring Cloud on PAS- Nate Schutta (2/2)
byVMware Tanzu
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
byWill Tran
 
Security as a Service - Tian Wang
byVMware Tanzu
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byStenio Ferreira
 
Handling Secrets in Your Cloud Native Architecture
byVMware Tanzu
 
Pivotal Cloud Foundry 2.0: First Look
byVMware Tanzu
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byAmanda MacLeod
 
Upgrade your InfoSec, Ops and Dev teams with PCF 1.12
byVMware Tanzu
 
Cloud Foundry API for Fun and Ops
byChris DeLashmutt
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
byAmanda MacLeod
 
Pivotal Cloud Foundry 2.3: A First Look
byVMware Tanzu
 
Z26167171
byIJERA Editor
 
Secure second days operations with Boundary and Vault.pdf
byBram Vogelaar
 
PCF 2.3: A First Look
byVMware Tanzu
 

More from VMware Tanzu

PDF
Spring into AI presented by Dan Vega 5/14
byVMware Tanzu
 
PDF
What AI Means For Your Product Strategy And What To Do About It
byVMware Tanzu
 
PDF
Make the Right Thing the Obvious Thing at Cardinal Health 2023
byVMware Tanzu
 
PPTX
Enhancing DevEx and Simplifying Operations at Scale
byVMware Tanzu
 
PDF
Spring Update | July 2023
byVMware Tanzu
 
PPTX
Platforms, Platform Engineering, & Platform as a Product
byVMware Tanzu
 
PPTX
Building Cloud Ready Apps
byVMware Tanzu
 
PDF
Spring Boot 3 And Beyond
byVMware Tanzu
 
PDF
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
byVMware Tanzu
 
PPTX
tanzu_developer_connect.pptx
byVMware Tanzu
 
PDF
Tanzu Virtual Developer Connect Workshop - French
byVMware Tanzu
 
PDF
Tanzu Developer Connect Workshop - English
byVMware Tanzu
 
PDF
Virtual Developer Connect Workshop - English
byVMware Tanzu
 
PDF
Tanzu Developer Connect - French
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
byVMware Tanzu
 
PDF
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
byVMware Tanzu
 
PDF
SpringOne Tour: The Influential Software Engineer
byVMware Tanzu
 
PDF
SpringOne Tour: Domain-Driven Design: Theory vs Practice
byVMware Tanzu
 
Spring into AI presented by Dan Vega 5/14
byVMware Tanzu
 
What AI Means For Your Product Strategy And What To Do About It
byVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
byVMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
byVMware Tanzu
 
Spring Update | July 2023
byVMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
byVMware Tanzu
 
Building Cloud Ready Apps
byVMware Tanzu
 
Spring Boot 3 And Beyond
byVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
byVMware Tanzu
 
tanzu_developer_connect.pptx
byVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
byVMware Tanzu
 
Tanzu Developer Connect Workshop - English
byVMware Tanzu
 
Virtual Developer Connect Workshop - English
byVMware Tanzu
 
Tanzu Developer Connect - French
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
byVMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
byVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
byVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
byVMware Tanzu
 

Recently uploaded

PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PPTX
Struggling with Pentaho Limitations How Helical Insight Solves Them.pptx
byVarsha Nayak
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPT
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
PPTX
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PPTX
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PPTX
GDS Integration Solution | GDS Integration Service
byyugababu033
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
Struggling with Pentaho Limitations How Helical Insight Solves Them.pptx
byVarsha Nayak
 
application security presentation 2 by harman
byharmanideapad
 
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
GDS Integration Solution | GDS Integration Service
byyugababu033
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

  • 1.
    © Copyright 2018Pivotal Software, Inc. All rights Reserved. CredHub February 2019 Sharath Sahadevan @sharath_sahadev DaShaun Carter @dashaun
  • 2.
    CredHub Mitigates theRisk of Leaked Credentials CredHub delivers centralized management of platform and application creds. ● Credentials are the bedrock for trust in the cloud. ● CredHub’s goal: deliver cradle-to-grave management of credentials (create, access control, distribution, rotation, logging) ● Manages passwords, certificates, ssh keys, RSA keys, and arbitrary values (strings and JSON blobs). ● All credentials are encrypted w/a key that rotates (HSM support in OSS & PCF) ● CredHub Service Broker for off-platform services
  • 3.
  • 4.
    Credential Types value -a simple string, used for configuration and other non-generated properties password - a simple string, used for generated secrets user - username and password pair json - a JSON object certificate - an object containing a root CA, certificate and private key rsa - an object containing an RSA public key and private key ssh - an object containing an SSH-formatted public key and private key http://docs.cloudfoundry.org/credhub/credential-types.html
  • 5.
    REST API Secured viaMutual TLS, and/or OAuth2 Get/Set/Generate/Delete Credential Get/Add/Delete Permission Interpolate VCAP_SERVICES https://credhub-api.cfapps.io
  • 6.
    Java mapping toCredHub REST API Supports all credential types and operations Spring Boot auto-configuration support Apps deployed to CF with Java Buildpack automatically negotiate mutual TLS Spring CredHub
  • 7.
    Service Bindings $ cfcreate-service service-name plan service-instance- name $ cf bind-service app-name service-instance-name “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” } Create Instance Details Cloud Controller Service Broker Create Binding Credentials Cloud Controller Service Broker
  • 8.
    Service Bindings $ cfenv app-name “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” }, }] }
  • 9.
    Where Binding CredentialsLive Cloud Controller database (encrypted) Cloud Controller REST API responses ● /v2/apps/:guid/env ● /v2/service_bindings/:guid Staged application droplets cf ssh Manual ssh Process Environment Application Memory
  • 10.
    Service Bindings WithCredHub $ cf bind-service app-name service-instance-name create binding credentials with credhub-ref PUT /data “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” } “credentials”: { “credhub-ref”: “/c/my-broker/[instance-id]/[binding-id]/credentials” } Cloud Controller Service Broker CredHub
  • 11.
    Service Bindings $ cfenv app-name “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “credhub-ref”: “/c/my-broker/[instance-id]/[binding- id]/credentials” }, }] }
  • 12.
    Credential Interpolation CredHub “VCAP_SERVICES”: { “my-service”:[{ “credentials”: { “credhub-ref”: “/c/my-broker/1111/2222/credentials” }, }] } “VCAP_SERVICES”: { “service-name”: [{ “credentials”: { “uri”: “https://service-6yQVNrhZVP.example.com”, “username”: “VofTuQk2BH”, “password”: “fRqah7Wygi” }, }] } POST /interpolate interpolated credentials
  • 13.
    Diego Cell Diego Assisted CredentialResolution CredHub App Cloud Controller
  • 14.
    Application Benefits ofUsing CredHub Cloud Controller database (encrypted) Cloud Controller REST API responses ● /v2/apps/:guid/env ● /v2/service_bindings/:guid Staged application droplets cf ssh Assisted Mode
  • 15.
    Non-Assisted Credential Resolution Springapplications using Spring Cloud Connectors or Spring Boot ${vcap.service.} properties will have framework support to automate resolution CredHub Diego Cell Diego App Cloud Controller
  • 16.
    Availability CredHub bits areincluded in cf- deployment since version v0.36.0 Deployment manifest customization required to enable secure service binding credentials workflow Starting in Pivotal CF 2.0 ● Secure service binding credentials support can be enabled or disabled in PAS tile configuration ● Assisted mode only Service brokers will be updated to support secure binding credentials on their own release schedules
  • 17.
    Demo https://github.com/ssahadevan-pivotal/springboot-credhub-sample cf create-service credhubdefault mycredhub -c '{"mysecretkey":"somethingsecret"}' cf update-service mycredhub -c '{"mysecretkey":"newsecret"}' cf restage credhub-sample Note: Restage application to see the new values Click on the route for your app and you should see the secret.
  • 18.
  • 19.
  • 20.
    Secure Self Service Howmany credentials do you have access to? How are your credentials delivered? How strong is your weakest link? https://content.pivotal.io/white-papers/pivotal-cloud-foundry-the-auditors-guide
  • 21.
    Cover w/ Image WeakestLinks ■ Sticky Notes ■ Shell History ■ Database ■ Private Git Repository ■ Encrypted Values Private Git Repo ■ Pipeline Jobs / Build ■ Email / Shared Drive
  • 22.
    Pipeline Benefits of Using CredHub Security,Change Approval, Architecture ● Public/Private Cloud Tenant IDs ● Subscription IDs ● Account IDs / Service Accounts ● kubectl credentials ● Secure Pipelines*
  • 23.
    BOSH + UAA+ CredHub + Concourse • Automated Cradle-to-grave management of credentials (platform and apps) • Manages passwords, certificates, ssh keys, RSA key, and arbitrary values (string & JSON) • All credentials are encrypted w/a key that rotates
  • 24.
    BUCC $ source gitclone https://github.com/starkandwayne/bucc.git $ cd bucc $ source .envrc $ bucc up $ bucc info $ bosh alias-env bucc $ bosh vms $ bucc uaa $ credhub api $ bucc info $ bucc fly
  • 25.
    Before Secure Off-Platform Serviceswith Service Instance Sharing & the CredHub Service Broker Now in PCF 2.3+ cf create-service credhub default app-db -c '{"url":...,"username":...,"password":...}' credentials: { credhub-ref: /c/prophet-db/app-db/credentials } cf cups app-db -p '{"url":...,"username":...,"password":...}' credentials: { url:OH,username:NO!,password:CLEARTEXT }
  • 26.
  • 27.
    Transforming How TheWorld Builds Software © Copyright 2018 Pivotal Software, Inc. All rights Reserved.