Recommended
More Related Content
What's hot
What's hot (20)
Similar to Secure deployments keeping your application secrets private - condensed
Similar to Secure deployments keeping your application secrets private - condensed (20)
More from Henry Been
More from Henry Been (12)
Recently uploaded
Recently uploaded (20)
Secure deployments keeping your application secrets private - condensed
- 1. SECURE DEPLOYMENTS KEEPING YOUR SECRETS PRIVATE Henry Been "Locks" (CC BY-NC-ND 2.0) by wolf4max
- 3. THE NEED FOR SECRET MANAGEMENT Develop Build Deploy Operate Dev Ops DevOps
- 4. Access and secret management goals No team member needs to hold production secrets Principle of least privilege Decouple authentication from authorization Secure storage of Secrets
- 6. WONDERING WHO IS THAT GUY? HENRY BEEN Independent Devops & Azure Architect E: consultancy@henrybeen.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
- 7. Approach 1 USING RELEASE ORCHESTRATOR VSTS Secrets Azure Web AppCode
- 8. Scenario: • As a team you do CD of your code • You do not do CD of your infrastructure USING RELEASE ORCHESTRATOR VSTS Secrets Azure Web AppCode
- 9. DEMO TIME! USING RELEASE ORCHESTRATOR
- 10. USING RELEASE ORCHESTRATOR • Secrets are pretty secure • Easy to start with • Fits existing situations • You see and copy secrets • Secrets visible in portal • Duplication of secrets • Cannot roll secrets easily Pros Cons
- 11. Prerequisite: Have primary & secondary secrets 1. Change the secret in release orchestrator to secondary secret 2. Release 3. Roll primary secret 4. Change the secret in release orchestrator to primary secret 5. Release 6. Roll secondary secret Intermezzo: Roll a secret
- 12. Approach 2 USING ARM TEMPLATES Azure Web App Key Vault VSTSCode & Infra
- 13. Scenario: • As a team you do CD of your code • You also do CD of your infrastructure USING ARM TEMPLATES Azure Web App Key Vault VSTSCode & Infra
- 14. DEMO TIME! USING ARM TEMPLATES
- 15. USING ARM TEMPLATES • No manual copying or sharing of secrets • No more manual duplication of Azure keys • Secrets visible in portal • Still cannot roll secrets easily Pros Cons
- 16. Approach 3 DIRECTLY FROM KEY VAULT VSTS Azure Web App Code & Infra Key Vault
- 17. Scenario: 1. You do CD of both infrastructure and code 2. You are allowed to provision to the AD DIRECTLY ACCESS KEY VAULT VSTS Azure Web App Code & Infra Key Vault
- 18. HOWTO: Local Development 1. Grant your developer account access to (another) Key Vault • Best alternative • Requires your machine to be in the same AD domain 2. Only use Key Vault in Azure (locally use Web.config) • You have to write code to do this (though pretty straightforward) 3. Manually create a development identity and use that • However… do not check secrets into source control
- 19. DEMO TIME! DIRECTLY ACCESS KEY VAULT
- 20. DIRECTLY ACCESS KEY VAULT • No manual copying or sharing of secrets • No more duplication of Azure keys • Secrets no longer visible in portal • Changed secrets are automatically picked up • Only available on Azure Web Apps, Azure Functions and DataFactory V2 Pros Cons
- 21. Approach 4 DIRECTLY ACCESS SERVICE VSTS Azure Web App Code & Infra AAD Other Service
- 22. Scenario: 1. You do CD of both infrastructure and code 2. You are allowed to provision to the AD 3. Service support DIRECTLY ACCESS SERVICE VSTS Azure Web App Code & Infra AAD Other Service
- 23. DEMO TIME! DIRECTLY ACCESS SERVICE
- 24. DIRECTLY ACCESS SERVICE • No more secrets • Only available on Azure Web Apps, Azure Functions and DataFactory V2 • Only on supported services Pros Cons
- 25. Supported services • Azure Resource Manager • Azure Key Vault • Azure Data Lake • Azure SQL DB • Azure Event Hubs • Azure Service Bus • Azure Storage https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi
- 26. "Sloten op de brug" (CC BY-NC-ND 2.0) by Jan Brünemann RECAP WHAT TO USE WHEN
- 27. Use your release orchestrator Let team operations deploy NEVER EVER EVUHRR When you deploy only code Keyvault and ARM templates When you also deploy infra Application identity / KeyVault When available and allowed Application identity / Oauth resource When available and allowed WHAT TO USE WHEN?
- 28. SECRET MANAGEMNT USING CONFIG BUILDERS FOR LOCAL AND CLOUD DEVELOPMENT Requires: • (.NET Framework ≥ 4.7.1 &&.NET Framework 4.7.1 Development Tools) || ASP.NET Core ≥ 2.0
- 30. "Fail #2" (CC BY-NC-ND 2.0) by zaipe
- 33. Using .NET Core
- 34. DO TRY THIS AT HOME! HENRY BEEN Independent Devops & Azure Architect E: consultancy@henrybeen.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
Editor's Notes
- "Locks" (CC BY-NC-ND 2.0) by wolf4max
- Some questions: Who is practicing DevOps? Just CI/CD? Or more? How do you do secrets? And uhm… do you roll them frequently? And how?
- * In the old days, we developers did not really care about secrets - ops did that * And now we're doing DevOps and we have to manage deployments (for which you need secrets) * In the old days, we didn't really care about configuring the application host / website with secrets - ops did that * And now we're doing DevOps and we create (and confgure) infrastructure from source control So there are new responsibilities coming up for us as developers Or if your team is partially dev, partially ops: you have to reconcile your fast moving pace and get your ops guys into this pipeline things
- "Sloten op de brug" (CC BY-NC-ND 2.0) by Jan Brünemann
- I spent the better part of a day to make this even work "Fail #2" (CC BY-NC-ND 2.0) by zaipe