SlideShare a Scribd company logo

Vault 1.1: Secret Caching with Vault Agent and Other New Features

Mitchell Pronschinske
Mitchell Pronschinske

Since its first release in 2015, HashiCorp Vault has grown from a place to keep secrets to a platform that provides comprehensive secrets management, encryption as a service, and identity-based security for some of the largest organizations in the world. While Vault 1.0 saw auto-unseal become open source and introduced batch tokens improved performance, feature completeness, and enterprise readiness, Vault 1.1 focuses on building workflow enablement and increasing scaling and operations.

Software
1 of 28
Download to read offline
Vault 1.1 Features Secret caching, OIDC Authentication, and Transit Auto-Unseal.
Vault 1.1 Webinar Nick Cabatoff Software Engineer at HashiCorp
OpenID Connect Use third-party OIDC providers to authenticate users via web browser. e.g. Azure AD, Auth0, Gitlab, Google, Keycloak, Okta Secret Caching Vault Agent can now run as a caching proxy. This can reduce load on Vault. It can also simplify applications by letting them delegate lease renewal. Transit Auto-Unseal Instead of a cloud provider, use another Vault cluster to auto-unseal your Vault cluster.
Links This webinar's demos: https://github.com/ncabatoff/vault-1.1-webinar Tutorial: OIDC with Auth0: https://learn.hashicorp.com/vault/operations/oidc-auth Tutorial: Vault agent caching: https://learn.hashicorp.com/vault/identity-access-management/agent-caching Tutorial: Transit Auto-unseal: https://learn.hashicorp.com/vault/operations/autounseal-transit
OIDC-based Authentication Vault 1.1 Webinar
Copyright © 2019 HashiCorp Vault Identity 6
OpenID Connect Concepts ● ID Token: a JWT token returned by OIDC provider when user authenticates successfully ● Claim: name/value pair found in ID Token
OIDC and Vault ● Vault points browser at OIDC provider, with redirect_url pointing back to itself ● User authenticates, then gets sent back to redirect_url, along with ID Token ● Vault parses ID Token claims and logs user in
Demo can be found at    https://github.com/ncabatoff/vault-1.1-webinar Auth0 OIDC Demo
Vault Agent Cache Vault 1.1 Webinar
Agent auto_auth ● Configure agent with auth method, e.g. aws ● Agent logs in to Vault at startup, renews token as needed ● Agent writes token to sink(s)
Agent cache ● Configure Agent with cache{} block, listener ● Set your app's VAULT_ADDR=agent listener ● Agent may proxy your request to Vault ● Agent may return without speaking to Vault a. Might already have secret cached b. Might decide you don't need to renew yet
Cache + auto-auth ● if a request includes a token, it will be used ● if no token in request but config has cache { use_auto_auth_token = true } then auto_auth token will be used
Cache characteristics ● Scope of cache: tokens and dynamic secrets (not KV) ● Eviction policy: Upon revocation, or on request. ● Auto-renews leases so you don't have to * only renews leases created with tokens managed by Agent
Cache, tokens, and auto-auth WARNING ● When auto_auth token expires, so will any secrets created this way ● Agent is stateless: when it exits, its auto_auth token is lost, and any leases it created will eventually expire
Security concerns ● Like Vault, secrets are kept in memory ● Unlike Vault, Agent is likely to be run in many places, including closer to the "edge" ● Agent isn't going to have any more secrets than your application would, so shouldn't increase risk
Demo can be found at https://github.com/ncabatoff/vault-1.1-webinar Agent Cache Demo
Transit Auto-Unseal Provider Vault 1.1 Webinar
Manual Unseal ● Split key into many pieces ● Give each piece to one person ● Need people to supply those keys at startup to unseal Vault
Auto-Unseal Auto-Unseal recap: store the unseal keys locally, but encrypted via some third-party key source ● Cloud: some cloud provider KMS ● HSM: hardware device ● Transit: another Vault cluster
Auto-Unseal
Transit Auto-Unseal #1a: create transit key On primary Vault cluster: ● Create a transit key unseal-key vault write -force /transit/keys/unseal-key
Transit Auto-Unseal #1b: create policy On primary Vault cluster: ● Create a transit key unseal-key ● Create a policy use-unseal-key with only "encrypt/decrypt with unseal-key" capabilities cat - > policy-file <<EOF path "/transit/encrypt/unseal-key" { capabilities = ["update"] } path "/transit/decrypt/unseal-key" { capabilities = ["update"] } EOF vault policy write use-unseal-key policy-file
Transit Auto-Unseal #1c: create token On primary Vault cluster: ● Create a transit key unseal-key ● Create a policy use-unseal-key with only "encrypt/decrypt with unseal-key" capabilities ● Create a token vault token create -policy=use-unseal-key
Transit Auto-Unseal #1d: new cluster New Vault cluster seal config: seal "transit" { address = "$VAULT_ADDR_OF_PRIMARY" disable_renewal = "false" key_name = "unseal-key" mount_path = "transit/" } Start and init cluster with $VAULT_TOKEN=token from 1c. Now you can restart it and it will unseal itself without your intervention.
Demo can be found at https://github.com/ncabatoff/vault-1.1-webinar Transit auto-unseal Demo 1
Links This webinar's demos: https://github.com/ncabatoff/vault-1.1-webinar Tutorial: OIDC with Auth0: https://learn.hashicorp.com/vault/operations/oidc-auth Tutorial: Vault agent caching: https://learn.hashicorp.com/vault/identity-access-management/agent-caching Tutorial: Transit Auto-unseal: https://learn.hashicorp.com/vault/operations/autounseal-transit
www.hashicorp.com ncabatoff@hashicorp.com Thank you

Recommended

How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
Amanda MacLeod
 
Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6
Mitchell Pronschinske
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
Bas Meijer
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Amanda MacLeod
 
Vault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesVault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New Features
Mitchell Pronschinske
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security Certs
Mitchell Pronschinske
 

Recommended

How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
Amanda MacLeod
 
Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6
Mitchell Pronschinske
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
Bas Meijer
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Amanda MacLeod
 
Vault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesVault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New Features
Mitchell Pronschinske
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security Certs
Mitchell Pronschinske
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Vault
VaultVault
Vault
Jean-Philippe Bélanger
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
Vault 101
Vault 101Vault 101
Vault 101
Hazzim Anaya
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
Ken Johnson
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
Nicolas Corrarello
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
Teri Radichel
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
Xavier Mertens
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Stenio Ferreira
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 

More Related Content

What's hot

Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Vault
VaultVault
Vault
Jean-Philippe Bélanger
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
Vault 101
Vault 101Vault 101
Vault 101
Hazzim Anaya
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
Ken Johnson
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
Nicolas Corrarello
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
Teri Radichel
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
Xavier Mertens
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 

What's hot (20)

Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Vault
VaultVault
Vault
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Vault 101
Vault 101Vault 101
Vault 101
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using Consul
 

Similar to Vault 1.1: Secret Caching with Vault Agent and Other New Features

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Stenio Ferreira
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
Andrey Devyatkin
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
CertsGrade
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hamzaaqqa7
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Tom Kerkhove
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
Frans Lytzen
 
Apache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp VaultApache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp Vault
CloudOps2005
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
Opsta
 
MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021
Suresh Rathore
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
Miguel Zuniga
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor Workshop
Velocidex Enterprises
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 

Similar to Vault 1.1: Secret Caching with Vault Agent and Other New Features (20)

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
Mastering Vault Operations: A Comprehensive Guide to HashiCorp Certifications...
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Apache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp VaultApache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp Vault
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor Workshop
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 

More from Mitchell Pronschinske

Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and Consul
Mitchell Pronschinske
 
Multi-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul ConnectMulti-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul Connect
Mitchell Pronschinske
 
Code quality for Terraform
Code quality for TerraformCode quality for Terraform
Code quality for Terraform
Mitchell Pronschinske
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Mitchell Pronschinske
 
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on AzureMigrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Mitchell Pronschinske
 
Empowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorpEmpowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorp
Mitchell Pronschinske
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corp
Mitchell Pronschinske
 
Vault 1.5 Overview
Vault 1.5 OverviewVault 1.5 Overview
Vault 1.5 Overview
Mitchell Pronschinske
 
Using new sentinel features in terraform cloud
Using new sentinel features in terraform cloudUsing new sentinel features in terraform cloud
Using new sentinel features in terraform cloud
Mitchell Pronschinske
 
Military Edge Computing with Vault and Consul
Military Edge Computing with Vault and ConsulMilitary Edge Computing with Vault and Consul
Military Edge Computing with Vault and Consul
Mitchell Pronschinske
 
Unlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub ActionsUnlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub Actions
Mitchell Pronschinske
 
Vault 1.4 integrated storage overview
Vault 1.4 integrated storage overviewVault 1.4 integrated storage overview
Vault 1.4 integrated storage overview
Mitchell Pronschinske
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
Mitchell Pronschinske
 
Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)
Mitchell Pronschinske
 
Governance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad ClusterGovernance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad Cluster
Mitchell Pronschinske
 
Integrating Terraform and Consul
Integrating Terraform and ConsulIntegrating Terraform and Consul
Integrating Terraform and Consul
Mitchell Pronschinske
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: Deployment
Mitchell Pronschinske
 
Modern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with NomadModern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with Nomad
Mitchell Pronschinske
 
Moving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on AzureMoving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on Azure
Mitchell Pronschinske
 
Remote Culture at HashiCorp
Remote Culture at HashiCorpRemote Culture at HashiCorp
Remote Culture at HashiCorp
Mitchell Pronschinske
 

More from Mitchell Pronschinske (20)

Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and Consul
 
Multi-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul ConnectMulti-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul Connect
 
Code quality for Terraform
Code quality for TerraformCode quality for Terraform
Code quality for Terraform
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
 
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on AzureMigrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
 
Empowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorpEmpowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorp
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corp
 
Vault 1.5 Overview
Vault 1.5 OverviewVault 1.5 Overview
Vault 1.5 Overview
 
Using new sentinel features in terraform cloud
Using new sentinel features in terraform cloudUsing new sentinel features in terraform cloud
Using new sentinel features in terraform cloud
 
Military Edge Computing with Vault and Consul
Military Edge Computing with Vault and ConsulMilitary Edge Computing with Vault and Consul
Military Edge Computing with Vault and Consul
 
Unlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub ActionsUnlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub Actions
 
Vault 1.4 integrated storage overview
Vault 1.4 integrated storage overviewVault 1.4 integrated storage overview
Vault 1.4 integrated storage overview
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
 
Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)
 
Governance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad ClusterGovernance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad Cluster
 
Integrating Terraform and Consul
Integrating Terraform and ConsulIntegrating Terraform and Consul
Integrating Terraform and Consul
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: Deployment
 
Modern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with NomadModern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with Nomad
 
Moving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on AzureMoving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on Azure
 
Remote Culture at HashiCorp
Remote Culture at HashiCorpRemote Culture at HashiCorp
Remote Culture at HashiCorp
 

Recently uploaded

Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 

Recently uploaded (20)

Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 

Vault 1.1: Secret Caching with Vault Agent and Other New Features

  • 1. Vault 1.1 Features Secret caching, OIDC Authentication, and Transit Auto-Unseal.
  • 2. Vault 1.1 Webinar Nick Cabatoff Software Engineer at HashiCorp
  • 3. OpenID Connect Use third-party OIDC providers to authenticate users via web browser. e.g. Azure AD, Auth0, Gitlab, Google, Keycloak, Okta Secret Caching Vault Agent can now run as a caching proxy. This can reduce load on Vault. It can also simplify applications by letting them delegate lease renewal. Transit Auto-Unseal Instead of a cloud provider, use another Vault cluster to auto-unseal your Vault cluster.
  • 4. Links This webinar's demos: https://github.com/ncabatoff/vault-1.1-webinar Tutorial: OIDC with Auth0: https://learn.hashicorp.com/vault/operations/oidc-auth Tutorial: Vault agent caching: https://learn.hashicorp.com/vault/identity-access-management/agent-caching Tutorial: Transit Auto-unseal: https://learn.hashicorp.com/vault/operations/autounseal-transit
  • 6. Copyright © 2019 HashiCorp Vault Identity 6
  • 7. OpenID Connect Concepts ● ID Token: a JWT token returned by OIDC provider when user authenticates successfully ● Claim: name/value pair found in ID Token
  • 8. OIDC and Vault ● Vault points browser at OIDC provider, with redirect_url pointing back to itself ● User authenticates, then gets sent back to redirect_url, along with ID Token ● Vault parses ID Token claims and logs user in
  • 9. Demo can be found at    https://github.com/ncabatoff/vault-1.1-webinar Auth0 OIDC Demo
  • 10. Vault Agent Cache Vault 1.1 Webinar
  • 11. Agent auto_auth ● Configure agent with auth method, e.g. aws ● Agent logs in to Vault at startup, renews token as needed ● Agent writes token to sink(s)
  • 12. Agent cache ● Configure Agent with cache{} block, listener ● Set your app's VAULT_ADDR=agent listener ● Agent may proxy your request to Vault ● Agent may return without speaking to Vault a. Might already have secret cached b. Might decide you don't need to renew yet
  • 13. Cache + auto-auth ● if a request includes a token, it will be used ● if no token in request but config has cache { use_auto_auth_token = true } then auto_auth token will be used
  • 14. Cache characteristics ● Scope of cache: tokens and dynamic secrets (not KV) ● Eviction policy: Upon revocation, or on request. ● Auto-renews leases so you don't have to * only renews leases created with tokens managed by Agent
  • 15. Cache, tokens, and auto-auth WARNING ● When auto_auth token expires, so will any secrets created this way ● Agent is stateless: when it exits, its auto_auth token is lost, and any leases it created will eventually expire
  • 16. Security concerns ● Like Vault, secrets are kept in memory ● Unlike Vault, Agent is likely to be run in many places, including closer to the "edge" ● Agent isn't going to have any more secrets than your application would, so shouldn't increase risk
  • 17. Demo can be found at https://github.com/ncabatoff/vault-1.1-webinar Agent Cache Demo
  • 19. Manual Unseal ● Split key into many pieces ● Give each piece to one person ● Need people to supply those keys at startup to unseal Vault
  • 20. Auto-Unseal Auto-Unseal recap: store the unseal keys locally, but encrypted via some third-party key source ● Cloud: some cloud provider KMS ● HSM: hardware device ● Transit: another Vault cluster
  • 22. Transit Auto-Unseal #1a: create transit key On primary Vault cluster: ● Create a transit key unseal-key vault write -force /transit/keys/unseal-key
  • 23. Transit Auto-Unseal #1b: create policy On primary Vault cluster: ● Create a transit key unseal-key ● Create a policy use-unseal-key with only "encrypt/decrypt with unseal-key" capabilities cat - > policy-file <<EOF path "/transit/encrypt/unseal-key" { capabilities = ["update"] } path "/transit/decrypt/unseal-key" { capabilities = ["update"] } EOF vault policy write use-unseal-key policy-file
  • 24. Transit Auto-Unseal #1c: create token On primary Vault cluster: ● Create a transit key unseal-key ● Create a policy use-unseal-key with only "encrypt/decrypt with unseal-key" capabilities ● Create a token vault token create -policy=use-unseal-key
  • 25. Transit Auto-Unseal #1d: new cluster New Vault cluster seal config: seal "transit" { address = "$VAULT_ADDR_OF_PRIMARY" disable_renewal = "false" key_name = "unseal-key" mount_path = "transit/" } Start and init cluster with $VAULT_TOKEN=token from 1c. Now you can restart it and it will unseal itself without your intervention.
  • 26. Demo can be found at https://github.com/ncabatoff/vault-1.1-webinar Transit auto-unseal Demo 1
  • 27. Links This webinar's demos: https://github.com/ncabatoff/vault-1.1-webinar Tutorial: OIDC with Auth0: https://learn.hashicorp.com/vault/operations/oidc-auth Tutorial: Vault agent caching: https://learn.hashicorp.com/vault/identity-access-management/agent-caching Tutorial: Transit Auto-unseal: https://learn.hashicorp.com/vault/operations/autounseal-transit