vault - secret and key management
HashiCorp Vault
Managing Secrets and Passwords
What this Brown Bag is about
Quick intro to HashiCorp Vault
Storing secrets/config with Vault
Integrating systems using Vault
What this Brown Bag is NOT about
Consul Discovery
Using Vault as an oAuth service
Ever had this happen to you?
**** WARNING AWS SECRET FOUND IN REPO ****
**** WARNING CREDENTIALS FOUND! ****
config: aws_access_key_id: AHSSKK21342KJ234LJH aws_secret_access_key_id: XXXXXXXXXXXXXXX
config: jdbc.username: quickadminuser jdbc.password: G3tM30u70fH3r3!
Storing credentials in a public repo is risky!
Tip: Never push credentials to GitHub. GitHub uses bots to scan files on public repos to discover keys and secrets!
Vault by Hashicorp
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
How many times do you change your password?
Tip: No one is expected to change their password every day, but it is a good idea to change your password regularly.
Agenda
Overview of Vault
Vault Architecture
Vault Data Storage Options
Vault Authentication Options
Policies
Using Vault
Demo
Vault by Hashicorp
● Secret storage
● Key & Password Rotation
● Audit Logs
● Object Storage
Vault Architecture
Vault Architecture
Access Vault with:
command line tool
HTTP APIs
$ vault read secret/patient-svc
$ curl -X GET -H "X-Vault-Token: $VAULT_TOKEN" \
    "http://vault:8200/v1/secret/patient-svc"
12 Factor App
Software as a Service
Declarative Format
Minimize Divergence
Scale up without changes
https://12factor.net
Tip: The 12 Factor App approach separates the application from its environment, so the application itself does not have to change from one environment to the next.
Vault Storage Options
Consul (HA)
etcd (HA)
ZooKeeper (HA)
DynamoDB (HA)
S3
Google Cloud Storage
Azure
Swift
MySQL
PostgreSQL
InMem
File
Vault Backends (Mounts)
AWS
Cassandra
Consul
Cubbyhole
Generic
MongoDB
MSSQL
MySQL
PKI Certificates
PostgreSQL
RabbitMQ
SSH
Transit
Custom
Vault Authentication
App Id
AppRole
AWS EC2
GitHub
LDAP
MFA
TLS Certificates
Tokens
Username & Password
AppRole Authentication
Requires a role_id (UUID) and secret (UUID)
The secret_id is volatile: it lasts for a preconfigured time and number of uses
Application requests a client token using role_id & secret_id
Client token is used to access vault
AppRole Authentication
Vault Policies
Control who has access to which parts of Vault
Capabilities include:
Create
Read
Update
List
Sudo
Deny
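What a policy decision looks like for the capabilities listed above. This is an added example, not code from the deck or from HashiCorp: it is a simplified model of how Vault matches a request path against the paths in a policy (an exactly listed path first, then the longest matching glob prefix, with deny overriding everything and no match meaning deny), and the patient-policy document it evaluates is constructed here in the shape of the patient-policy.json that the slides later load with vault policy-write.

```python
"""Simplified model of Vault ACL evaluation for the capabilities on the slide.

Added example, not from the deck or HashiCorp. Matching rules modelled
(an approximation of Vault's evaluator, stated here as assumptions):
  * a path listed exactly beats any glob ("...*") rule;
  * among glob rules the longest prefix wins;
  * a rule containing "deny" denies every operation on that path;
  * a request matching no rule is denied (default deny).
"""
import json

# Constructed policy in the shape of the patient-policy.json on the slides.
PATIENT_POLICY_JSON = """
{
  "path": {
    "secret/patient-svc":        {"capabilities": ["read", "list"]},
    "secret/patient-svc/*":      {"capabilities": ["read"]},
    "secret/patient-svc/ops/*":  {"capabilities": ["create", "read", "update"]},
    "secret/patient-svc/audit":  {"capabilities": ["deny"]},
    "mysql/creds/patient-svc":   {"capabilities": ["read"]}
  }
}
"""

CAPABILITIES = {"create", "read", "update", "list", "sudo", "deny"}


def parse_policy(text):
    """JSON policy -> {path: set(capabilities)}; rejects unknown capability names."""
    policy = {}
    for path, rule in json.loads(text)["path"].items():
        caps = set(rule.get("capabilities", []))
        unknown = caps - CAPABILITIES
        if unknown:
            raise ValueError(f"{path}: unknown capabilities {sorted(unknown)}")
        policy[path] = caps
    return policy


def matching_rule(policy, request_path):
    """Return (rule_path, capabilities) of the most specific rule, or (None, None)."""
    if request_path in policy:                       # exact rule wins outright
        return request_path, policy[request_path]
    best_path, best_caps, best_len = None, None, -1
    for rule_path, caps in policy.items():           # otherwise longest glob prefix
        if rule_path.endswith("*"):
            prefix = rule_path[:-1]
            if request_path.startswith(prefix) and len(prefix) > best_len:
                best_path, best_caps, best_len = rule_path, caps, len(prefix)
    return best_path, best_caps


def is_allowed(policy, request_path, capability):
    """Decision for one request: deny wins, no rule means deny, else check the capability."""
    _, caps = matching_rule(policy, request_path)
    if caps is None or "deny" in caps:
        return False
    return capability in caps


PATIENT_POLICY = parse_policy(PATIENT_POLICY_JSON)

if __name__ == "__main__":
    checks = [("secret/patient-svc", "read"), ("secret/patient-svc/db", "update"),
              ("secret/patient-svc/ops/rotate", "update"), ("secret/patient-svc/audit", "read"),
              ("secret/other", "read")]
    for path, cap in checks:
        rule, _ = matching_rule(PATIENT_POLICY, path)
        verdict = "allow" if is_allowed(PATIENT_POLICY, path, cap) else "deny"
        print(f"{cap:6} {path:32} -> {verdict:5} (rule: {rule})")
```

The interesting cases are the ones a policy author gets wrong most often: the audit path is denied even though the broader glob grants read, the ops glob wins over the shorter glob because it is more specific, and a path the policy never mentions is denied without any rule saying so.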
Vault Policies
Create a new consumer (Token)
$ vault policy-write patient-policy @patient-policy.json
$ vault token-create -policy='patient-policy'
Key              Value
---              -----
token            a7c4e3c1-f9b3-71c0-514c-67c469b9bd3f
token_accessor   40d7fcf6-8ff1-c6c4-632f-9916935ba9a3
token_duration   768h0m0s
token_renewable  true
token_policies   [patient-policy default]
Create a new consumer (AppRole)
$ vault write auth/approle/role/cloud-auth-role \
    secret_id_ttl=10m token_ttl=20m token_max_ttl=30m \
    secret_id_num_uses=40 policies=patient-policy
$ vault read auth/approle/role/cloud-auth-role/role_id
Key      Value
---      -----
role_id  d4494db4-4047-90fb-30ec-18a5fa79cc19
Create a new consumer (AppRole)
$ vault write -f auth/approle/role/cloud-auth-role/secret-id
Key                 Value
---                 -----
secret_id           e01b6593-03c4-6023-cec2-24c8f3c0f2d7
secret_id_accessor  cde853e3-f264-816f-479e-a63a15097630
Create a new consumer (AppRole)
$ vault write auth/approle/login \
    role_id=d4494db4-4047-90fb-30ec-18a5fa79cc19 \
    secret_id=e01b6593-03c4-6023-cec2-24c8f3c0f2d7
Key              Value
---              -----
token            50a69d9b-f5ad-21d8-386d-f6fbbbef404d
token_accessor   6a72e1af-15ae-b896-211d-4f218214db20
token_duration   20m0s
token_renewable  true
token_policies   [default patient-policy]
Storing data to Vault
$ vault write secret/application app_name="My Application"
Success! Data written to secret/application
$ vault read secret/application
Key               Value
---               -----
refresh_interval  768h0m0s
name              My Application
Storing data to Vault
$ vault write secret/application @data.json
Success! Data written to secret/application
$ vault read secret/application
Key               Value
---               -----
refresh_interval  768h0m0s
name              My Application
conn_url          tcp(192.168.99.100:3306)
data.json
{ "name": "My Application", "conn_url": "tcp(192.168.99.100:3306)" }
Setting up MySQL Mount
$ vault mount mysql
$ vault write mysql/config/connection \
    connection_url="user:password@tcp(database:port)/"
$ vault write mysql/roles/patient-svc \
    sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON patient_db.* TO '{{name}}'@'%';"
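The AppRole flow from the earlier slides (log in with role_id and secret_id, get a client token, send it as X-Vault-Token) and the MySQL mount just configured, exercised together over Vault's HTTP API. This is an added example, not code from the deck or from HashiCorp: the VaultClient wrapper, the FakeVault stand-in, the token, accessor and lease strings it returns, and the credential values are all constructed here; the role_id and secret_id are the ones shown on the slides. The request paths (auth/approle/login, secret/..., mysql/creds/...) and the shape of the JSON responses follow Vault's HTTP API as the deck's curl example uses it. With the default urllib transport the same client talks to a real server at VAULT_ADDR.

```python
"""AppRole login, a KV read and a dynamic MySQL credential request over Vault's HTTP API.

Added example (not from the deck or HashiCorp). The transport is injectable:
`urllib_transport` talks to a real server, `FakeVault` is a constructed stand-in
that lets the whole exchange run offline and shows what the server enforces
(single-use secret_id, a token on every read, a lease on each DB credential).
"""
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://vault:8200"   # matches the curl example on the slides


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON body), also on 4xx/5xx."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class VaultClient:
    def __init__(self, addr=VAULT_ADDR, transport=urllib_transport):
        self.addr, self.transport = addr.rstrip("/"), transport
        self.token = None

    def _request(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:                               # same header as the curl example
            headers["X-Vault-Token"] = self.token
        status, payload = self.transport(method, f"{self.addr}/v1/{path}", headers, body)
        if status >= 400:
            raise PermissionError(f"{method} {path}: HTTP {status} {payload.get('errors')}")
        return payload

    def approle_login(self, role_id, secret_id):
        """POST auth/approle/login; keeps the returned client token for later calls."""
        auth = self._request("POST", "auth/approle/login",
                             {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        return auth

    def read(self, path):
        """GET any readable path (secret/... or mysql/creds/...); returns the full response."""
        return self._request("GET", path)


class FakeVault:
    """Constructed stand-in for a Vault server: one AppRole, one KV secret, one mysql role."""
    ROLE_ID = "d4494db4-4047-90fb-30ec-18a5fa79cc19"      # from the slides
    SECRET_ID = "e01b6593-03c4-6023-cec2-24c8f3c0f2d7"    # from the slides

    def __init__(self):
        self.secret_id_uses = {self.SECRET_ID: 1}   # secret_id_num_uses=1 for this example
        self.tokens = {}
        self.leases = {}
        self.kv = {"secret/patient-svc": {"jdbc.url": "jdbc:mysql://database:3306/patient_db"}}

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/approle/login":
            sid = (body or {}).get("secret_id")
            if (body or {}).get("role_id") != self.ROLE_ID or self.secret_id_uses.get(sid, 0) < 1:
                return 400, {"errors": ["invalid role or secret ID"]}
            self.secret_id_uses[sid] -= 1                # each use burns one of the allowed uses
            token = f"constructed-token-{len(self.tokens) + 1}"
            self.tokens[token] = ["default", "patient-policy"]
            return 200, {"auth": {"client_token": token, "accessor": "constructed-accessor",
                                  "policies": self.tokens[token], "lease_duration": 1200,
                                  "renewable": True}}
        if headers.get("X-Vault-Token") not in self.tokens:
            return 403, {"errors": ["permission denied"]}
        if method == "GET" and path in self.kv:
            return 200, {"data": self.kv[path], "lease_duration": 2764800, "renewable": False}
        if method == "GET" and path == "mysql/creds/patient-svc":
            n = len(self.leases) + 1                     # a fresh MySQL user per request
            lease_id = f"mysql/creds/patient-svc/constructed-lease-{n}"
            self.leases[lease_id] = {"username": f"patient-svc-{n}", "password": f"constructed-pw-{n}"}
            return 200, {"lease_id": lease_id, "lease_duration": 3600, "renewable": True,
                         "data": self.leases[lease_id]}
        return 404, {"errors": []}


def fetch_db_credentials(client):
    """What the application does at start-up: read its config, then lease a DB user."""
    cfg = client.read("secret/patient-svc")["data"]
    creds = client.read("mysql/creds/patient-svc")
    return {"url": cfg["jdbc.url"], "username": creds["data"]["username"],
            "password": creds["data"]["password"], "lease_id": creds["lease_id"],
            "lease_duration": creds["lease_duration"]}


if __name__ == "__main__":
    fake = FakeVault()
    client = VaultClient(transport=fake)
    print(client.approle_login(FakeVault.ROLE_ID, FakeVault.SECRET_ID))
    print(fetch_db_credentials(client))
```

Two things to notice when running it: a second login with the same secret_id is refused once its uses are spent, which is why a leaked secret_id is far less useful than a leaked static password, and every read of mysql/creds/patient-svc returns a different user with its own lease_id and lease_duration, so the application has to renew or re-read before the lease expires rather than caching the password forever.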
Configure your application
spring.cloud.vault.mysql:
enabled: true
role: patient-svc
backend: mysql
DEMO
Spring Cloud Vault
Demo
Basic Spring JDBC integration
Request JDBC Username/Password
Return database metadata (database name & version)
Request config data from Vault
Display value
JPA Integration
Persist data to MySQL using:
JPA for persistence
Vault for rotating database credentials
Architecture
Spring Cloud Vault
http://cloud.spring.io/spring-cloud-vault-config/
Currently at 1.0.0.M1
Add-on to the Spring Cloud Suite
Supports configuration and optional database config