Managing Secrets at Scale with Spring Cloud Vault

Share and manage secrets (certificates, passwords, keys) for your applications using Vault and Spring Vault.


Christoph Strobl

June 01, 2017

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

     Managing Secrets at Scale with Vault
     Christoph Strobl, Pivotal Software, Inc.
     @stroblchristoph #devone
  3. Apache TomEE – Encryption to the Rescue

     <Resource id="MySQL Database" type="DataSource">
         JdbcDriver  com.mysql.jdbc.Driver
         JdbcUrl     jdbc:mysql://localhost/test
         UserName    test
         Password    Passw0rd
     </Resource>
  4. Apache TomEE – Encryption to the Rescue

     <Resource id="MySQL Database" type="DataSource">
         JdbcDriver      com.mysql.jdbc.Driver
         JdbcUrl         jdbc:mysql://localhost/test
         UserName        test
         Password        xMH5uM1V9vQzVUv5LG7YLA==
         PasswordCipher  Static3DES
     </Resource>

     Static3DES is TomEE's built-in 3DES cipher with a fixed, well-known key, so this only obfuscates the password: anyone who can read the deployment can decrypt it.
  5. Symmetric vs. Asymmetric
  6. (photo) https://www.flickr.com/photos/dahlstroms/4188244058
  10. Vault
      •  Secure secret storage
      •  Sealing
      •  Revocation
      •  Leasing and renewal
      •  Multiple secret backends
      •  Access control policies
      •  HTTP endpoint
  11. Community:
      •  Secret Storage
      •  Tokens & ACL
      •  Dynamic Secrets
      •  Leasing and renewal
      •  Key Rolling
      •  Audit Logs

      Enterprise:
      •  Hardware Security Modules
      •  24x7 Support
  12. Getting Started – Init Vault

      $ vault init -key-shares=1 -key-threshold=1
      Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244
      Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e

      $ vault status
      Sealed: true
      Key Shares: 1
      Key Threshold: 1
      Unseal Progress: 0
  13. Getting Started – Unseal Vault & Auth Client

      $ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950…
      Sealed: false
      Key Shares: 1
      Key Threshold: 1
      Unseal Progress: 0

      $ vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e
      Successfully authenticated!
      token: eb5229d6-9858-d494-a1d7-820cae1ea31e
      token_duration: 0
      token_policies: [root]
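The init/unseal sequence above uses a single key share with threshold 1, which is fine for a laptop demo but means one string unseals the whole Vault. The mechanism behind `-key-shares` and `-key-threshold` is Shamir secret sharing: the master key is split into N shares and any K of them reconstruct it, fewer reveal nothing. The following is an added example (not Vault's code, not from the slides) that implements the split/combine arithmetic and a small stand-in for the seal state machine that `vault status` reports. It works over one large prime field for brevity; Vault's own implementation splits the key byte-wise over GF(2^8), and the `Barrier` class, its digest check and the master key are constructed for this illustration.

```python
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime, comfortably larger than a 256-bit master key
KEY_BYTES = 66   # bytes needed to serialise any field element for hashing


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    recover it; with fewer, every candidate secret is equally consistent."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]

    def poly(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, poly(x)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return total


def _digest(key):
    return hashlib.sha256(key.to_bytes(KEY_BYTES, "big")).digest()


class Barrier:
    """Stand-in (constructed here) for the seal state that `vault status`
    reports: Sealed, Key Shares, Key Threshold, Unseal Progress. Only a digest
    of the master key is kept, so a reconstructed key can be verified without
    the key itself resting anywhere."""

    def __init__(self, master_key, shares, threshold):
        self.key_shares = shares
        self.key_threshold = threshold
        self._key_digest = _digest(master_key)
        self._pending = {}
        self.sealed = True

    @property
    def unseal_progress(self):
        return len(self._pending)

    def unseal(self, share):
        """Feed one share, as each `vault unseal <key>` call does. Returns True
        once enough distinct shares arrived and they reconstruct the right key."""
        if not self.sealed:
            return True
        x, y = share
        self._pending[x] = y              # a repeated share does not advance progress
        if len(self._pending) < self.key_threshold:
            return False
        candidate = combine_shares(list(self._pending.items()))
        self._pending.clear()             # progress resets after every attempt
        if _digest(candidate) != self._key_digest:
            raise ValueError("unseal failed: shares do not reconstruct the master key")
        self.sealed = False
        return True

    def seal(self):
        self.sealed = True
        self._pending.clear()


if __name__ == "__main__":
    master = int.from_bytes(secrets.token_bytes(32), "big")   # constructed master key
    shares = split_secret(master, shares=5, threshold=3)
    barrier = Barrier(master, shares=5, threshold=3)
    for share in shares[:3]:
        print("unsealed:", barrier.unseal(share), "progress:", barrier.unseal_progress)
```

With shares=1 and threshold=1, as on the slide, the polynomial is a constant and the single "share" is the master key itself; with 5/3, two operators holding one share each cannot unseal, and a share that does not belong to the same split fails the digest check instead of silently unsealing.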
  14. Getting Started – Write & Read Secrets

      $ vault write secret/devone value=awesome
      Success! Data written to: secret/devone

      $ vault read secret/devone
      Key             Value
      lease_duration  2592000
      value           awesome
  15. Getting Started – HTTP API

      $ curl -H "X-Vault-Token: eb5229d6-9858-d494…" :49222/v1/secret/devone
      {
        "lease_id": null,
        "renewable": false,
        "lease_duration": 2592000,
        "data": { "value": "awesome" },
        "wrap_info": null,
        …
      }
  16. Getting Started – Seal Vault

      $ vault seal
      Vault is now sealed.

      $ vault read secret/devone
      Error reading secret/devone: Error making API request.
      URL: GET :49222/v1/secret/devone
      Code: 503. Errors:
      * Vault is sealed
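Slides 15 and 16 show the raw HTTP API: a token in the `X-Vault-Token` header, paths under `/v1/`, a JSON body carrying `data` plus lease fields, and `{"errors": [...]}` with HTTP 503 once the Vault is sealed. The client below is an added example, not Spring Vault or HashiCorp code, that maps those responses onto exceptions an application can act on (sealed vs. permission denied vs. missing key). Its transport is injectable, and `FakeVault` is a constructed in-memory stand-in for a dev server so the whole thing runs offline; the address, token and response bodies it produces are made up for the illustration, following the documented response shapes.

```python
import json
import urllib.error
import urllib.request


class VaultError(Exception): pass

class VaultSealed(VaultError): pass

class VaultPermissionDenied(VaultError): pass


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, body) for errors as well as successes."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class VaultClient:
    def __init__(self, addr, token, transport=urllib_transport):
        self.addr = addr.rstrip("/")
        self.token = token
        self.transport = transport      # swappable so the client can be exercised offline

    def _request(self, method, path, payload=None):
        headers = {"X-Vault-Token": self.token}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, f"{self.addr}/v1/{path.lstrip('/')}", headers, body)
        if status < 400:
            return json.loads(raw) if raw else {}
        if status == 404:
            return None
        errors = json.loads(raw).get("errors", []) if raw else []
        message = f"{method} {path}: HTTP {status}: {'; '.join(errors)}"
        if status == 503:               # the "Vault is sealed" case from the slides
            raise VaultSealed(message)
        if status == 403:
            raise VaultPermissionDenied(message)
        raise VaultError(message)

    def read(self, path):
        """Return (data, lease_id, lease_duration, renewable), or None if absent."""
        body = self._request("GET", path)
        if body is None:
            return None
        return (body["data"], body.get("lease_id") or None,
                body.get("lease_duration", 0), body.get("renewable", False))

    def write(self, path, **data):
        self._request("POST", path, data)       # KV v1 answers 204 with no body

    def seal(self):
        self._request("PUT", "sys/seal")

    def seal_status(self):
        return self._request("GET", "sys/seal-status")["sealed"]


class FakeVault:
    """Constructed in-memory stand-in for a dev server; mimics response shapes only."""

    def __init__(self, root_token):
        self.root_token = root_token
        self.store = {}
        self.sealed = False

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if path == "sys/seal-status":           # answers even while sealed
            return 200, json.dumps({"sealed": self.sealed}).encode()
        if self.sealed:
            return 503, json.dumps({"errors": ["Vault is sealed"]}).encode()
        if headers.get("X-Vault-Token") != self.root_token:
            return 403, json.dumps({"errors": ["permission denied"]}).encode()
        if path == "sys/seal":
            self.sealed = True
            return 204, b""
        if method == "GET":
            if path not in self.store:
                return 404, json.dumps({"errors": []}).encode()
            return 200, json.dumps({"lease_id": "", "renewable": False, "lease_duration": 2592000,
                                    "data": self.store[path], "wrap_info": None}).encode()
        self.store[path] = json.loads(body)
        return 204, b""


if __name__ == "__main__":
    server = FakeVault("eb5229d6-9858-d494-a1d7-820cae1ea31e")  # root token from the slides
    client = VaultClient("http://127.0.0.1:49222", server.root_token, transport=server)
    client.write("secret/devone", value="awesome")
    print(client.read("secret/devone"))
    client.seal()
    try:
        client.read("secret/devone")
    except VaultSealed as err:
        print("error:", err)
```

Against a real server, pass `VAULT_ADDR` and a token and leave the default transport in place. The point of separating `VaultSealed` from the other errors is operational: a sealed Vault is a "retry later, page the operators" condition, whereas 403 means the token or policy is wrong and retrying will not help.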
  18. Use App ID Auth maybe?

      $ vault auth-enable app-id
      Successfully enabled 'app-id' at 'app-id'!
      $ vault write auth/app-id/map/app-id/devone value=admin
      $ vault write auth/app-id/map/user-id/awesome value=devone cidr_block=10.0.0.0/16

      (The app-id backend has since been deprecated in favour of AppRole.)
  19. Spring Cloud in General
      Service Discovery, Circuit Breakers, Routing & Messaging, CI Pipelines, Tracing, API Gateway, Configuration
  20. Spring Cloud – Configuration: Config Server (diagram)
  21. Spring Cloud – Service Discovery: Service Registry, Consumer, Producer, Connect (diagram)
  22. Spring Cloud...
      •  Circuit Breakers with Netflix Hystrix.
      •  Messaging using RabbitMQ or Apache Kafka.
      •  Tracing with Spring Cloud Sleuth & Zipkin.
      •  Spring Cloud Bus
      •  Spring Cloud Stream (Data Flow)
      •  Spring Cloud Task
      •  Spring Cloud AWS
      •  … and many more!
  23. Spring Cloud Vault – Token / Auth (diagram)
  24. Project Setup – Dependencies & Properties

      <dependency>
          <groupId>org.springframework.cloud</groupId>
          <artifactId>spring-cloud-starter-vault-config</artifactId>
      </dependency>

      src/main/resources/bootstrap.properties
      spring.application.name=spring-devone-app
      spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820…
  25. Resolved environment properties

      $ curl :8080/env | jq
      {
        "vault:secret/spring-devone-app": { "secret-key": "******" },
        "vault:secret/application": { "message": "Hello #devone!" },
        …
      }
  26. Spring Profile support built in

      $ mvn -Dspring.profiles.active=test,dev …

      $ curl :8080/env | jq
      {
        "profiles": ["test", "dev"],
        "vault:secret/spring-devone-app/dev": { "local": "******" },
        "vault:secret/spring-devone-app/test": { "secret-key": "******" },
        "vault:secret/spring-devone-app": { "secret-key": "******" },
        "vault:secret/application": { "message": "Hello #devone!" },
        …
      }
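Slides 25 and 26 show the property sources Spring Cloud Vault contributes: `secret/{application}`, `secret/application` and, per active profile, `secret/{application}/{profile}`, listed most specific first, with the last active profile (`dev`) ahead of `test`. Because Spring resolves a property from the first source that defines it, that listing order is the precedence order. The following is an added example, not Spring Cloud Vault's code, that reproduces the path derivation and the merge so you can predict which value wins. The store contents and values are constructed; that empty paths contribute no source, and the key list used for masking, are assumptions noted in the comments.

```python
import re

# Key names whose values /env masks; approximates Spring Boot's defaults (assumption).
SENSITIVE = re.compile(r"password|secret|key|token|credentials", re.IGNORECASE)


def vault_contexts(application, profiles=(), backend="secret", default_context="application"):
    """Context paths, highest precedence first: {app}/{profile} for the active
    profiles last-to-first, then {app}, then the same for the default context."""
    paths, seen = [], set()
    for ctx in (application, default_context):
        if not ctx or ctx in seen:
            continue
        seen.add(ctx)
        for profile in reversed(list(profiles)):
            paths.append(f"{backend}/{ctx}/{profile}")
        paths.append(f"{backend}/{ctx}")
    return paths


def resolve(store, application, profiles=()):
    """Merge the secrets found under each context; the first path that defines
    a key wins. Paths with no data are skipped (assumption: an empty path
    contributes no property source)."""
    resolved, sources = {}, []
    for path in vault_contexts(application, profiles):
        data = store.get(path)
        if not data:
            continue
        sources.append(path)
        for key, value in data.items():
            resolved.setdefault(key, value)
    return resolved, sources


def sanitize(properties):
    """Mask values whose key looks sensitive, the way /env shows ****** above."""
    return {k: "******" if SENSITIVE.search(k) else v for k, v in properties.items()}


# Constructed KV contents mirroring the paths on the slide; the values are made up.
STORE = {
    "secret/spring-devone-app/dev": {"local": "dev-local", "db.pool": "2"},
    "secret/spring-devone-app/test": {"secret-key": "test-key", "db.pool": "10"},
    "secret/spring-devone-app": {"secret-key": "base-key", "db.pool": "5"},
    "secret/application": {"message": "Hello #devone!"},
}

if __name__ == "__main__":
    props, sources = resolve(STORE, "spring-devone-app", ["test", "dev"])
    for path in sources:
        print(path)
    print(sanitize(props))
```

Reordering the active profiles changes the answer: with `test,dev` the `dev` context wins for `db.pool`, with `dev,test` the `test` context does, and with no profile the base `secret/spring-devone-app` value is used. Keep this in mind when a staging deployment activates an extra profile: whichever profile is listed last silently overrides the others for any shared key.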
  27. Secret Backends
  28. Different Backends (diagram: 1. Configure → 2. Setup → 3. Auth → 4. Credentials → 5. Auth)
  29. Vault with different Backends

      $ vault mount mysql
      $ vault write mysql/config/connection connection_url=spring:vault@tcp(localhost:3306)
      $ vault read mysql/creds/readonly
      lease_id        mysql/creds/eb5229d6-9858
      lease_duration  2592000
      password        a9cbc3e47e4635ff2e8239b
      username        token-eb5229d6-9858
  30. Spring Cloud Vault with different Backends

      src/main/resources/bootstrap.properties
      spring.application.name=spring-devone-app
      spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820…
      spring.cloud.vault.mysql.enabled=true
      spring.cloud.vault.mysql.role=readonly
      spring.datasource.url=jdbc:mysql://localhost:3306
  31. Check out the latest releases!
      Spring Framework 5 RC1
      Spring Boot 2 M1