Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale with Spring Claud Vault

Christoph Strobl
June 01, 2017
Programming
0
83

Managing Secrets at Scale with Spring Claud Vault

Share and manage secrets (certificates, passwords, keys) for your applications using Vault and Spring Vault.

Christoph Strobl

June 01, 2017
Tweet

More Decks by Christoph Strobl

See All by Christoph Strobl
No Offset - Pagination with the Seek Method
christophstrobl
0
69
Tech Talk - Persistence with Spring Data
christophstrobl
0
150
A Spring Data’s Guide to Persistence
christophstrobl
0
58
What's new in Spring Data MongoDB
christophstrobl
0
110
Spring Data Moore and Beyond
christophstrobl
0
570
What's new in SpringData Moore
christophstrobl
0
96
Simply Reactive - Eventually build a reactive Elasticsearch client (Technologieplauscherl)
christophstrobl
0
140
Next Generation MongoDB with Spring: Sessions, Streams, Transactions (WJax-2018)
christophstrobl
1
160
What's new in Spring Data Lovelace
christophstrobl
0
200

Other Decks in Programming

See All in Programming
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
700
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
400
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
ScalarDBを用いたマイクロサービスにおけるデータ管理 (Database Engineering Meetup #2)
scalar
0
110
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
Front-end application development, Symfony-style(s)
dunglas
2
2k
Git Lint
bkuhlmann
4
750
Hanami and htmx
bkuhlmann
0
200
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
130
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
260
Elm 0.19.0 Changes
bkuhlmann
0
490

Featured

See All Featured
Scaling GitHub
holman
457
140k
Code Review Best Practice
trishagee
55
15k
Building Applications with DynamoDB
mza
88
5.6k
Practical Orchestrator
shlominoach
182
9.7k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
How to name files
jennybc
65
93k
Atom: Resistance is Futile
akmur
259
25k
What's new in Ruby 2.0
geeforr
337
31k
Music & Morning Musume
bryan
41
5.6k
The Cult of Friendly URLs
andyhume
74
5.7k
The Mythical Team-Month
searls
216
42k
Automating Front-end Workflow
addyosmani
1356
200k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale with Vault Christoph Strobl Pivotal Software, Inc. @stroblchristoph #devone

  2. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 2

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 3 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password Passw0rd !</Resource>

  4. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 4 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password xMH5uM1V9vQzVUv5LG7YLA!== PasswordCipher Static3DES !</Resource>

  5. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Symmetric vs. Asymmetric 5

  6. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 6 https://www.flickr.com/photos/dahlstroms/4188244058

  7. 7 Say, change that Password once again!

  8. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 8

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ •  Secure secret storage •  Sealing •  Revocation •  Leasing and renewal •  Multiple secret backends •  Access control policies •  HTTP endpoint 10

  11. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 11 •  Secret Storage •  Tokens & ACL •  Dynamic Secrets •  Leasing and renewal •  Key Rolling •  Audit Logs •  Hardware Security Modules •  24x7 Support Community Enterprise

  12. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Init Vault 12 $ vault init -key-shares=1 -key-threshold=1 Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244 Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e $ Sealed: true Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ vault status

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Unseal Vault & Auth Client 13 $ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950… vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e Sealed: false Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ Successfully authenticated! token: eb5229d6-9858-d494-a1d7-820cae1ea31e token_duration: 0 token_policies: [root] $

  14. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Write & Read Secrets 14 $ vault write secret/devone value=awesome vault read secret/devone Success! Data written to: secret/devone $ Key Value lease_duration 2592000 value awesome $

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started - HTTP API 15 $ curl –H”X-Vault-Token eb5229d6-9858-d494 :49222/v1/secret/devone { lease_id : null, renewable : false, lease_duration : 2592000, data : { value : awesome }, wrap_info : null, … } $

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Seal Vault 16 $ vault seal vault read secret/devone Vault is now sealed. $ Error reading secret/devone: Error making API request. URL: GET :49222/v1/secret/devone Code: 503. Errors: * Vault is sealed $

  17. 17 How is this any better? What if someone’s got

    your token?

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Use APP ID Auth maybe? 18 18 $ vault auth-enable app-id Successfully enabled 'app-id' at 'app-id'! $ vault write auth/app-id/map/app-id/devone value=admin $ vault write auth/app-id/map/user-id/awesome value=devone& cidr_block=10.0.0.0/16 $

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud In General 19 Service Discovery Circuit Breakers Routing & Messaging Ci Pipelines Tracing API Gateway Configuration

  20. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 20 Configuration Config Server

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 21 Service Discovery Service Reg. Consumer Producer Connect

  22. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud... •  Circuit Breakers withNetflix Hystrix. •  Messaging using RabbitMQ or Apache Kafka. •  Tracing with Spring Cloud Sleuth & Zipkin. •  Spring Cloud Bus •  Spring Cloud Stream (pre. Dataflow) •  Spring Cloud Task •  Spring Cloud AWS •  … and many more! 22

  23. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault 23 Token / Auth

  24. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 24 <dependency> <groupId>org.springframework.cloud!</groupId> <artifactId>spring-cloud-starter-vault-config!</artifactId> !</dependency> src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... Project Setup – Dependencies & Properties

  25. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resolved environment properties $ curl :8080/env | jq { vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, … } $

  26. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Profile support built in $ curl :8080/env | jq { profiles : [test, dev], vault:secret/spring-devone-app/dev : { local : “!!***!!***” }, vault:secret/spring-devone-app/test : { secret-key : “!!***!!***” }, vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, $ mvn -Dspring.profiles.active=test,dev …

  27. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 27

  28. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Different Backends 28 1. Configure 2. Setup 3. Auth 4. Credentials 5. Auth

  29. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault with different Backends 29 29 $ vault mount mysql $ vault write & mysql/config/connection& connection_url=spring:vault@tcp(localhost:3306) $ vault read mysql/creds/readonly Lease_id mysql/creds/eb5229d6-9858 Lease_duration 2592000 Password: a9cbc3e47e4635ff2e8239b Username: token-eb5229d6-9858

  30. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault with different Backends. 30 src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... spring.cloud.vault.mysql.enabled=true spring.cloud.vault.mysql.role=readonly spring.datasource.url=jdbc:mysql:!//localhost:3306

  31. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 31 Spring Framework 5 RC1 Spring Boot 2 M1 Check out the latest releases!