Managing Secrets at Scale with Spring Claud Vault

Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Managing Secrets at Scale
with Vault
Christoph Strobl
Pivotal Software, Inc.
@stroblchristoph
#devone

View Slide

Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a
Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 2

View Slide

Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Apache TomEE
Encryption to the Rescue
3

JdbcDriver com.mysql.jdbc.Driver
JdbcUrl jdbc:mysql:!//localhost/test
UserName test
Password Passw0rd
!

View Slide

Apache TomEE
Encryption to the Rescue
4

JdbcDriver com.mysql.jdbc.Driver
JdbcUrl jdbc:mysql:!//localhost/test
UserName test
Password xMH5uM1V9vQzVUv5LG7YLA!==
PasswordCipher Static3DES
!

View Slide

Symmetric vs. Asymmetric
5

View Slide

https://www.flickr.com/photos/dahlstroms/4188244058

View Slide

7
Say,
change that Password once again!

View Slide


View Slide

•  Secure secret storage
•  Sealing
•  Revocation
•  Leasing and renewal
•  Multiple secret backends
•  Access control policies
•  HTTP endpoint
10

View Slide

•  Secret Storage
•  Tokens & ACL
•  Dynamic Secrets
•  Leasing and renewal
•  Key Rolling
•  Audit Logs
•  Hardware Security Modules
•  24x7 Support
Community Enterprise

View Slide

Getting Started – Init Vault
12
$ vault init -key-shares=1 -key-threshold=1
Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244
Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e
$
Sealed: true
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
$
vault status

View Slide

Getting Started – Unseal Vault & Auth Client
13
$ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950…
vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
$
Successfully authenticated!
token: eb5229d6-9858-d494-a1d7-820cae1ea31e
token_duration: 0
token_policies: [root]
$

View Slide

Getting Started – Write & Read Secrets
14
$ vault write secret/devone value=awesome
vault read secret/devone
Success! Data written to: secret/devone
$
Key Value
lease_duration 2592000
value awesome
$

View Slide

Getting Started - HTTP API
15
$ curl –H”X-Vault-Token eb5229d6-9858-d494 :49222/v1/secret/devone
{
lease_id : null,
renewable : false,
lease_duration : 2592000,
data : {
value : awesome
},
wrap_info : null,
…
}
$

View Slide

Getting Started – Seal Vault
16
$ vault seal
vault read secret/devone
Vault is now sealed.
$
Error reading secret/devone: Error making
API request.
URL: GET :49222/v1/secret/devone
Code: 503. Errors:
* Vault is sealed
$

View Slide

17
How is this any better?
What if someone’s got your token?

View Slide

Use APP ID Auth maybe?
18
18
$ vault auth-enable app-id
Successfully enabled 'app-id' at 'app-id'!
$ vault write auth/app-id/map/app-id/devone value=admin
$ vault write auth/app-id/map/user-id/awesome value=devone&
cidr_block=10.0.0.0/16
$

View Slide

Spring Cloud In General
19
Service Discovery Circuit Breakers Routing & Messaging
Ci Pipelines
Tracing
API Gateway
Conﬁguration

View Slide

Spring Cloud
20
Conﬁguration
Conﬁg Server

View Slide

Spring Cloud
21
Service Discovery
Service Reg.
Consumer
Producer
Connect

View Slide

Spring Cloud...
•  Circuit Breakers withNetﬂix Hystrix.
•  Messaging using RabbitMQ or Apache Kafka.
•  Tracing with Spring Cloud Sleuth & Zipkin.
•  Spring Cloud Bus
•  Spring Cloud Stream (pre. Dataﬂow)
•  Spring Cloud Task
•  Spring Cloud AWS
•  … and many more!
22

View Slide

Spring Cloud Vault
23
Token / Auth

View Slide


org.springframework.cloud!
spring-cloud-starter-vault-config!
!
src/main/resources/bootstrap.properties
spring.application.name=spring-devone-app
spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!...
Project Setup – Dependencies & Properties

View Slide

Resolved environment properties
$ curl :8080/env | jq
{
vault:secret/spring-devone-app : {
secret-key : “!!***!!***”
},
vault:secret/applicaton : {
message: “Hello #devone!”
},
…
}
$

View Slide

Spring Proﬁle support built in
$ curl :8080/env | jq
{
profiles : [test, dev],
vault:secret/spring-devone-app/dev : {
local : “!!***!!***”
},
vault:secret/spring-devone-app/test : {
secret-key : “!!***!!***”
},
vault:secret/spring-devone-app : {
secret-key : “!!***!!***”
},
vault:secret/applicaton : {
message: “Hello #devone!”
},
$ mvn -Dspring.profiles.active=test,dev
…

View Slide

Secret Backends
27

View Slide

Diﬀerent Backends
28
1. Conﬁgure
2. Setup
3. Auth
4. Credentials
5. Auth

View Slide

Vault with diﬀerent Backends
29
29
$ vault mount mysql
$ vault write &
mysql/config/connection&
connection_url=spring:[email protected](localhost:3306)
$ vault read mysql/creds/readonly
Lease_id mysql/creds/eb5229d6-9858
Lease_duration 2592000
Password: a9cbc3e47e4635ff2e8239b
Username: token-eb5229d6-9858

View Slide

Spring Cloud Vault with diﬀerent Backends.
30
src/main/resources/bootstrap.properties
spring.application.name=spring-devone-app
spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!...
spring.cloud.vault.mysql.enabled=true
spring.cloud.vault.mysql.role=readonly
spring.datasource.url=jdbc:mysql:!//localhost:3306

View Slide

Spring Framework 5 RC1
Spring Boot 2 M1
Check out the latest releases!

View Slide

Managing Secrets at Scale with Spring Claud Vault

Managing Secrets at Scale with Spring Claud Vault

Christoph Strobl

More Decks by Christoph Strobl

Other Decks in Programming

Featured

Transcript