
High Availability Vault Service on AWS Environment


Gea-Suan Lin

March 17, 2022


Transcript

  1. High Availability Vault Service on AWS Environment
     Gea-Suan Lin (DK), Director of SW Platform and Infrastructures
  2. Links
     • This slide: https://bit.ly/3igUbgh
     • AWS Summit Taiwan 2021: https://aws.amazon.com/tw/events/taiwan/2021summit/
     • My wiki: https://wiki.gslin.org/wiki/Vault/Install (in Chinese)
  3. What is HashiCorp Vault?
     • “Manage secrets and protect sensitive data”
     • Usually:
       ◦ Credentials
       ◦ Tokens
       ◦ …
     • Sometimes:
       ◦ Endpoint information
       ◦ …
  4. Why do people need Vault?
     • Auditing.
     • Credentials/tokens versioning.
     • We don’t want to put credentials into Ansible and/or GitLab…
  5. Technologies
     • Amazon EC2 (Multi-AZ)
       ◦ (or container-based services like ECS/EKS)
     • Amazon DynamoDB
     • AWS KMS
     • AWS ELB
     • AWS ACM (optional)
  6. Install Vault
       curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
       sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"
       sudo apt update && sudo apt install vault
  7. Setup Vault
       # Addresses other nodes and clients use to reach this node; 10.10.10.10 is this
       # node's own address on the slide.
       api_addr     = "http://10.10.10.10:8200"
       cluster_addr = "http://10.10.10.10:8201"
       log_level    = "Info"
       ui           = true

       listener "tcp" {
         address         = "0.0.0.0:8200"
         cluster_address = "10.10.10.10:8201"
         # Plain HTTP on the node; HTTPS is terminated at the ALB (slide 11).
         tls_disable     = "true"
       }

       # Auto-unseal with a KMS key. "x" values are placeholders on the slide.
       seal "awskms" {
         region     = "ap-southeast-1"
         access_key = "x"
         secret_key = "x"
         kms_key_id = "x"
       }

       # HA storage backend; ha_enabled lets the nodes elect an active leader.
       storage "dynamodb" {
         ha_enabled = "true"
         region     = "ap-southeast-1"
         table      = "vault"
         access_key = "x"
         secret_key = "x"
       }
  8. Setup EC2 IAM Role
     • Create an EC2 role.
     • Attach two inline policies.
     • Attach to EC2 instances.
  9. EC2 IAM Role - Policy-Vault-DynamoDB
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
               "dynamodb:BatchGetItem",
               "dynamodb:BatchWriteItem",
               "dynamodb:PutItem",
               "dynamodb:DescribeTable",
               "dynamodb:DeleteItem",
               "dynamodb:GetItem",
               "dynamodb:Scan",
               "dynamodb:ListTagsOfResource",
               "dynamodb:Query",
               "dynamodb:UpdateItem",
               "dynamodb:DescribeTimeToLive",
               "dynamodb:GetRecords"
             ],
             "Resource": [
               "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
               "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
               "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
             ]
           },
           {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": [
               "dynamodb:DescribeReservedCapacityOfferings",
               "dynamodb:ListTables",
               "dynamodb:DescribeReservedCapacity",
               "dynamodb:DescribeLimits"
             ],
             "Resource": "*"
           }
         ]
       }
  10. EC2 IAM Role - Policy-Vault-KMS
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
               "kms:Decrypt",
               "kms:Encrypt",
               "kms:DescribeKey"
             ],
             "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
           }
         ]
       }
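The two inline policies on slides 9 and 10 can be checked mechanically for scope before they are attached to the role. The Python below is an added example, not part of the deck: it flags wildcard actions, actions belonging to another service, data-plane actions granted on Resource "*", and resources outside the Vault table or the unseal key. The account id, region and key id are the placeholder values printed on the slides; the over-broad policy is constructed here as a counter-example.

```python
# Added example (not from the deck): a least-privilege audit of the two inline
# policies on slides 9 and 10. Account id, region and key id are as printed there.
METADATA_ACTIONS = {  # read-only metadata calls that are acceptable on Resource "*"
    "dynamodb:DescribeTable", "dynamodb:DescribeLimits", "dynamodb:ListTables",
    "dynamodb:DescribeTimeToLive", "dynamodb:ListTagsOfResource",
    "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeReservedCapacityOfferings",
}
VAULT_TABLE = "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
VAULT_KEY = "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"


def _as_list(value):  # IAM allows a bare string where a list is expected
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, service: str, scoped_resource: str) -> list:
    """Findings for Allow statements reaching beyond scoped_resource; [] means scoped."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt["Action"])
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not action.startswith(service + ":"):
                findings.append(f"{sid}: action outside {service}: {action!r}")
        for res in _as_list(stmt["Resource"]):
            if res == "*":  # only harmless on metadata calls (slide 9, VisualEditor1)
                extra = sorted(set(actions) - METADATA_ACTIONS)
                if extra:
                    findings.append(f"{sid}: data-plane actions on Resource '*': {extra}")
            elif res != scoped_resource and not res.startswith(scoped_resource + "/"):
                findings.append(f"{sid}: resource outside {scoped_resource}: {res}")
    return findings


SLIDE_9_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": [
        "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
        "dynamodb:DescribeTable", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Scan",
        "dynamodb:ListTagsOfResource", "dynamodb:Query", "dynamodb:UpdateItem",
        "dynamodb:DescribeTimeToLive", "dynamodb:GetRecords"],
     "Resource": [VAULT_TABLE + "/stream/*", VAULT_TABLE + "/index/*", VAULT_TABLE]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": [
        "dynamodb:DescribeReservedCapacityOfferings", "dynamodb:ListTables",
        "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeLimits"], "Resource": "*"}]}
SLIDE_10_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"], "Resource": VAULT_KEY}]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed counter-example
    {"Sid": "AllDynamo", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
```

Calling `audit_policy(SLIDE_9_POLICY, "dynamodb", VAULT_TABLE)` returns an empty list, while the constructed policy yields two findings (wildcard action and data-plane access on Resource "*").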
  11. Setup ELB
     • Choose ALB.
     • /v1/sys/health as health check path.
     • Backend on port 8200.
     • Frontend on port 80.
       ◦ Using ACM for HTTPS (port 443) is recommended.
  12. Initialization
       # Remember to write down the root token.
       # With the awskms seal, init prints recovery key(s) instead of unseal keys;
       # store those as well.
       vault operator init \
         -recovery-shares=1 \
         -recovery-threshold=1 \
         -address=http://127.0.0.1:8200