High Availability Vault Service on AWS Environment
Gea-Suan Lin
March 17, 2022
Technology
Transcript
High Availability Vault Service on AWS Environment
Gea-Suan Lin (DK)
Director of SW Platform and Infrastructures

Links
• This slide:
  ◦ https://bit.ly/3igUbgh
• AWS Summit Taiwan 2021:
  ◦ https://aws.amazon.com/tw/events/taiwan/2021summit/
• My wiki:
  ◦ https://wiki.gslin.org/wiki/Vault/Install (in Chinese)

Explain “Migo”
• https://wiki.gslin.org/wiki/Migo

What is HashiCorp Vault?
• “Manage secrets and protect sensitive data”
• Usually:
  ◦ Credentials
  ◦ Tokens
  ◦ …
• Sometimes:
  ◦ Endpoint information
  ◦ …

Why do people need Vault?
• Auditing.
• Credentials/tokens versioning.
• We don’t want to put credentials into Ansible and/or GitLab…

Today’s objectives
• High availability.
  ◦ But I don’t want to manage HA by myself.

Technologies
• Amazon EC2 (Multi-AZ)
  ◦ (or container-based services like ECS/EKS)
• Amazon DynamoDB
• AWS KMS
• AWS ELB
• AWS ACM (optional)

Setup DynamoDB
• Create a table called vault.
  ◦ Primary key as Path.
  ◦ Sort key as Key.
Setup KMS
• Create a key with SYMMETRIC_DEFAULT.
Setup EC2
• Create two t3a.nano or t4g.nano instances.
• We choose Ubuntu 20.04.
Install Vault
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt update && sudo apt install vault

Setup Vault
api_addr     = "http://10.10.10.10:8200"
cluster_addr = "http://10.10.10.10:8201"
log_level    = "Info"
ui           = true

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "10.10.10.10:8201"
  tls_disable     = "true"
}

seal "awskms" {
  region     = "ap-southeast-1"
  access_key = "x"
  secret_key = "x"
  kms_key_id = "x"
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "ap-southeast-1"
  table      = "vault"
  access_key = "x"
  secret_key = "x"
}

Setup EC2 IAM Role
• Create an EC2 role.
• Attach two inline policies.
• Attach to EC2 instances.

EC2 IAM Role - Policy-Vault-DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:ListTagsOfResource",
        "dynamodb:Query",
        "dynamodb:UpdateItem",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:GetRecords"
      ],
      "Resource": [
        "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
        "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
        "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeReservedCapacityOfferings",
        "dynamodb:ListTables",
        "dynamodb:DescribeReservedCapacity",
        "dynamodb:DescribeLimits"
      ],
      "Resource": "*"
    }
  ]
}

EC2 IAM Role - Policy-Vault-KMS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
    }
  ]
}
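The "Setup Vault" and "EC2 IAM Role" slides go together: once the role with the DynamoDB and KMS policies is attached to the instances, the `awskms` seal and `dynamodb` storage stanzas can omit `access_key`/`secret_key` entirely and Vault takes credentials from the instance profile through the AWS SDK default credential chain, so no static key has to live on disk. Each node also has to advertise its own private IP in `api_addr`, `cluster_addr` and `cluster_address` (the slide shows one node's values). The script below is an added example, not from the deck; it renders that per-node config from parameters and flags any leftover static-credential lines. Argument names, the `render_vault_config` and `config_has_static_keys` helpers, and the `/etc/vault.d/vault.hcl` path in the usage comment are assumptions for illustration.

```shell
# Added example: render the vault.hcl for one node of the two-node cluster.
# Assumes the node runs under the EC2 IAM role from the slides, so the awskms
# seal and dynamodb storage stanzas omit access_key/secret_key and Vault falls
# back to the instance profile (AWS SDK default credential chain).
# Arguments: node private IP, AWS region, DynamoDB table name, KMS key id.
render_vault_config() {
    node_ip="$1"; region="$2"; table="$3"; kms_key_id="$4"
    cat <<EOF
api_addr     = "http://${node_ip}:8200"
cluster_addr = "http://${node_ip}:8201"
log_level    = "Info"
ui           = true

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "${node_ip}:8201"
  tls_disable     = "true"   # TLS is terminated at the ALB with an ACM certificate
}

seal "awskms" {
  region     = "${region}"
  kms_key_id = "${kms_key_id}"
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "${region}"
  table      = "${table}"
}
EOF
}

# Sanity check on a rendered (or hand-written) config: any line that sets
# access_key or secret_key means the node carries a static credential instead
# of using the instance role. Returns 0 if such a line exists, 1 otherwise.
config_has_static_keys() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(access_key|secret_key)[[:space:]]*='
}

# Usage on a node (hypothetical path; the private IP is read from the primary
# interface so the same script works on both instances):
#   node_ip=$(hostname -I | awk '{print $1}')
#   render_vault_config "$node_ip" ap-southeast-1 vault <kms-key-id> \
#       | sudo tee /etc/vault.d/vault.hcl >/dev/null
```

Because the slide's policies scope DynamoDB access to the `vault` table and KMS access to the single key, the role is the only credential a node needs; keeping the keys out of the config also keeps them out of the deck's Ansible/GitLab pipelines, which was the stated reason for adopting Vault.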
Setup ELB
• Choose ALB.
• /v1/sys/health as health check path.
• Backend on port 8200.
• Frontend on port 80.
  ◦ Recommended: use ACM for HTTPS (port 443).

Start Vault
sudo systemctl enable vault
sudo service vault start

Initialization
# Remember to write down the root token
vault operator init \
  -recovery-shares=1 \
  -recovery-threshold=1 \
  -address=http://127.0.0.1:8200

Now it’s working
• http://vault.example.com/
  ◦ https://vault.example.com/ (HTTPS)

Monitoring
• Cloudwatch
  ◦ ELB (ALB)
  ◦ EC2
  ◦ DynamoDB
  ◦ KMS
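The ALB health check on `/v1/sys/health` (from the "Setup ELB" slide) and the CloudWatch monitoring slide both depend on what that endpoint returns. Vault's sys/health API reports cluster state through the HTTP status code: 200 for an initialized, unsealed, active node; 429 for an unsealed standby; 501 for a node that has not been initialized; 503 for a sealed node. An ALB target group only counts 200 as healthy by default, so in this two-node HA setup the standby node is marked unhealthy unless the health-check path is `/v1/sys/health?standbyok=true` (standby then answers 200) or the target group's success codes include 429. The script below is an added example, not part of the deck: it interprets those codes, probes nodes with curl, and summarises the cluster so that "no active node" or "two active nodes" can be alerted on. The helper names, the constructed sample probe lines, and the 3-second curl timeout are assumptions.

```shell
# Added example: interpret /v1/sys/health status codes as the ALB sees them and
# summarise a Vault HA cluster from per-node probe results.
# Code meanings are those documented for Vault's sys/health endpoint:
#   200 initialized, unsealed, active   429 unsealed, standby
#   501 not initialized                 503 sealed
vault_health_state() {
    case "$1" in
        200) echo active ;;
        429) echo standby ;;
        501) echo uninitialized ;;
        503) echo sealed ;;
        *)   echo "other($1)" ;;
    esac
}

# Probe one node and print only the HTTP status code (curl prints 000 when the
# node is unreachable). Assumes curl is installed; $1 is the node's API address.
probe_vault_health() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 3 "$1/v1/sys/health"
}

# Read "node status_code" lines on stdin, print one summary line, and return 0
# only when exactly one node is active. Zero active nodes (all sealed or down)
# and more than one active node (two holders of the HA lock) both warrant an
# alert rather than a silent pass.
summarize_cluster() {
    active=0 standby=0 sealed=0 other=0
    while read -r node code; do
        [ -n "$node" ] || continue
        case "$(vault_health_state "$code")" in
            active)  active=$((active + 1)) ;;
            standby) standby=$((standby + 1)) ;;
            sealed)  sealed=$((sealed + 1)) ;;
            *)       other=$((other + 1)) ;;
        esac
    done
    echo "active=$active standby=$standby sealed=$sealed other=$other"
    [ "$active" -eq 1 ]
}

# Usage with a constructed sample (one active node, one standby):
#   printf '10.10.10.10 200\n10.10.10.11 429\n' | summarize_cluster
#   -> active=1 standby=1 sealed=0 other=0   (exit status 0)
# Usage against live nodes (private addresses are assumptions):
#   for ip in 10.10.10.10 10.10.10.11; do
#       echo "$ip $(probe_vault_health "http://$ip:8200")"
#   done | summarize_cluster
```

Running the summary from cron and pushing the counts as a custom CloudWatch metric gives a cluster-level view that the per-service dashboards on the monitoring slide do not provide on their own: a sealed node after an instance restart shows up as `active=1 sealed=1` before any client notices.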
That’s it…
• Q&A after sessions.
• And we’re hiring!