
High Availability Vault Service on AWS Environment



Gea-Suan Lin

March 17, 2022


Transcript

  1. High Availability Vault Service on AWS Environment
     Gea-Suan Lin (DK), Director of SW Platform and Infrastructures
  2. Links
     • This slide:
       ◦ https://bit.ly/3igUbgh
     • AWS Summit Taiwan 2021:
       ◦ https://aws.amazon.com/tw/events/taiwan/2021summit/
     • My wiki:
       ◦ https://wiki.gslin.org/wiki/Vault/Install (in Chinese)
  3. Explain “Migo” • https://wiki.gslin.org/wiki/Migo

  4. What is HashiCorp Vault?
     • “Manage secrets and protect sensitive data”
     • Usually:
       ◦ Credentials
       ◦ Tokens
       ◦ …
     • Sometimes:
       ◦ Endpoint information
       ◦ …
  5. Why do people need Vault?
     • Auditing.
     • Credentials/tokens versioning.
     • We don’t want to put credentials into Ansible and/or GitLab…
  6. Today’s objectives
     • High availability.
       ◦ But I don’t want to manage HA by myself.
  7. Technologies
     • Amazon EC2 (Multi-AZ): runs the Vault nodes.
       ◦ (or container-based services like ECS/EKS)
     • Amazon DynamoDB: storage backend and HA lock, so the Vault nodes themselves hold no persistent state.
     • AWS KMS: auto-unseal, so a restarted node comes back without an operator entering unseal keys.
     • AWS ELB (ALB): single entry point in front of both nodes.
     • AWS ACM (optional): certificate for HTTPS on the ALB.
  8. Setup DynamoDB
     • Create a table called vault.
       ◦ Partition (primary) key: Path, type String.
       ◦ Sort key: Key, type String.
     • These are the attribute names Vault’s dynamodb storage backend expects. Vault can also create the table itself on first start, but that needs dynamodb:CreateTable, which the role policy on slide 17 does not grant.
  10. Setup KMS
      • Create a symmetric key (key spec SYMMETRIC_DEFAULT) in the same region as the instances; the awskms seal in slide 15 uses it to encrypt and decrypt Vault’s root key for auto-unseal.
  12. Setup EC2
      • Create two t3a.nano or t4g.nano instances, one in each of two Availability Zones (the Multi-AZ part of slide 7).
      • We choose Ubuntu 20.04.
  14. Install Vault (on each node)
      curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
      sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"
      sudo apt update && sudo apt install vault
      • apt-key still works on Ubuntu 20.04 but is deprecated, and a key added this way is trusted for every repository on the host, not only HashiCorp’s. On 22.04 and later, store the key in a keyring file under /usr/share/keyrings and reference it with signed-by in the sources entry instead.
  15. Setup Vault (/etc/vault.d/vault.hcl, the file the HashiCorp package’s systemd unit reads; 10.10.10.10 is this node’s own private IP, so the file differs per node)
      api_addr     = "http://10.10.10.10:8200"
      cluster_addr = "http://10.10.10.10:8201"
      log_level    = "Info"
      ui           = true
      listener "tcp" {
        address         = "0.0.0.0:8200"
        cluster_address = "10.10.10.10:8201"
        tls_disable     = "true"
      }
      seal "awskms" {
        region     = "ap-southeast-1"
        kms_key_id = "x"
      }
      storage "dynamodb" {
        ha_enabled = "true"
        region     = "ap-southeast-1"
        table      = "vault"
      }
      • The original slide also carried access_key = "x" / secret_key = "x" in both the seal and storage stanzas. They are omitted here: once the EC2 IAM role from slide 16 is attached, the AWS SDK inside Vault takes its credentials from the instance metadata service, and static keys in the config file would be one more long-lived secret to protect and rotate.
      • tls_disable = "true" means traffic between the ALB and port 8200 is plaintext inside the VPC; TLS is terminated on the ALB (slide 20). Node-to-node traffic on the cluster port 8201 is always TLS with certificates Vault manages itself, so the http:// scheme in cluster_addr is ignored.
  16. Setup EC2 IAM Role
      • Create an EC2 role (trust policy allowing ec2.amazonaws.com to assume it).
      • Attach two inline policies (slides 17 and 18).
      • Attach the role, through its instance profile, to both EC2 instances.
      • The role’s credentials are served from the instance metadata endpoint, so require IMDSv2 on the instances: obtaining a session token needs a PUT request, which defeats the plain-GET SSRF that would otherwise read the credentials.
  17. EC2 IAM Role - Policy-Vault-DynamoDB (123456789012 stands for the account ID)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:PutItem",
              "dynamodb:DescribeTable",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:Scan",
              "dynamodb:ListTagsOfResource",
              "dynamodb:Query",
              "dynamodb:UpdateItem",
              "dynamodb:DescribeTimeToLive",
              "dynamodb:GetRecords"
            ],
            "Resource": [
              "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
              "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
              "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
            ]
          },
          {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
              "dynamodb:DescribeReservedCapacityOfferings",
              "dynamodb:ListTables",
              "dynamodb:DescribeReservedCapacity",
              "dynamodb:DescribeLimits"
            ],
            "Resource": "*"
          }
        ]
      }
  18. EC2 IAM Role - Policy-Vault-KMS (only the three actions the awskms seal needs, on the one key)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt",
              "kms:Encrypt",
              "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
          }
        ]
      }
  20. Setup ELB
      • Choose ALB.
      • /v1/sys/health as health check path.
        ◦ Vault returns 200 only from the active node; an unsealed standby answers 429, a sealed node 503, an uninitialized node 501. With the ALB’s default success code of 200 only the active node is healthy, which is what you want here: the standby receives no traffic until it takes over the DynamoDB HA lock. (Append ?standbyok=true to the path if standbys should count as healthy; they forward requests to the active node.)
      • Backend in port 8200.
        ◦ Allow 8200 on the instances’ security group only from the ALB’s security group: the listener binds 0.0.0.0 without TLS.
      • Frontend in port 80.
        ◦ Recommend to use ACM for HTTPS (port 443). Vault tokens are sent in request headers, so a plain-HTTP listener exposes them on the wire; have port 80 redirect to 443 rather than serve the API.
  21. Start Vault (on each node)
      sudo systemctl enable vault; sudo service vault start

  22. Initialization (run once, against one node; the other node finds the cluster through the DynamoDB HA lock and unseals itself through KMS)
      # Remember to write down the root token
      vault operator init \
        -recovery-shares=1 \
        -recovery-threshold=1 \
        -address=http://127.0.0.1:8200
      • With the awskms seal, init hands out recovery keys rather than unseal keys: they are not needed to unseal, but they are required for operations such as generating a new root token or rekeying. 1/1 is fine for a demo; for production pick shares/threshold that need more than one operator (for example 5/3).
      • Use the initial root token only to set up auth methods and policies, then revoke it (vault token revoke -self). The root token and recovery keys go into a separate secret store, not into the Ansible or GitLab repositories the deck is trying to keep credentials out of.
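Slides 8 to 22 are one procedure. The script below is an added example (it is neither the deck’s own code nor HashiCorp’s) that does the AWS side of it with the AWS CLI: the DynamoDB table with the Path/Key schema, the SYMMETRIC_DEFAULT key, the EC2 role with the two inline policies and its instance profile, and a rendered per-node vault.hcl that relies on the instance role instead of the access_key/secret_key placeholders. Names it assumes rather than takes from the slides: the role and instance-profile name vault-ec2, on-demand (PAY_PER_REQUEST) billing for the table, the account ID from `aws sts get-caller-identity`, and the config path /etc/vault.d/vault.hcl that the HashiCorp package uses. The EC2 instances, the ALB and the init command stay as on the slides.

```shell
#!/usr/bin/env bash
# Added example, not from the deck: provisions the AWS side of slides 8-18 with the AWS CLI
# and renders a per-node vault.hcl that uses the EC2 instance role instead of static keys.
# Assumed (not in the slides): role/profile name vault-ec2, on-demand billing, AWS CLI v2.
set -eu

REGION="${REGION:-ap-southeast-1}"
TABLE="${TABLE:-vault}"
ROLE_NAME="${ROLE_NAME:-vault-ec2}"

# Inline policy for the dynamodb storage backend, scoped to the one table. $1 = account id
dynamodb_policy() {
  local arn="arn:aws:dynamodb:${REGION}:$1:table/${TABLE}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
                 "dynamodb:DescribeTable", "dynamodb:DeleteItem", "dynamodb:GetItem",
                 "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:Query",
                 "dynamodb:UpdateItem", "dynamodb:DescribeTimeToLive", "dynamodb:GetRecords"],
      "Resource": ["${arn}", "${arn}/index/*", "${arn}/stream/*"] },
    { "Effect": "Allow",
      "Action": ["dynamodb:DescribeReservedCapacityOfferings", "dynamodb:ListTables",
                 "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeLimits"],
      "Resource": "*" }
  ]
}
EOF
}

# Inline policy for the awskms seal: the three actions Vault needs, on one key.
# $1 = account id, $2 = KMS key id
kms_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
      "Resource": "arn:aws:kms:${REGION}:$1:key/$2" }
  ]
}
EOF
}

# vault.hcl for one node. $1 = the node's private IP, $2 = KMS key id.
# No access_key/secret_key: Vault's AWS SDK takes credentials from the instance role.
vault_hcl() {
  cat <<EOF
api_addr     = "http://$1:8200"
cluster_addr = "https://$1:8201"   # scheme is ignored: node-to-node traffic is always TLS
log_level    = "Info"
ui           = true

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "$1:8201"
  tls_disable     = "true"         # TLS is terminated on the ALB with an ACM certificate
}

seal "awskms" {
  region     = "${REGION}"
  kms_key_id = "$2"
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "${REGION}"
  table      = "${TABLE}"
}
EOF
}

# Everything that talks to AWS (not idempotent: create-table fails if the table exists).
provision() {
  account=$(aws sts get-caller-identity --query Account --output text)
  # Slide 8: table "vault", partition key Path (S), sort key Key (S)
  aws dynamodb create-table --region "$REGION" --table-name "$TABLE" \
    --attribute-definitions AttributeName=Path,AttributeType=S AttributeName=Key,AttributeType=S \
    --key-schema AttributeName=Path,KeyType=HASH AttributeName=Key,KeyType=RANGE \
    --billing-mode PAY_PER_REQUEST >/dev/null
  # Slide 10: symmetric key for auto-unseal
  key_id=$(aws kms create-key --region "$REGION" --key-spec SYMMETRIC_DEFAULT \
    --description "Vault auto-unseal" --query KeyMetadata.KeyId --output text)
  # Slides 16-18: EC2 role, the two inline policies, and the instance profile to attach
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document \
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' >/dev/null
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name Policy-Vault-DynamoDB \
    --policy-document "$(dynamodb_policy "$account")"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name Policy-Vault-KMS \
    --policy-document "$(kms_policy "$account" "$key_id")"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  echo "KMS key id: $key_id. Attach instance profile $ROLE_NAME to both nodes, then on each node: vault_hcl <private-ip> $key_id > /etc/vault.d/vault.hcl"
}

if [ "${1:-}" = "apply" ]; then provision; fi
```

Run it once as `./vault-aws.sh apply` from an operator workstation; it prints the KMS key id. On each node render the config with that node’s own private IP (`vault_hcl 10.10.10.10 <key-id>`), start Vault as in slide 21, and run the `vault operator init` from slide 22 once against either node. Called without `apply` the script touches nothing, so the rendered policies and config can be reviewed before anything is created, and the rendered HCL contains no access_key or secret_key lines at all.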
  23. Now it’s working • http://vault.example.com/ ◦ https://vault.example.com/ (HTTPS)

  24. Monitoring
      • CloudWatch
        ◦ ELB (ALB)
        ◦ EC2
        ◦ DynamoDB
        ◦ KMS
  25. That’s it… • Q&A after sessions. • And we’re hiring!