High Availability Vault Service on AWS Environment
Gea-Suan Lin
March 17, 2022
Transcript
Gea-Suan Lin (DK), Director of SW Platform and Infrastructures

Links
• This slide: https://bit.ly/3igUbgh
• AWS Summit Taiwan 2021: https://aws.amazon.com/tw/events/taiwan/2021summit/
• My wiki: https://wiki.gslin.org/wiki/Vault/Install (in Chinese)

Explain "Migo"
• https://wiki.gslin.org/wiki/Migo
What is HashiCorp Vault?
• "Manage secrets and protect sensitive data"
• Usually: credentials, tokens, …
• Sometimes: endpoint information, …

Why do people need Vault?
• Auditing.
• Credentials/tokens versioning.
• We don't want to put credentials into Ansible and/or GitLab…

Today's objectives
• High availability.
  ◦ But I don't want to manage HA by myself.
Technologies
• Amazon EC2 (Multi-AZ)
  ◦ (or container-based services like ECS/EKS)
• Amazon DynamoDB
• AWS KMS
• AWS ELB
• AWS ACM (optional)

Setup DynamoDB
• Create a table called vault.
  ◦ Primary (partition) key: Path.
  ◦ Sort key: Key.
  ◦ Both attributes are of type String; Vault's DynamoDB storage backend expects exactly these two attribute names.
Setup KMS
• Create a symmetric key (key spec SYMMETRIC_DEFAULT).
Setup EC2
• Create two t3a.nano or t4g.nano instances, one per Availability Zone.
• We choose Ubuntu 20.04.
Install Vault
    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
    sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"
    sudo apt update && sudo apt install vault
• apt-key is deprecated on Ubuntu 22.04 and later; HashiCorp's current instructions store the key in a keyring file and reference it with signed-by in the sources list entry.
Setup Vault
    api_addr     = "http://10.10.10.10:8200"
    cluster_addr = "http://10.10.10.10:8201"
    log_level    = "Info"
    ui           = true

    listener "tcp" {
      address         = "0.0.0.0:8200"
      cluster_address = "10.10.10.10:8201"
      tls_disable     = "true"
    }

    seal "awskms" {
      region     = "ap-southeast-1"
      access_key = "x"
      secret_key = "x"
      kms_key_id = "x"
    }

    storage "dynamodb" {
      ha_enabled = "true"
      region     = "ap-southeast-1"
      table      = "vault"
      access_key = "x"
      secret_key = "x"
    }
• access_key/secret_key are placeholders. Once the instance role from the next step is attached they can be omitted: Vault then resolves KMS and DynamoDB credentials through the AWS SDK default credential chain, and no long-lived keys sit in the config file.
• tls_disable = "true" leaves the ALB-to-Vault hop as plaintext HTTP inside the VPC. To terminate TLS on Vault instead, set tls_cert_file/tls_key_file on the listener and change api_addr to https://.
Setup EC2 IAM Role
• Create an EC2 role.
• Attach two inline policies.
• Attach to EC2 instances.
• Both policies are scoped to the single vault table and the single KMS key; the second DynamoDB statement needs Resource "*" only because ListTables, DescribeLimits and the reserved-capacity describe actions are account-level and do not support resource-level permissions.

EC2 IAM Role - Policy-Vault-DynamoDB
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:BatchWriteItem",
            "dynamodb:PutItem",
            "dynamodb:DescribeTable",
            "dynamodb:DeleteItem",
            "dynamodb:GetItem",
            "dynamodb:Scan",
            "dynamodb:ListTagsOfResource",
            "dynamodb:Query",
            "dynamodb:UpdateItem",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:GetRecords"
          ],
          "Resource": [
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "dynamodb:DescribeReservedCapacityOfferings",
            "dynamodb:ListTables",
            "dynamodb:DescribeReservedCapacity",
            "dynamodb:DescribeLimits"
          ],
          "Resource": "*"
        }
      ]
    }

EC2 IAM Role - Policy-Vault-KMS
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
        }
      ]
    }
Setup ELB
• Choose ALB.
• /v1/sys/health as health check path.
  ◦ Vault answers 200 only on the active node, 429 on a standby and 503 when sealed, so with the target group's default success code (200) only the active node stays in rotation. Append ?standbyok=true to the path if standbys should also be marked healthy; they forward client requests to the active node.
• Backend in port 8200.
• Frontend in port 80.
  ◦ Recommend to use ACM for HTTPS (port 443).
Start Vault
    sudo systemctl enable vault
    sudo service vault start
Initialization
    # Remember to write down the root token
    vault operator init \
        -recovery-shares=1 \
        -recovery-threshold=1 \
        -address=http://127.0.0.1:8200
• With the awskms seal these are recovery keys (unsealing itself is done by KMS); 1/1 is fine for a demo, but in production split them across several holders with a threshold greater than one.
• Keep the root token offline and revoke it once an auth method and an admin policy are in place.
Now it's working
• http://vault.example.com/
  ◦ https://vault.example.com/ (HTTPS)
Monitoring
• CloudWatch
  ◦ ELB (ALB)
  ◦ EC2
  ◦ DynamoDB
  ◦ KMS
That's it…
• Q&A after the session.
• And we're hiring!