High Availability Vault Service on AWS Environment

Gea-Suan Lin

March 17, 2022

Transcript

  1. High Availability Vault Service
    on AWS Environment
    Gea-Suan Lin (DK)
    Director of SW Platform and Infrastructures

  2. Links
    ● This slide:
    ○ https://bit.ly/3igUbgh
    ● AWS Summit Taiwan 2021:
    ○ https://aws.amazon.com/tw/events/taiwan/2021summit/
    ● My wiki:
    ○ https://wiki.gslin.org/wiki/Vault/Install (in Chinese)

  3. Explain “Migo”
    ● https://wiki.gslin.org/wiki/Migo

  4. What is HashiCorp Vault?
    ● “Manage secrets and protect sensitive data”
    ● Usually:
    ○ Credentials
    ○ Tokens
    ○ …
    ● Sometimes:
    ○ Endpoint information
    ○ …

  5. Why do people need Vault?
    ● Auditing.
    ● Credentials/tokens versioning.
    ● We don’t want to put credentials into Ansible and/or GitLab…

  6. Today’s objectives
    ● High availability.
    ○ But I don’t want to manage HA by myself.

  7. Technologies
    ● Amazon EC2 (Multi-AZ)
    ○ (or container-based services like ECS/EKS)
    ● Amazon DynamoDB
    ● AWS KMS
    ● AWS ELB
    ● AWS ACM (optional)

  8. Setup DynamoDB
    ● Create a table called vault.
    ○ Primary key as Path.
    ○ Sort key as Key.

  9. Setup KMS
    ● Create a key with SYMMETRIC_DEFAULT.

  10. Setup EC2
    ● Create two t3a.nano or t4g.nano instances.
    ● We choose Ubuntu 20.04.

  11. Install Vault
    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
    sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"
    sudo apt update && sudo apt install vault

  12. Setup Vault
    api_addr = "http://10.10.10.10:8200"
    cluster_addr = "http://10.10.10.10:8201"
    log_level = "Info"
    ui = true
    listener "tcp" {
      address = "0.0.0.0:8200"
      cluster_address = "10.10.10.10:8201"
      tls_disable = "true"
    }
    seal "awskms" {
      region = "ap-southeast-1"
      access_key = "x"
      secret_key = "x"
      kms_key_id = "x"
    }
    storage "dynamodb" {
      ha_enabled = "true"
      region = "ap-southeast-1"
      table = "vault"
      access_key = "x"
      secret_key = "x"
    }

  13. Setup EC2 IAM Role
    ● Create an EC2 role.
    ● Attach two inline policies.
    ● Attach to EC2 instances.

  14. EC2 IAM Role - Policy-Vault-DynamoDB
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:BatchWriteItem",
            "dynamodb:PutItem",
            "dynamodb:DescribeTable",
            "dynamodb:DeleteItem",
            "dynamodb:GetItem",
            "dynamodb:Scan",
            "dynamodb:ListTagsOfResource",
            "dynamodb:Query",
            "dynamodb:UpdateItem",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:GetRecords"
          ],
          "Resource": [
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
            "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "dynamodb:DescribeReservedCapacityOfferings",
            "dynamodb:ListTables",
            "dynamodb:DescribeReservedCapacity",
            "dynamodb:DescribeLimits"
          ],
          "Resource": "*"
        }
      ]
    }

  15. EC2 IAM Role - Policy-Vault-KMS
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
        }
      ]
    }
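    The two inline policies on slides 14 and 15 are the part of this setup most worth checking before it goes live: the DynamoDB data actions must stay scoped to the vault table, and the KMS grant must stay pinned to the one seal key. The script below is an added example (not part of the original deck); it embeds the two policy documents exactly as shown on the slides (account id and key id are the slides' placeholder values) and runs a couple of least-privilege checks over them. DATA_ACTIONS, KMS_SEAL_ACTIONS and the function names are this example's own assumptions.

```python
"""Least-privilege checks for the two inline policies on the Vault EC2 role.

Added example, not part of the original slides. The policy documents below
are the ones shown on slides 14 and 15 (account id and key id are the slides'
placeholder values); DATA_ACTIONS and KMS_SEAL_ACTIONS are this example's own
assumptions about which grants must stay tightly scoped.
"""
import json

DYNAMODB_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
              "dynamodb:DescribeTable", "dynamodb:DeleteItem", "dynamodb:GetItem",
              "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:Query",
              "dynamodb:UpdateItem", "dynamodb:DescribeTimeToLive", "dynamodb:GetRecords"],
   "Resource": ["arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
                "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
                "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"]},
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["dynamodb:DescribeReservedCapacityOfferings", "dynamodb:ListTables",
              "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeLimits"],
   "Resource": "*"}]}'''

KMS_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"],
   "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"}]}'''

VAULT_TABLE_ARN = "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"

# Actions that read or write items (assumption of this example): they must only
# ever be granted on the Vault table and its index/stream sub-resources, never "*".
DATA_ACTIONS = {
    "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
    "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query",
    "dynamodb:UpdateItem", "dynamodb:GetRecords",
}
# The awskms seal needs exactly these three actions on the one seal key.
KMS_SEAL_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy_text):
    return [s for s in json.loads(policy_text)["Statement"] if s.get("Effect") == "Allow"]


def _scoped_to_table(resource, table_arn):
    # Exact table ARN, or a sub-resource of it (table/vault/index/*, table/vault/stream/*).
    return resource == table_arn or resource.startswith(table_arn + "/")


def unscoped_data_actions(policy_text, table_arn=VAULT_TABLE_ARN):
    """Data actions granted on any resource other than the Vault table; should be empty."""
    leaked = set()
    for stmt in allow_statements(policy_text):
        data_acts = DATA_ACTIONS & set(_as_list(stmt["Action"]))
        if data_acts and any(not _scoped_to_table(r, table_arn) for r in _as_list(stmt["Resource"])):
            leaked |= data_acts
    return leaked


def kms_policy_findings(policy_text):
    """Findings for the seal-key policy: wildcard resources, extra or missing actions."""
    findings, granted = [], set()
    for stmt in allow_statements(policy_text):
        granted |= set(_as_list(stmt["Action"]))
        for resource in _as_list(stmt["Resource"]):
            if "*" in resource:
                findings.append(f"{stmt.get('Sid')}: seal key grant not pinned to one key ({resource})")
    if granted - KMS_SEAL_ACTIONS:
        findings.append(f"actions beyond what the seal needs: {sorted(granted - KMS_SEAL_ACTIONS)}")
    if KMS_SEAL_ACTIONS - granted:
        findings.append(f"seal actions missing: {sorted(KMS_SEAL_ACTIONS - granted)}")
    return findings


def with_resource(policy_text, resource):
    """Copy of a policy with every statement's Resource replaced (used to show a failing check)."""
    policy = json.loads(policy_text)
    for stmt in policy["Statement"]:
        stmt["Resource"] = resource
    return json.dumps(policy)


if __name__ == "__main__":
    print("DynamoDB data actions leaking outside the table:", unscoped_data_actions(DYNAMODB_POLICY) or "none")
    print("KMS findings:", kms_policy_findings(KMS_POLICY) or "none")
    print("KMS findings if Resource were '*':", kms_policy_findings(with_resource(KMS_POLICY, "*")))
```

    Both policies from the slides pass as written: the only statement with `"Resource": "*"` is the second DynamoDB one, and it carries no item-level actions, while the KMS statement grants nothing beyond the three actions the seal uses and names a single key. The `with_resource` helper shows what the checks report when someone later "simplifies" a statement to `*`.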

  16. Setup ELB
    ● Choose ALB
    ● /v1/sys/health as health check path.
    ● Backend on port 8200.
    ● Frontend on port 80.
    ○ Recommended: use ACM for HTTPS (port 443).
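    What the ALB actually sees on /v1/sys/health is an HTTP status code that encodes the node's state, and the ALB counts only 200 as healthy by default. The script below is an added example (not part of the original deck) that models this: it encodes the status codes Vault documents for that endpoint (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 uninitialized, 503 sealed), runs a constructed set of node states through it, and shows which targets stay in service with the bare path versus `?standbyok=true`. No Vault server is contacted; the node bodies and all function names are this example's own.

```python
"""What an ALB health check on /v1/sys/health actually sees.

Added example, not from the original slides. It encodes the HTTP status codes
Vault documents for GET /v1/sys/health and shows, for constructed node states,
which targets the ALB would keep in service. No Vault server is contacted.
"""

# Status code Vault returns for each node state (defaults, no query params).
HEALTH_CODES = {
    "active": 200,
    "standby": 429,
    "dr_secondary": 472,
    "perf_standby": 473,
    "uninitialized": 501,
    "sealed": 503,
}

# Constructed sample: the JSON body of /v1/sys/health for each node, i.e. what
# `curl -s http://<node>:8200/v1/sys/health` would return (OSS fields only).
SAMPLE_NODES = {
    "vault-a (active)":  {"initialized": True,  "sealed": False, "standby": False},
    "vault-b (standby)": {"initialized": True,  "sealed": False, "standby": True},
    "vault-c (sealed)":  {"initialized": True,  "sealed": True,  "standby": True},
    "vault-d (fresh)":   {"initialized": False, "sealed": True,  "standby": True},
}


def node_state(body):
    """Map the health body to the state Vault reports (OSS states only)."""
    if not body.get("initialized"):
        return "uninitialized"
    if body.get("sealed"):
        return "sealed"
    return "standby" if body.get("standby") else "active"


def health_status(body, standby_ok=False):
    """HTTP status Vault returns for this body.

    standby_ok models the ?standbyok=true query parameter, which turns the
    standby answer into 200; sealed and uninitialized stay non-200 either way.
    """
    state = node_state(body)
    if state == "standby" and standby_ok:
        return 200
    return HEALTH_CODES[state]


def alb_healthy(body, standby_ok=False, matcher=(200,)):
    """ALB target health: a target is healthy only when the status code matches
    the target group's success codes (200 by default)."""
    return health_status(body, standby_ok) in matcher


def healthy_targets(nodes, standby_ok=False):
    """Names of the nodes the ALB would keep in the target group."""
    return sorted(name for name, body in nodes.items() if alb_healthy(body, standby_ok))


if __name__ == "__main__":
    for standby_ok in (False, True):
        path = "/v1/sys/health" + ("?standbyok=true" if standby_ok else "")
        print(f"{path}: in service -> {healthy_targets(SAMPLE_NODES, standby_ok)}")
```

    With the bare path only the active node is in service; with `?standbyok=true` the standby joins it, which is fine for this DynamoDB HA setup because standby nodes forward client requests to the active node. Either way the sealed and never-initialized nodes drop out of rotation, which is the property the health check is there to give you.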

  17. Start Vault
    sudo systemctl enable vault; sudo service vault start

  18. Initialization
    # Remember to write down the root token
    vault operator init \
    -recovery-shares=1 \
    -recovery-threshold=1 \
    -address=http://127.0.0.1:8200

  19. Now it’s working
    ● http://vault.example.com/
    ○ https://vault.example.com/ (HTTPS)

  20. Monitoring
    ● Cloudwatch
    ○ ELB (ALB)
    ○ EC2
    ○ DynamoDB
    ○ KMS

  21. That’s it…
    ● Q&A after the session.
    ● And we’re hiring!