Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Developer's Guide to Secrets Management

Rosemary Wang
December 04, 2020
Programming
0
140

A Developer's Guide to Secrets Management

How do you as a developer use a secrets manager to protect application API tokens, keys, passwords, certificates, and more? In this session, I'll walk through some patterns of storing and using secrets that never change to secrets that change all the time. By learning how to use a secrets manager as a developer, you can keep your secrets a secret and limit the blast radius for a potential attack. You'll get hands on with HashiCorp Vault and .NET Core and figure out the best way to inject your secrets into your application.

Rosemary Wang

December 04, 2020
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
From Cloud-Hosted to Cloud-Native
joatmon08
0
23
Refactoring Applications for Dynamic Secrets
joatmon08
1
18
Catching Commits to Secure Infrastructure as Code
joatmon08
1
20
Minimum Secure Pipeline
joatmon08
0
38
HashiCorp Terraform for Network Infrastructure as Code
joatmon08
0
27
Patterns to Refactor Terraform
joatmon08
1
110
Auditing Your Automation's Access... Using More Automation
joatmon08
1
2.5k
Lessons Learned from Scaling Infrastructure as Code
joatmon08
1
930
Secure Together: Consul + Vault
joatmon08
1
100

Other Decks in Programming

See All in Programming
第3回 AWSとGitHub勉強会 - GitHub Actionsを使ったCI環境の構築 -
ogiwarat
0
110
A tale of two plugins: safely extending the Kubernetes Scheduler with WebAssembly
sanposhiho
0
150
neovimで作る最新Ruby開発環境2023
joker1007
2
1.1k
RustでWasm Runtimeを書いた in UV_Study
skanehira
1
250
認知負荷で考えるフロントエンドの組織体制
shibe23
0
260
Rich UI implementation examples using Jetpack Compose (Jetpack Composeを活用した強力なUI表現の実装実例)
iimokoy
0
870
SmartHRのパフォーマンス改善が 総力戦だった話
daisukeshinoku
8
3.3k
Jetpack Compose の Side-effect を使いこなす / DroidKaigi 2023
star_zero
1
620
ユニットテスト並行化の導入と運用:Goでの事例紹介
shohata
1
420
Kotlinハイパフォーマンスプログラミング
ohmae
4
2.3k
Managing State Beyond ViewModels and Hilt (Updated)
vrallev
3
610
個人開発のiOSアプリでUI/UXを標準に寄せてみた / 20230919_orochi
uhooi
0
300

Featured

See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.5k
Making the Leap to Tech Lead
cromwellryan
119
8.1k
BBQ
matthewcrist
76
8.4k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Building Adaptive Systems
keathley
29
1.6k
The Invisible Customer
myddelton
113
12k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
What the flash - Photography Introduction
edds
64
11k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
870
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.1k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
A better future with KSS
kneath
230
16k

Transcript

  1. Copyright © 2020 HashiCorp
    A Developer’s Guide
    to Secrets
    Management
    WWCode Connect Forward
    December 2020

    View Slide

  2. Secrets
    Passwords, API tokens, SSL Certificates, or any other sensitive
    information your application needs to access something else.
    @joatmon08

    View Slide

  3. Secrets Management
    Stores and manages secrets.
    @joatmon08

    View Slide

  4. Rosemary Wang
    (She/Her)
    Developer Advocate at HashiCorp
    joatmon08.github.io
    @JOATMON08 JOATMON08
    LINKEDIN.COM/IN/
    ROSEMARYWANG

    View Slide

  5. HashiCorp Vault
    Open source secrets manager.
    @joatmon08

    View Slide

  6. ▪ Storage (retrieve via GET request)
    ▪ Revocation (expire using leases)
    ▪ Rotation (change sensitive information)
    @joatmon08

    View Slide

  7. Terms You
    Need to
    Know
    Your administrator
    likely configured
    these for you.
    Auth Methods.
    Use these to authenticate to
    Vault.
    ▪ AppRole
    ▪ GitHub
    ▪ JWT/OIDC
    Secrets Engines.
    Use these to rotate and
    retrieve secrets.
    ▪ Key-value store
    ▪ Database usernames and
    passwords
    ▪ API Token
    @joatmon08

    View Slide

  8. Patterns for Secrets
    Injection

    View Slide

  9. @joatmon08
    GET SECRETS
    AUTHENTICATE
    TO SECRETS
    MANAGER
    SECRETS INJECTION
    RUN
    APPLICATION
    Write a Client

    View Slide

  10. Summary Benefits
    ▪ Good for static secrets
    ▪ Can be unit tested
    ▪ Secure because in memory
    Problems
    ▪ Need application reload or
    separate thread for new
    secrets
    ▪ Connection failure for
    secrets manager
    ▪ Doesn’t scale for dynamic
    secrets
    @joatmon08

    View Slide

  11. @joatmon08
    GET SECRETS
    AUTHENTICATE
    TO SECRETS
    MANAGER
    SECRETS INJECTION
    VAULT AGENT
    RUN
    APPLICATION
    Read Secrets Async in Separate Process
    FILE OF
    SECRETS

    View Slide

  12. Summary Benefits
    ▪ Separation of concerns
    ▪ Handles changing secrets
    ▪ No additional code
    ▪ File caches secrets
    Problems
    ▪ Requires separate process
    ▪ Application must reload if
    file changes
    ▪ Secrets in file (less
    secure?)
    @joatmon08

    View Slide

  13. What if your application doesn’t
    have reload capability?
    @joatmon08

    View Slide

  14. @joatmon08
    GET SECRETS
    AUTHENTICATE
    TO SECRETS
    MANAGER
    SECRETS INJECTION
    RUN
    APPLICATION
    Read Secrets & Reload Application
    FILE OF
    SECRETS
    VAULT AGENT CONSUL TEMPLATE

    View Slide

  15. Prerequisites
    learn.hashicorp.com/tutorials/vault/dotnet-vault-agent
    ▪ .NET SDK 5.0
    ▪ Docker
    ▪ Docker Compose

    View Slide

  16. References
    ▪ Official tutorial:
    – learn.hashicorp.com/tutorials/vault/dotnet-httpclient
    – learn.hashicorp.com/tutorials/vault/dotnet-vault-agent
    ▪ vaultproject.io/docs/secrets/kv
    ▪ vaultproject.io/docs/secrets/databases
    ▪ github.com/hashicorp/vault-guides/pull/308
    @joatmon08

    View Slide