Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Developer's Guide to Secrets Management

Avatar for Rosemary Wang Rosemary Wang
December 04, 2020
Programming
0
180

A Developer's Guide to Secrets Management

How do you as a developer use a secrets manager to protect application API tokens, keys, passwords, certificates, and more? In this session, I'll walk through some patterns of storing and using secrets that never change to secrets that change all the time. By learning how to use a secrets manager as a developer, you can keep your secrets a secret and limit the blast radius for a potential attack. You'll get hands on with HashiCorp Vault and .NET Core and figure out the best way to inject your secrets into your application.
Avatar for Rosemary Wang

Rosemary Wang

December 04, 2020
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
Avatar for Rosemary Wang joatmon08
0
29
People, process, and technology for ILM and SLM adoption
Avatar for Rosemary Wang joatmon08
0
17
Secure Day 2 operations with Boundary and Vault
Avatar for Rosemary Wang joatmon08
0
43
Can You Test Your Infrastructure as Code?
Avatar for Rosemary Wang joatmon08
1
81
Multi-Account, Multi-Region, Multi-Runtime
Avatar for Rosemary Wang joatmon08
1
45
Building a multi-account, multi-runtime service-oriented architecture
Avatar for Rosemary Wang joatmon08
0
59
Choose Your Own Abstraction: Iterating on Developer Experience
Avatar for Rosemary Wang joatmon08
0
58
Break Glass, Repair Fast, Reconcile Automation
Avatar for Rosemary Wang joatmon08
2
49
Building a Developer Platform? Ask these questions.
Avatar for Rosemary Wang joatmon08
0
56

Other Decks in Programming

See All in Programming
The Nature of Complexity in John Ousterhout’s Philosophy of Software Design
Avatar for Philip Schwarz philipschwarz
PRO
0
160
プロダクト横断分析に役立つ、事前集計しないサマリーテーブル設計
Avatar for Uchide Hiroki(ucchi-) hanon52_
3
520
Making TCPSocket.new "Happy"!
Avatar for Misaki Shioi(塩井美咲/しおい) coe401_
1
2.8k
「理解」を重視したAI活用開発
Avatar for FastDOCTOR fast_doctor
0
260
Thank you <💅>, What's the Next?
Avatar for Hayashibara Yuto ahoxa
1
590
音声プラットフォームのアーキテクチャ変遷から学ぶ、クラウドネイティブなバッチ処理 (20250422_CNDS2025_Batch_Architecture)
Avatar for Koki Senda thousanda
0
370
読書シェア会 vol.4 『ダイナミックリチーミング 第2版』
Avatar for Kotaro Kamashima kotaro666
0
110
Memory API : Patterns, Performance et Cas d'Utilisation
Avatar for José josepaumard
1
160
Road to RubyKaigi: Making Tinny Chiptunes with Ruby
Avatar for makicamel makicamel
4
530
KANNA Android の技術的課題と取り組み
Avatar for Yosuke Watanabe watabee
0
170
Flutterでllama.cppをつかってローカルLLMを試してみた
Avatar for sakuraidayo sakuraidayo
0
120
Contribute to Comunities | React Tokyo Meetup #4 LT
Avatar for SASAGAWA, Kiyoshi sasagar
0
590

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
21k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
41
2.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
34
2.2k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Side Projects
Avatar for Sacha Greif sachag
453
42k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
177
9.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
119
51k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
29
920
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
233
140k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
178
53k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
129
19k

Transcript

  1. Copyright © 2020 HashiCorp A Developer’s Guide to Secrets Management

    WWCode Connect Forward December 2020

  2. Secrets Passwords, API tokens, SSL Certificates, or any other sensitive

    information your application needs to access something else. @joatmon08

  3. Secrets Management Stores and manages secrets. @joatmon08

  4. Rosemary Wang (She/Her) Developer Advocate at HashiCorp joatmon08.github.io @JOATMON08 JOATMON08

    LINKEDIN.COM/IN/ ROSEMARYWANG

  5. HashiCorp Vault Open source secrets manager. @joatmon08

  6. ▪ Storage (retrieve via GET request) ▪ Revocation (expire using

    leases) ▪ Rotation (change sensitive information) @joatmon08

  7. Terms You Need to Know Your administrator likely configured these

    for you. Auth Methods. Use these to authenticate to Vault. ▪ AppRole ▪ GitHub ▪ JWT/OIDC Secrets Engines. Use these to rotate and retrieve secrets. ▪ Key-value store ▪ Database usernames and passwords ▪ API Token @joatmon08

  8. Patterns for Secrets Injection

  9. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION RUN

    APPLICATION Write a Client

  10. Summary Benefits ▪ Good for static secrets ▪ Can be

    unit tested ▪ Secure because in memory Problems ▪ Need application reload or separate thread for new secrets ▪ Connection failure for secrets manager ▪ Doesn’t scale for dynamic secrets @joatmon08

  11. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION VAULT

    AGENT RUN APPLICATION Read Secrets Async in Separate Process FILE OF SECRETS

  12. Summary Benefits ▪ Separation of concerns ▪ Handles changing secrets

    ▪ No additional code ▪ File caches secrets Problems ▪ Requires separate process ▪ Application must reload if file changes ▪ Secrets in file (less secure?) @joatmon08

  13. What if your application doesn’t have reload capability? @joatmon08

  14. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION RUN

    APPLICATION Read Secrets & Reload Application FILE OF SECRETS VAULT AGENT CONSUL TEMPLATE

  15. Prerequisites learn.hashicorp.com/tutorials/vault/dotnet-vault-agent ▪ .NET SDK 5.0 ▪ Docker ▪ Docker

    Compose

  16. References ▪ Official tutorial: – learn.hashicorp.com/tutorials/vault/dotnet-httpclient – learn.hashicorp.com/tutorials/vault/dotnet-vault-agent ▪ vaultproject.io/docs/secrets/kv

    ▪ vaultproject.io/docs/secrets/databases ▪ github.com/hashicorp/vault-guides/pull/308 @joatmon08