Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Developer's Guide to Secrets Management

Rosemary Wang
December 04, 2020
Programming
0
150

A Developer's Guide to Secrets Management

How do you as a developer use a secrets manager to protect application API tokens, keys, passwords, certificates, and more? In this session, I'll walk through some patterns of storing and using secrets that never change to secrets that change all the time. By learning how to use a secrets manager as a developer, you can keep your secrets a secret and limit the blast radius for a potential attack. You'll get hands on with HashiCorp Vault and .NET Core and figure out the best way to inject your secrets into your application.

Rosemary Wang

December 04, 2020
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
11
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
12
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
9
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
13
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
24
Building a Developer Platform? Ask these questions.
joatmon08
0
10
From Cloud-Hosted to Cloud-Native
joatmon08
0
44
Refactoring Applications for Dynamic Secrets
joatmon08
1
29
Catching Commits to Secure Infrastructure as Code
joatmon08
1
39

Other Decks in Programming

See All in Programming
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
750
Ruby GitHub Packages
bkuhlmann
0
630
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
230
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
360
Milestoner
bkuhlmann
1
410
What We Can Learn From OSS
inouehi
0
420
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
120
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
320
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k
Goのmultiple errorsについて (2024年4月版)
syumai
3
660
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
170

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Automating Front-end Workflow
addyosmani
1356
200k
BBQ
matthewcrist
80
8.8k
4 Signs Your Business is Dying
shpigford
175
21k
How to train your dragon (web standard)
notwaldorf
73
5.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Web development in the modern age
philhawksworth
202
10k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Happy Clients
brianwarren
92
6.4k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Embracing the Ebb and Flow
colly
80
4.1k
For a Future-Friendly Web
brad_frost
172
9k

Transcript

  1. Copyright © 2020 HashiCorp A Developer’s Guide to Secrets Management

    WWCode Connect Forward December 2020

  2. Secrets Passwords, API tokens, SSL Certificates, or any other sensitive

    information your application needs to access something else. @joatmon08

  3. Secrets Management Stores and manages secrets. @joatmon08

  4. Rosemary Wang (She/Her) Developer Advocate at HashiCorp joatmon08.github.io @JOATMON08 JOATMON08

    LINKEDIN.COM/IN/ ROSEMARYWANG

  5. HashiCorp Vault Open source secrets manager. @joatmon08

  6. ▪ Storage (retrieve via GET request) ▪ Revocation (expire using

    leases) ▪ Rotation (change sensitive information) @joatmon08

  7. Terms You Need to Know Your administrator likely configured these

    for you. Auth Methods. Use these to authenticate to Vault. ▪ AppRole ▪ GitHub ▪ JWT/OIDC Secrets Engines. Use these to rotate and retrieve secrets. ▪ Key-value store ▪ Database usernames and passwords ▪ API Token @joatmon08

  8. Patterns for Secrets Injection

  9. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION RUN

    APPLICATION Write a Client

  10. Summary Benefits ▪ Good for static secrets ▪ Can be

    unit tested ▪ Secure because in memory Problems ▪ Need application reload or separate thread for new secrets ▪ Connection failure for secrets manager ▪ Doesn’t scale for dynamic secrets @joatmon08

  11. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION VAULT

    AGENT RUN APPLICATION Read Secrets Async in Separate Process FILE OF SECRETS

  12. Summary Benefits ▪ Separation of concerns ▪ Handles changing secrets

    ▪ No additional code ▪ File caches secrets Problems ▪ Requires separate process ▪ Application must reload if file changes ▪ Secrets in file (less secure?) @joatmon08

  13. What if your application doesn’t have reload capability? @joatmon08

  14. @joatmon08 GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION RUN

    APPLICATION Read Secrets & Reload Application FILE OF SECRETS VAULT AGENT CONSUL TEMPLATE

  15. Prerequisites learn.hashicorp.com/tutorials/vault/dotnet-vault-agent ▪ .NET SDK 5.0 ▪ Docker ▪ Docker

    Compose

  16. References ▪ Official tutorial: – learn.hashicorp.com/tutorials/vault/dotnet-httpclient – learn.hashicorp.com/tutorials/vault/dotnet-vault-agent ▪ vaultproject.io/docs/secrets/kv

    ▪ vaultproject.io/docs/secrets/databases ▪ github.com/hashicorp/vault-guides/pull/308 @joatmon08