Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (Devoxx Morocco 2016)

C5f6e8dffbb19acf405198c8fb917337?s=47 Mark Paluch
November 02, 2016
Technology
0
200

Managing Secrets at Scale (Devoxx Morocco 2016)

Slides of the talk I gave at Devoxx Morocco, 2016.

C5f6e8dffbb19acf405198c8fb917337?s=128

Mark Paluch

November 02, 2016
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Full Steam Ahead, R2DBC!
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
2
390
Reactive Relational Database Connectivity 2020
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
3
140
Reactive Relational Database Connectivity
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
3
620
Building Event-Driven Java Applications using Redis Streams
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
1
360
What's New in CDI 2.0 at JUG HH
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
0
140
Reactive Spring Workshop
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
0
560
Under the Hood of Reactive Data Access
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
3
1.3k
Under the Hood of Reactive Data Access
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
1
310
Reactive Spring Data
C5f6e8dffbb19acf405198c8fb917337?s=48 mp911de
1
150

Other Decks in Technology

See All in Technology
0->1 フェーズで E2E 自動テストを導入した私たちの、これまでとこれから
Cf37e498a7fc8d3c589c91f56fb98e1c?s=48 yoyakoba
0
620
Nutanix_Meetup_20220511
0fca98ba59a23fc0a4a2a53701a2bae1?s=48 keigotomomatsu
0
150
Unity Package Managerで自作パッケージを配布する方法
3dfed36dc1543f0007b5fd46fcb41a47?s=48 yunoda
0
210
Steps toward self-service operations in eureka
71929a476c581dd754e4e1f355ac07d0?s=48 fukubaka0825
0
820
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
D2322aa2c45d0190205b3ed8bfdd6717?s=48 takatama
0
600
街じゅうを"駅前化"する電動マイクロモビリティのシェアサービス「LUUP」のIoTとSRE
1333e8256b0ba80c369f4bcc98a839d7?s=48 0gm
1
890
How We Foster Reliability in Diversity
Ed424b1e857828ce69b0fdf4c3291d2e?s=48 nari_ex
PRO
10
3k
Building smarter apps with machine learning, from magic to reality
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
3.1k
新規ゲームのリリース(開発)前からのSRE活動
B276b9088550bc522536ab9d471aeebe?s=48 tmkoikee
1
440
A1A会社紹介資料-2022-05-20
154d77627bc95f4eb226c722023b5168?s=48 a1a
2
1.1k
LINEスタンプの実例紹介 小さく始める障害検知・対応・振り返りの 改善プラクティス
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
3
1.8k
BFFとmicroservicesアーキテクチャ
8feecda0ab340ae974eea7f1d86b85ff?s=48 hirac1220
0
110

Featured

See All Featured
For a Future-Friendly Web
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
164
7.4k
KATA
E9221b172e78e888355fa2fe4541b595?s=48 mclloyd
7
8.6k
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
4
450
Reflections from 52 weeks, 52 projects
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
337
17k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
Imperfection Machines: The Place of Print at Facebook
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
61
10k
Distributed Sagas: A Protocol for Coordinating Microservices
9128d500301ae51524e887bb680f471d?s=48 caitiem20
315
19k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
Become a Pro
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
3
780
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
11k

Transcript

  1. Managing Secrets at Scale Mark Paluch @mp911de paluch.biz spring.io #devoxxma

  2. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch @mp911de github.com/mp911de paluch.biz
  3. None

  4. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 4 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  5. https://www.flickr.com/photos/dahlstroms/4188244058

  6. None

  7. https://www.flickr.com/photos/nateone/5456129071

  8. None
  9. None

  10. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project § Secure storages § Sealing/Unsealing § Multiple authentication mechanisms § Multiple secret backends § ACL/policies § HA § HTTP API 10

  11. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions § Secret storage § Tokens and access control policies § Dynamic secrets with leasing and revocation § Key rolling § Audit logs 11 § HSM § 24x7x365 Phone and Email Support Community Enterprise

  12. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  13. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Storing/Loading generic secrets Demo

  14. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods § Token § Username/password § LDAP § GitHub Token
 § MFA (Duo) § TLS Certificates § App ID § AppRole § AWS EC2 13

  15. https://www.flickr.com/photos/kristencavanaugh/10710047746

  16. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 15 1 Operator configures AppRole 2 Store RoleID in App configuration 3 Obtain SecretId 4 App start: Vault login with AppId and UserId AppRole

  17. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  18. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  19. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints § Use SSL § Use SSL § Keep unseal keys secret § Operate in High-Availability setup X

  20. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends § AWS § Cassandra § Consul § MySQL/MSSSQL/PostgreSQL § MongoDB § PKI § RabbitMQ 18

  21. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault Config Demo

  22. + 1.0.0 M1

  23. Feedback welcome

  24. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources § Vault: vaultproject.io § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config § Samples: github.com/mp911de/spring-cloud-vault-config-samples § Slides: mp911.de/dmsas 22

  25. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz