Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (Devoxx Morocco 2016)

Mark Paluch
November 02, 2016
Technology
0
220

Managing Secrets at Scale (Devoxx Morocco 2016)

Slides of the talk I gave at Devoxx Morocco, 2016.

Mark Paluch

November 02, 2016
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Data Access with Sping Data
mp911de
1
37
Project Loom: Broadening Concurrency
mp911de
0
150
Full Steam Ahead, R2DBC!
mp911de
2
530
Reactive Relational Database Connectivity 2020
mp911de
3
170
Reactive Relational Database Connectivity
mp911de
3
840
Building Event-Driven Java Applications using Redis Streams
mp911de
1
460
What's New in CDI 2.0 at JUG HH
mp911de
0
300
Reactive Spring Workshop
mp911de
1
1.2k
Under the Hood of Reactive Data Access
mp911de
3
1.8k

Other Decks in Technology

See All in Technology
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
AGIについてChatGPTに聞いてみた
blueb
0
130
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
190
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
強いチームと開発生産性
onk
PRO
34
11k
Taming you application's environments
salaboy
0
190

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
The Pragmatic Product Professional
lauravandoore
31
6.3k
The Invisible Side of Design
smashingmag
298
50k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
The Cult of Friendly URLs
andyhume
78
6k
Teambox: Starting and Learning
jrom
133
8.8k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
A Philosophy of Restraint
colly
203
16k
Statistics for Hackers
jakevdp
796
220k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Navigating Team Friction
lara
183
14k
The Language of Interfaces
destraynor
154
24k

Transcript

  1. Managing Secrets at Scale Mark Paluch @mp911de paluch.biz spring.io #devoxxma

  2. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch @mp911de github.com/mp911de paluch.biz
  3. None

  4. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 4 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  5. https://www.flickr.com/photos/dahlstroms/4188244058

  6. None

  7. https://www.flickr.com/photos/nateone/5456129071

  8. None
  9. None

  10. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project § Secure storages § Sealing/Unsealing § Multiple authentication mechanisms § Multiple secret backends § ACL/policies § HA § HTTP API 10

  11. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions § Secret storage § Tokens and access control policies § Dynamic secrets with leasing and revocation § Key rolling § Audit logs 11 § HSM § 24x7x365 Phone and Email Support Community Enterprise

  12. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  13. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Storing/Loading generic secrets Demo

  14. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods § Token § Username/password § LDAP § GitHub Token
 § MFA (Duo) § TLS Certificates § App ID § AppRole § AWS EC2 13

  15. https://www.flickr.com/photos/kristencavanaugh/10710047746

  16. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 15 1 Operator configures AppRole 2 Store RoleID in App configuration 3 Obtain SecretId 4 App start: Vault login with AppId and UserId AppRole

  17. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  18. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  19. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints § Use SSL § Use SSL § Keep unseal keys secret § Operate in High-Availability setup X

  20. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends § AWS § Cassandra § Consul § MySQL/MSSSQL/PostgreSQL § MongoDB § PKI § RabbitMQ 18

  21. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault Config Demo

  22. + 1.0.0 M1

  23. Feedback welcome

  24. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources § Vault: vaultproject.io § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config § Samples: github.com/mp911de/spring-cloud-vault-config-samples § Slides: mp911.de/dmsas 22

  25. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz