Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (DevoxxPL2017)

Mark Paluch
June 22, 2017
Programming
0
390

Managing Secrets at Scale (DevoxxPL2017)

Slides of the talk I gave at DevoxxPL 2017.

Links:
* Vault: https://vaultproject.io
* Code: https://github.com/spring-cloud/spring-cloud-vault
* Samples: https://github.com/mp911de/spring-cloud-vault-config-samples

Mark Paluch

June 22, 2017
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Project Loom: Broadening Concurrency
mp911de
0
140
Full Steam Ahead, R2DBC!
mp911de
2
520
Reactive Relational Database Connectivity 2020
mp911de
3
170
Reactive Relational Database Connectivity
mp911de
3
760
Building Event-Driven Java Applications using Redis Streams
mp911de
1
410
What's New in CDI 2.0 at JUG HH
mp911de
0
210
Reactive Spring Workshop
mp911de
1
980
Under the Hood of Reactive Data Access
mp911de
3
1.7k
Under the Hood of Reactive Data Access
mp911de
1
380

Other Decks in Programming

See All in Programming
『Railsオワコン』と言われる時代に、なぜブルーモ証券はRailsを選ぶのか
free_world21
1
350
Node.js v22 で変わること
yosuke_furukawa
PRO
11
3.9k
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
200
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
900
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
680
SIMD Parallel Programming with the Vector API
josepaumard
0
220
Site Reliability Engineering for GMO
pyama86
8
1.1k
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | AndroidMakers Paris
prof18
0
140
Netty Chicago Java User Group 2024-04-17
sullis
0
200
Snowflakeで眠ったデータを起こそう!
estie
0
140
Implementing Design Systems in Swift
seyfoyun
1
440
Polars入門
daikikatsuragawa
1
160

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
12
2.4k
The Invisible Customer
myddelton
114
12k
Building Your Own Lightsaber
phodgson
100
5.7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
33
6k
RailsConf 2023
tenderlove
8
550
Ruby is Unlike a Banana
tanoku
96
10k
Optimizing for Happiness
mojombo
370
69k
Six Lessons from altMBA
skipperchong
22
3k
Designing the Hi-DPI Web
ddemaree
276
33k
The Language of Interfaces
destraynor
151
23k
Raft: Consensus for Rubyists
vanstee
133
6.3k
BBQ
matthewcrist
80
8.8k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale Mark Paluch • Pivotal • @mp911de
  2. None

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 3 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  4. https://www.flickr.com/photos/dahlstroms/4188244058

  5. None

  6. https://www.flickr.com/photos/nateone/5456129071

  7. None
  8. None

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project ! Secure storages ! Sealing/Unsealing ! Multiple authentication mechanisms ! Multiple secret backends ! ACL/policies ! HA ! HTTP API 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions 10 Community Enterprise

  11. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  12. HTTP API curl -HX-Vault-Token:… \ https://localhost:8200/v1/secret/devoxx-pl GET /v1/secret/my-spring-boot-app HTTP/1.0 X-Vault-Token:

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 13

  14. https://www.flickr.com/photos/kristencavanaugh/10710047746

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods ! Token ! Username/password ! LDAP ! GitHub Token
 ! MFA (Duo) ! TLS Certificates ! App ID ! AppRole ! AWS EC2 15

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ X 1 Operator configures AppRole 2 Store RoleId in App configuration 3 Obtain SecretId 4 App start: Vault login with RoleId and SecretId AppRole

  17. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints ! Use SSL ! Keep unseal keys secret ! Operate in High-Availability setup 18

  20. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Vault Spring Cloud Vault Demo

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources ! Vault: vaultproject.io ! Code: github.com/spring-cloud/spring-cloud-vault ! Samples: github.com/mp911de/spring-cloud-vault-config-samples ! Slides: mp911.de/msas-devoxxpl 20 @mp911de

  22. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz