Managing Secrets at Scale (DevoxxPL2017)

Mark Paluch

June 22, 2017

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

     Managing Secrets at Scale. Mark Paluch • Pivotal • @mp911de
  2. None
  3. TomEE

         <Resource id="MySQL Database" type="DataSource">
             UserName test
             Password xMH5uM1V9vQzVUv5LG7YLA==
             PasswordCipher Static3DES
         </Resource>
  4. https://www.flickr.com/photos/dahlstroms/4188244058

  5. None
  6. https://www.flickr.com/photos/nateone/5456129071

  7. None
  8. None
  9. Vault Project
     - Secure storages
     - Sealing/Unsealing
     - Multiple authentication mechanisms
     - Multiple secret backends
     - ACL/policies
     - HA
     - HTTP API
  10. Vault Project: Editions
      - Community
      - Enterprise
  11. Start and initialize Vault (Demo)
  12. HTTP API

          curl -H "X-Vault-Token: …" \
              https://localhost:8200/v1/secret/devoxx-pl

          GET /v1/secret/my-spring-boot-app HTTP/1.0
          X-Vault-Token:

  13. Secret Backends
  14. https://www.flickr.com/photos/kristencavanaugh/10710047746

  15. Authentication methods
      - Token
      - Username/password
      - LDAP
      - GitHub Token
      - MFA (Duo)
      - TLS Certificates
      - App ID
      - AppRole
      - AWS EC2
  16. AppRole
      1. Operator configures AppRole
      2. Store RoleId in App configuration
      3. Obtain SecretId
      4. App start: Vault login with RoleId and SecretId
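The AppRole login from step 4, carried through to the secret read shown with curl on slide 12, as an added Python example that is not from the talk or the Spring Cloud Vault project. The Vault address, the role/secret IDs, the token and the offline stand-in server are constructed assumptions; against a real Vault, pass the default `http_json` transport instead.

```python
import json
import urllib.request

VAULT_ADDR = "https://localhost:8200"  # assumption: same address as the slide-12 curl call

def http_json(method, url, headers=None, body=None):
    """Default transport: one JSON-over-HTTP call to Vault, returning the parsed body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers or {}))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())

def approle_login(role_id, secret_id, transport=http_json, addr=VAULT_ADDR):
    """Step 4: present RoleId (from app config) and SecretId, receive a client token."""
    resp = transport("POST", addr + "/v1/auth/approle/login",
                     body={"role_id": role_id, "secret_id": secret_id})
    return resp["auth"]["client_token"]

def read_secret(token, path, transport=http_json, addr=VAULT_ADDR):
    """The slide-12 request: GET /v1/secret/<path> authenticated with X-Vault-Token."""
    resp = transport("GET", addr + "/v1/secret/" + path, headers={"X-Vault-Token": token})
    return resp["data"]

# Constructed stand-in for a Vault server so the flow can be exercised offline.
FAKE_ROLE_ID = "role-id-kept-in-app-config"          # constructed value
FAKE_SECRET_ID = "secret-id-delivered-out-of-band"   # constructed value
FAKE_TOKEN = "s.constructed-client-token"            # constructed value

def fake_vault(method, url, headers=None, body=None):
    """Serves only the two endpoints the flow uses; raises where Vault would answer 403."""
    path = url.split("/v1/", 1)[1]
    body, headers = body or {}, headers or {}
    if method == "POST" and path == "auth/approle/login":
        # RoleId alone must not log in: a leaked app config is useless without the SecretId.
        if body.get("role_id") != FAKE_ROLE_ID or body.get("secret_id") != FAKE_SECRET_ID:
            raise PermissionError("invalid role or secret ID")
        return {"auth": {"client_token": FAKE_TOKEN, "lease_duration": 3600}}
    if method == "GET" and path == "secret/devoxx-pl":
        if headers.get("X-Vault-Token") != FAKE_TOKEN:
            raise PermissionError("permission denied")
        return {"data": {"db.password": "constructed-db-password"}}
    raise FileNotFoundError(path)

def bootstrap_app(role_id, secret_id, transport=fake_vault):
    """App start: log in via AppRole, then read the app's secret with the issued token."""
    token = approle_login(role_id, secret_id, transport)
    return read_secret(token, "devoxx-pl", transport)
```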
  17. AWS-EC2
      1. Retrieve PKCS#7 identity document
      2. Vault Login (PKCS#7 + nonce)
      3. Vault: EC2 Instance check (EC2 API)
  18. Cubbyhole
      1. Create ephemeral and permanent tokens
      2. Store ephemeral token in App configuration
      3. App Start: Retrieve permanent token from Cubbyhole
  19. Operation hints
      - Use SSL
      - Keep unseal keys secret
      - Operate in High-Availability setup
  20. Spring Vault, Spring Cloud Vault (Demo)
  21. Resources
      - Vault: vaultproject.io
      - Code: github.com/spring-cloud/spring-cloud-vault
      - Samples: github.com/mp911de/spring-cloud-vault-config-samples
      - Slides: mp911.de/msas-devoxxpl
      @mp911de
  22. Learn More. Stay Connected.
      - Twitter: @mp911de
      - GitHub: github.com/mp911de
      - Website: paluch.biz