
Managing Secrets at Scale (DevoxxPL2017)

Mark Paluch

June 22, 2017


Transcript

  1. Managing Secrets at Scale
    Mark Paluch • Pivotal • @mp911de

    Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a
    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

  2.

  3. TomEE

    UserName test
    Password xMH5uM1V9vQzVUv5LG7YLA==
    PasswordCipher Static3DES

  4. https://www.flickr.com/photos/dahlstroms/4188244058

  5.

  6. https://www.flickr.com/photos/nateone/5456129071

  7.

  8.

  9. Vault Project
    • Secure storages
    • Sealing/Unsealing
    • Multiple authentication mechanisms
    • Multiple secret backends
    • ACL/policies
    • HA
    • HTTP API

  10. Vault Project: Editions
    • Community
    • Enterprise

  11. Demo: Start and initialize Vault

  12. HTTP API
    curl -HX-Vault-Token:… \
      https://localhost:8200/v1/secret/devoxx-pl

    GET /v1/secret/my-spring-boot-app HTTP/1.0
    X-Vault-Token: …

  13. Secret Backends

  14. https://www.flickr.com/photos/kristencavanaugh/10710047746

  15. Authentication methods
    • Token
    • Username/password
    • LDAP
    • GitHub Token
    • MFA (Duo)
    • TLS Certificates
    • App ID
    • AppRole
    • AWS EC2

  16. AppRole
    1. Operator configures AppRole
    2. Store RoleId in App configuration
    3. Obtain SecretId
    4. App start: Vault login with RoleId and SecretId
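Steps 2 to 4 of the AppRole flow, carried through to the `X-Vault-Token` read shown on the HTTP API slide, as an added Python example that is not part of the talk or of Spring Vault. It assumes a Vault server at `VAULT_ADDR` with the AppRole method mounted at its default path and a KV v1 secret at `secret/devoxx-pl`; the login reply used by the parsing functions is a constructed sample.

```python
import json
import os
import urllib.request

# Assumed (not from the slides): AppRole mounted at its default path, a KV v1
# secret at secret/devoxx-pl, and VAULT_ADDR pointing at the Vault server.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://localhost:8200")

# Constructed sample of a Vault login reply, shaped like the real API response.
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "s.constructed-token",
                                  "lease_duration": 3600, "renewable": True,
                                  "policies": ["default", "devoxx-pl"]}}

def build_login_request(vault_addr, role_id, secret_id):
    """Step 4: at app start, POST the RoleId (from config) and SecretId to AppRole login."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(f"{vault_addr}/v1/auth/approle/login", data=body,
                                  headers={"Content-Type": "application/json"}, method="POST")

def parse_login_response(payload):
    """Return the client token and its lease; Vault reports failures under 'errors'."""
    if "auth" not in payload:
        raise PermissionError(f"AppRole login failed: {payload.get('errors')}")
    auth = payload["auth"]
    return {"token": auth["client_token"], "ttl": auth["lease_duration"],
            "renewable": auth.get("renewable", False), "policies": list(auth.get("policies", []))}

def build_read_request(vault_addr, token, path):
    """GET /v1/<path> authenticated with the X-Vault-Token header (HTTP API slide)."""
    return urllib.request.Request(f"{vault_addr}/v1/{path}", headers={"X-Vault-Token": token})

def parse_kv_response(payload):
    """KV v1 read: the secret's key/value pairs live under 'data'."""
    if "data" not in payload:
        raise LookupError(f"secret read failed: {payload.get('errors')}")
    return dict(payload["data"])

def _send(request):
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.load(resp)

def approle_login_and_read(vault_addr, role_id, secret_id, path):
    """The whole exchange: log in once, then read the secret with the issued token."""
    session = parse_login_response(_send(build_login_request(vault_addr, role_id, secret_id)))
    return parse_kv_response(_send(build_read_request(vault_addr, session["token"], path)))

if __name__ == "__main__":
    # RoleId sits in app configuration; SecretId is injected at deploy time.
    print(approle_login_and_read(VAULT_ADDR, os.environ["ROLE_ID"],
                                 os.environ["SECRET_ID"], "secret/devoxx-pl"))
```

The token returned by the login carries a lease (`ttl`), so a long-running app renews or re-logs in rather than storing the token as if it were a permanent secret.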

  17. AWS-EC2
    1. Retrieve PKCS#7 identity document
    2. Vault Login (PKCS#7 + nonce)
    3. Vault: EC2 Instance check (EC2 API)

  18. Cubbyhole
    1. Create ephemeral and permanent tokens
    2. Store ephemeral token in App configuration
    3. App Start: Retrieve permanent token from Cubbyhole

  19. Operation hints
    • Use SSL
    • Keep unseal keys secret
    • Operate in High-Availability setup

  20. Demo: Spring Vault, Spring Cloud Vault

  21. Resources
    • Vault: vaultproject.io
    • Code: github.com/spring-cloud/spring-cloud-vault
    • Samples: github.com/mp911de/spring-cloud-vault-config-samples
    • Slides: mp911.de/msas-devoxxpl
    @mp911de

  22. Learn More. Stay Connected.
    Twitter: @mp911de
    Github: github.com/mp911de
    Website: paluch.biz