Vault Ringo De Smet - Skyscrapers 12 April 2017 1st Belgian Hashicorp User Group Meetup

What is Vault Vault is a tool for securely accessing secrets: ● Passwords ● API keys ● Certificates ● ...

Which problems does it solve? ● Keeping secrets out of source control ● Unified management to secrets for the multitude of systems ○ AWS ○ Database server ○ ... ● Short lived credentials ● Full audit trail of any secret access ● Revocation ○ Per credential ○ Per user ○ Per system

What does it offer? HTTP API Secret Backend Auth Backend Audit Backend Auth ● User/Pass ● TLS certs ● Okta ● RADIUS ● GitHub ● AWS EC2 ● MFA ● ... Secret ● AWS ● MySQL / PostgreSQL ● Consul ● MongoDB ● PKI (Certificates) ● RabbitMQ ● SSH ● ... Audit ● File ● Syslog ● Socket

What does it offer? HTTP API Secret Backend Auth Backend Audit Backend ACL Define which auth identity (user or service) may access which secret(s) by way of profiles

DEMO ● Getting short lived (aka dynamic) credentials from AWS ● Getting short lived credentials from PostgreSQL

Actual setup HTTP API Secret: AWS Auth: GitHub Org Audit Backend Give Vault just enough rights to create access secrets: ● Create an IAM user manually ● Assign it a role only allowing it to create IAM users or STS tokens ● Configure Vault with a keypair of that user Vault CLI ● Give Vault a GitHub API token ● Set the GitHub org that has access ● Map Github org teams to profiles

But... If a service needs to login to Vault to get access to a secret where do I store the Vault credentials?

The solution: the proper Auth backend Remember AWS EC2 instance profiles? Vault has a similar Auth backend: AWS-EC2 ● Instance identity document: PKCS#7 doc signed by AWS ● Public keys published by AWS per region ● Vault checks the signature & the current EC2 instance running status ● Using tags as roles for authorization purposes

Thank you. Ringo De Smet @ringods Skyscrapers @skyscrapers