Slide 1

DevOpsDays Istanbul, September 2021
@joatmon08
Secrets Management for Development & Operations

Slide 2

Secrets: passwords, API tokens, SSL certificates, or any other sensitive information used to access something else.

Slide 3

We have a secrets manager!

Slide 4

It will help us securely access, store, revoke, and rotate secrets.

Slide 5

Immutability & ephemerality in security changes development and operations workflows.

Slide 6

How does it affect my development or operations workflows?

Slide 7

What do I need to know to adopt a secrets manager?

Slide 8

Rosemary Wang
Developer Advocate at HashiCorp
she/her
joatmon08.github.io
@joatmon08

Slide 9

What you need to know
▪ Organizing your secrets manager
▪ Comparing patterns for secrets injection
▪ Adding a secrets manager to your:
  – Delivery pipelines
  – Infrastructure
  – Local development
  – Applications

Slide 10

Organize your secrets manager

Slide 11

Authentication: try using protocols or built-in methods.

Diagram: the target authenticates to the secrets manager to reach /business/secret using OIDC/JWT, Kubernetes, cloud providers, or tokens (avoid username/password!).

Slide 12

Access control: implement least-privilege access by business domain, environment, and usage.

Diagram: the dev target is allowed to read from /business/dev/secret and the prod target from /business/prod/secret; administrators are allowed to write to /business/*.
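The least-privilege split on this slide, written out as a deny-by-default policy check. This is an added example, not the talk's or any secrets manager's own code; the identities, capabilities and paths are constructed, and the trailing-`*` rule imitates a path glob rather than any product's exact policy syntax.

```python
# Constructed policies mirroring the slide: each target may only read its
# own environment's secret; administrators may write anywhere under the
# business domain. Anything not listed here is denied.
POLICIES = {
    "target-dev": [("read", "/business/dev/secret")],
    "target-prod": [("read", "/business/prod/secret")],
    "administrators": [("write", "/business/*")],
}


def path_matches(pattern, path):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def is_allowed(identity, capability, path, policies=POLICIES):
    """Deny by default: True only if a rule grants exactly this capability on path."""
    return any(
        cap == capability and path_matches(pattern, path)
        for cap, pattern in policies.get(identity, [])
    )


def reachable(identity, capability, paths, policies=POLICIES):
    """Review helper: which of `paths` this identity can touch with `capability`."""
    return sorted(p for p in paths if is_allowed(identity, capability, p, policies))
```

Note that "write" does not imply "read": an administrator policy that only writes cannot read secrets back, which is the kind of separation by usage the slide asks for.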

Slide 13

Reasonable TTLs: you don't need a database password rotated every five seconds.

Diagram: the target authenticates to the secrets manager and gets /business/secret. Set the renewal interval to be at least half the TTL of the secret.

Slide 14

1. Use built-in authentication protocols
2. Set up access control for secrets
3. Configure a reasonable time-to-live

Slide 15

Compare secrets injection patterns

Slide 16

Direct: use a script or client library.

Diagram: the target authenticates to the secrets manager and gets /business/secret.

Slide 17

Sidecar: a separate async process.

Diagram: the sidecar authenticates to the secrets manager, gets /business/secret, and writes it to a file; the target reads the file.

Slide 18

Add a secrets manager

Slide 19

Delivery pipelines: use secrets for deployment

Slide 20

Diagram (direct pattern): unit tests → integration tests → deploy to dev (get secrets for dev from the secrets manager, /business/secret) → integration tests → deploy to prod (get secrets for prod from the secrets manager, /business/secret).

Consider…
• Separate by manager versus path
• Only allow certain CI runners to authenticate

Slide 21

Infrastructure: defining secrets "as code"

Slide 22

Code editor:

resource "aws_db_instance" "products" {
  allocated_storage = 10
  engine            = "postgres"
  engine_version    = "11.6"
  instance_class    = "db.t3.micro"
  name              = "products"
  identifier        = "${var.name}-products"
  # credentials come in as variables rather than literals in the code
  username          = var.database_username
  password          = var.database_password
}

Slide 23

Diagram: get the "bootstrap" database password from the secrets manager (/business/secret), pass it to infrastructure as code, configure the database, then rotate the "bootstrap" database password.

Consider…
• Configuration drift versus security
• Secret storage in infrastructure as code

Slide 24

Local development: retrieving secrets for testing

Slide 25

Diagram: secure access management gets credentials from the secrets manager (/business/secret) and logs into the database.

Consider…
• Tracking human versus service access
• Evaluate TTL for development testing

Slide 26

Applications: "inject" secrets while running

Slide 27

Diagram (direct pattern): start the application; the application uses a client library to get the secret from the secrets manager (/business/secret); new secret? restart the application.

You must…
• Implement application reload or a separate thread to get secrets
• Account for connection failure to the secrets manager (in your application code)
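The two "you must" items above, plus the renewal rule from the TTL slide, in one place: a cache refreshed on a separate thread that renews at half the secret's TTL and keeps the last good value when the secrets manager is unreachable. Added example, not code from the talk; `FakeSecretsManager` is a constructed stand-in for whatever client library you use, and its `read` returning `(value, ttl_seconds)` is an assumption about that library's shape.

```python
import threading


class FakeSecretsManager:
    """Constructed stand-in for a client library (not a real Vault client)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.version = 0
        self.unreachable = False  # flip to simulate a connection failure

    def read(self, path):
        """Return (value, ttl_seconds) for a leased secret, or raise when down."""
        if self.unreachable:
            raise ConnectionError(f"cannot reach secrets manager for {path}")
        self.version += 1
        return f"db-password-v{self.version}", self.ttl


class SecretCache:
    """Direct pattern: the app reads `value`; a separate thread keeps it fresh."""

    def __init__(self, client, path, min_wait=1.0, max_backoff=30.0):
        self.client, self.path = client, path
        self.min_wait, self.max_backoff = min_wait, max_backoff
        self.value, self.failures = None, 0
        self._lock, self._stop = threading.Lock(), threading.Event()

    def refresh_once(self):
        """Fetch the secret once; return seconds to wait before the next attempt."""
        try:
            value, ttl = self.client.read(self.path)
        except ConnectionError:
            # Connection failure: keep serving the last good secret and back off.
            self.failures += 1
            return min(self.min_wait * 2 ** self.failures, self.max_backoff)
        with self._lock:
            self.value = value
        self.failures = 0
        return max(ttl / 2, self.min_wait)  # renew at half the TTL (slide 13)

    def start(self):
        """Run the refresh loop on its own thread so the app never blocks on it."""
        def loop():
            while not self._stop.is_set():
                self._stop.wait(self.refresh_once())
        threading.Thread(target=loop, daemon=True).start()
```

A restart-on-new-secret design, as in the diagram, can drop `start()` and simply call `refresh_once()` at boot; the backoff and last-good-value handling still apply.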

Slide 28

Spring Cloud: add to bootstrap.yml

spring.cloud.vault:
  authentication: APPROLE
  app-role:
    role-id: REDACTED
    secret-id: REDACTED
  mysql:
    enabled: true
    role: readonly
    backend: mysql
    username-property: spring.datasource.username
    password-property: spring.datasource.password

Slide 29

.NET example: add a configuration provider

using VaultSharp;
using VaultSharp.V1.AuthMethods.AppRole;

// Constructor of the custom provider: authenticate to Vault with AppRole
// using the address, role ID and secret ID carried in VaultOptions.
public VaultConfigurationProvider(VaultOptions config)
{
    _config = config;
    var vaultClientSettings = new VaultClientSettings(
        _config.Address,
        new AppRoleAuthMethodInfo(_config.Role, _config.Secret)
    );
    _client = new VaultClient(vaultClientSettings);
}

Slide 30

.NET example: add an extension method

using System;
using Microsoft.Extensions.Configuration;

// Lets callers write builder.AddVault(o => { ... }) like any other source.
public static class VaultExtensions
{
    public static IConfigurationBuilder AddVault(
        this IConfigurationBuilder configuration,
        Action<VaultOptions> options)
    {
        var vaultOptions = new VaultConfigurationSource(options);
        configuration.Add(vaultOptions);
        return configuration;
    }
}

Slide 31

Diagram (sidecar pattern): a sidecar process gets /business/secret from the secrets manager and writes it to a configuration file; start the application; the application reads configuration from the file; change to the file? restart the application.

You must…
• Configure a separate process
• Access control to the file
• Configure application reload if the file changes (Spring, .NET)
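Both halves of the sidecar pattern on this slide, as an added example that is not the talk's code: the writer side replaces the file atomically with owner-only permissions, and the application side refuses a file other users can reach and reloads only when the content actually changes. The JSON layout and the password values are constructed; a real sidecar would write whatever format your application reads.

```python
import hashlib
import json
import os
import stat
import tempfile

def write_secret_file(path, data):
    """Sidecar side: atomic write (temp + rename) with owner-only mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, path)  # the application never sees a half-written file


class FileSecretSource:
    """Application side: reload configuration only when the file changes."""

    def __init__(self, path):
        self.path, self.config, self.reloads, self._digest = path, None, 0, None

    def poll(self):
        """Return True when a new configuration was loaded."""
        if os.stat(self.path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Access control to the file: refuse one other users can read or modify.
            raise PermissionError(f"{self.path} is group/world accessible")
        with open(self.path, "rb") as f:
            raw = f.read()
        digest = hashlib.sha256(raw).hexdigest()
        if digest == self._digest:
            return False  # same content, nothing to reload
        self.config, self._digest = json.loads(raw), digest
        self.reloads += 1
        return True


def demo():
    """Constructed sidecar/app exchange; returns the observed reload behaviour."""
    path = os.path.join(tempfile.mkdtemp(), "db.json")
    write_secret_file(path, {"password": "bootstrap-v1"})  # constructed value
    source = FileSecretSource(path)
    first, unchanged = source.poll(), source.poll()
    write_secret_file(path, {"password": "rotated-v2"})  # sidecar rotates it
    second = source.poll()
    os.chmod(path, 0o644)  # simulate a misconfigured, world-readable file
    try:
        source.poll()
        refused = False
    except PermissionError:
        refused = True
    return first, unchanged, second, source.reloads, source.config["password"], refused
```

Call `poll()` from a timer or file-watch hook; when it returns True, re-create the database connection (or restart the application, as the diagram does) with the new values.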

Slide 32

What you need to know
▪ Organizing a secrets manager
▪ Comparing patterns for secrets injection
▪ Adding a secrets manager to your:
  – Delivery pipelines
  – Infrastructure
  – Local development
  – Applications

Slide 33

Learn more…
▪ Delivery pipeline: youtu.be/qgF7XquqVSA
▪ Application + secrets management deep dive: youtu.be/gO4i_s0h1uo
▪ Application client libraries (tutorials & getting started)
  – learn.hashicorp.com/collections/vault/app-integration
  – cloud.spring.io/spring-cloud-vault/reference/html/
▪ Kubernetes + Vault
  – learn.hashicorp.com/tutorials/vault/kubernetes-sidecar
  – learn.hashicorp.com/tutorials/vault/kubernetes-secret-store-driver

Slide 34

Thank you!
Rosemary Wang
joatmon08.github.io
@joatmon08