Slide 1

Slide 1 text

Managing Secrets at Scale
Mark Paluch • Pivotal • @mp911de

Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/


Slide 3

Slide 3 text

TomEE

  UserName        test
  Password        xMH5uM1V9vQzVUv5LG7YLA==
  PasswordCipher  Static3DES

(The Static3DES cipher decrypts with a key fixed inside the TomEE library, so the Password value is obfuscated rather than protected: whoever can read this configuration can recover the plaintext.)

Slide 4

Slide 4 text

https://www.flickr.com/photos/dahlstroms/4188244058


Slide 6

Slide 6 text

https://www.flickr.com/photos/nateone/5456129071



Slide 9

Slide 9 text

Vault Project

- Secure storage
- Sealing/Unsealing
- Multiple authentication mechanisms
- Multiple secret backends
- ACL/policies
- HA
- HTTP API

Slide 10

Slide 10 text

Vault Project: Editions

- Community
- Enterprise

Slide 11

Slide 11 text

Demo: Start and initialize Vault

Slide 12

Slide 12 text

HTTP API

  curl -H "X-Vault-Token: …" \
       https://localhost:8200/v1/secret/devoxx-pl

  GET /v1/secret/my-spring-boot-app HTTP/1.0
  X-Vault-Token: …

Slide 13

Slide 13 text

Secret Backends

Slide 14

Slide 14 text

https://www.flickr.com/photos/kristencavanaugh/10710047746

Slide 15

Slide 15 text

Authentication methods

- Token
- Username/password
- LDAP
- GitHub Token
- MFA (Duo)
- TLS Certificates
- App ID
- AppRole
- AWS EC2

Slide 16

Slide 16 text

AppRole

1. Operator configures AppRole
2. Store RoleId in App configuration
3. Obtain SecretId
4. App start: Vault login with RoleId and SecretId
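
The four AppRole steps as one executable flow against Vault's HTTP API. This is an added example written for this page, not code from the slides or from Spring Cloud Vault. The endpoint paths (auth/approle/login, secret/<path>) and JSON field names are Vault's documented ones; VAULT_ADDR, the role and secret IDs, the secret path and the canned responses in fake_vault are made-up placeholders. The HTTP transport is injectable so the flow runs offline against fake_vault and can be pointed at a real server by passing the default http_json transport.

```python
"""AppRole login followed by a secret read over Vault's HTTP API.

Added example; not code from the slides or from Spring Cloud Vault. The
endpoint paths (auth/approle/login, secret/<path>) and the JSON field names
are Vault's documented ones. VAULT_ADDR, the role/secret IDs, the secret
path and the canned responses in fake_vault are made-up placeholders. The
transport is injectable so the flow runs offline against fake_vault.
"""
import json
import urllib.request

VAULT_ADDR = "https://localhost:8200"   # assumption: local dev server with TLS


def http_json(method, url, headers, body=None):
    """Default transport: JSON request via urllib, parsed JSON back."""
    data = json.dumps(body).encode() if body is not None else None
    headers = dict(headers)
    if body is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def approle_login(role_id, secret_id, vault_addr=VAULT_ADDR, transport=http_json):
    """Step 4 on the slide: trade RoleId + SecretId for a client token.

    Returns the token with its lease metadata so the caller can renew it
    before lease_duration seconds have passed.
    """
    if not vault_addr.startswith("https://"):
        # The SecretId crosses the wire here; never do that over plaintext HTTP.
        raise ValueError("refusing to send the SecretId over plaintext HTTP")
    resp = transport("POST", f"{vault_addr}/v1/auth/approle/login", {},
                     {"role_id": role_id, "secret_id": secret_id})
    auth = resp["auth"]
    return {"token": auth["client_token"],
            "lease_duration": auth["lease_duration"],
            "renewable": auth["renewable"],
            "policies": auth["policies"]}


def read_secret(token, path, vault_addr=VAULT_ADDR, transport=http_json):
    """GET /v1/secret/<path> with the X-Vault-Token header (KV v1 layout)."""
    resp = transport("GET", f"{vault_addr}/v1/secret/{path}",
                     {"X-Vault-Token": token})
    return resp["data"]


# Constructed stand-in for Vault: response shapes follow the real API, values are made up.
def fake_vault(method, url, headers, body=None):
    if method == "POST" and url.endswith("/v1/auth/approle/login"):
        if body != {"role_id": "db-app-role-id", "secret_id": "one-time-secret-id"}:
            raise PermissionError("403: invalid role or secret ID")
        return {"auth": {"client_token": "s.fakeAppRoleToken",
                         "policies": ["default", "db-app"],
                         "lease_duration": 1200, "renewable": True}}
    if method == "GET" and url.endswith("/v1/secret/db-app"):
        if headers.get("X-Vault-Token") != "s.fakeAppRoleToken":
            raise PermissionError("403: permission denied")
        return {"lease_duration": 2764800, "renewable": False,
                "data": {"username": "app", "password": "correct horse battery staple"}}
    raise LookupError(f"unexpected request: {method} {url}")


def demo(transport=fake_vault):
    """Run step 4 and the subsequent secret read; returns (login, secret)."""
    login = approle_login("db-app-role-id", "one-time-secret-id", transport=transport)
    secret = read_secret(login["token"], "db-app", transport=transport)
    return login, secret


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The SecretId is the sensitive half of the pair: the RoleId can live in the app configuration (step 2), but the SecretId should be delivered out of band and is typically single-use and short-lived, so step 3 is what an operator or CI system does just before start, not something baked into an image.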

Slide 17

Slide 17 text

AWS-EC2

1. Retrieve PKCS#7 identity document
2. Vault Login (PKCS#7 + nonce)
3. Vault: EC2 Instance check (EC2 API)
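
The three AWS-EC2 steps, with the detail the slide leaves implicit: the nonce. This is an added example written for this page, not code from the slides. The instance-metadata URL, the POST /v1/auth/aws-ec2/login endpoint and its role/pkcs7/nonce fields are the documented ones; VAULT_ADDR, the role name, the nonce file and the canned responses in FakeEc2Auth are assumptions. Real Vault verifies the PKCS#7 signature and queries the EC2 API (step 3); FakeEc2Auth models only the nonce rule that makes the identity document safe to use even though every process on the instance can read it: the nonce presented at the instance's first login is bound to it, and later logins must present the same one.

```python
"""AWS EC2 login against Vault: PKCS#7 identity document plus a client nonce.

Added example; not code from the slides. The instance-metadata URL, the
POST /v1/auth/aws-ec2/login endpoint and its role/pkcs7/nonce fields are the
documented ones. VAULT_ADDR, the role name, the nonce file and the canned
responses in FakeEc2Auth are assumptions. Real Vault checks the PKCS#7
signature and queries the EC2 API (step 3); FakeEc2Auth models only the
nonce rule: the nonce sent on an instance's first login is bound to it, and
every later login from that instance has to present the same nonce.
"""
import json
import os
import secrets
import tempfile
import urllib.request

METADATA_PKCS7 = "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
VAULT_ADDR = "https://vault.internal:8200"   # assumption


def fetch_pkcs7(url=METADATA_PKCS7):
    """Step 1: the signed identity document comes from the instance metadata service."""
    with urllib.request.urlopen(url, timeout=2) as resp:
        return resp.read().decode()


def load_or_create_nonce(path):
    """Generate the nonce once and keep it on disk, readable only by the app user.
    Losing it locks the instance out until an operator clears its entry in Vault."""
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        nonce = secrets.token_urlsafe(32)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(nonce)
        return nonce


def post_json(url, body):
    """Default transport for a real Vault server."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def ec2_login(role, pkcs7, nonce, vault_addr=VAULT_ADDR, post=post_json):
    """Step 2: send the identity document and nonce; Vault performs step 3 itself."""
    resp = post(f"{vault_addr}/v1/auth/aws-ec2/login",
                {"role": role, "pkcs7": pkcs7, "nonce": nonce})
    return resp["auth"]["client_token"]


class FakeEc2Auth:
    """Constructed stand-in for the aws-ec2 backend (nonce binding only)."""

    def __init__(self):
        self.bound = {}   # instance_id -> nonce presented at first login

    def post(self, url, body):
        if not url.endswith("/v1/auth/aws-ec2/login"):
            raise LookupError(url)
        # A real pkcs7 value is AWS's signed document; here it is "FAKE-PKCS7:<instance-id>".
        instance_id = body["pkcs7"].split(":", 1)[1]
        first = self.bound.setdefault(instance_id, body["nonce"])
        if first != body["nonce"]:
            raise PermissionError(f"403: nonce mismatch for {instance_id}")
        return {"auth": {"client_token": f"s.ec2.{instance_id}",
                         "metadata": {"instance_id": instance_id, "nonce": first}}}


def demo():
    """Two boots with the persisted nonce succeed; a replay with a fresh nonce is refused."""
    vault = FakeEc2Auth()
    pkcs7 = "FAKE-PKCS7:i-0123456789abcdef0"     # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vault-nonce")
        first_boot = ec2_login("web", pkcs7, load_or_create_nonce(path), post=vault.post)
        restart = ec2_login("web", pkcs7, load_or_create_nonce(path), post=vault.post)
    try:
        ec2_login("web", pkcs7, secrets.token_urlsafe(32), post=vault.post)
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return {"token": first_boot, "same_after_restart": first_boot == restart,
            "replay_refused": replay_refused}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The identity document proves the request came from a real EC2 instance, not that it came from the intended process on it; the persisted nonce is what stops a later reader of the metadata service from logging in as that instance.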

Slide 18

Slide 18 text

Cubbyhole

1. Create ephemeral and permanent tokens
2. Store ephemeral token in App configuration
3. App Start: Retrieve permanent token from Cubbyhole
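
The cubbyhole handoff above, operator side and app side, as an added example written for this page (not code from the slides). The API paths and fields (auth/token/create with num_uses, cubbyhole/<path>, auth.client_token) are Vault's documented ones; the token values, policy names and TTLs are made up. FakeVault is a constructed in-memory stand-in that enforces only the two properties the pattern relies on: cubbyhole data is visible only to the token that wrote it, and a token created with num_uses=2 is revoked after its second request.

```python
"""Cubbyhole handoff of a permanent token via a two-use ephemeral token.

Added example; not code from the slides. API paths and fields follow Vault's
HTTP API (auth/token/create, cubbyhole/<path>); token values, policies and
TTLs are made up. FakeVault is a constructed stand-in, not Vault: it models
per-token cubbyholes and num_uses exhaustion and nothing else.
"""
import secrets


class FakeVault:
    def __init__(self, root_token="s.root"):
        # token -> {"uses_left": int or None (unlimited), "cubbyhole": {path: data}}
        self.tokens = {root_token: {"uses_left": None, "cubbyhole": {}}}

    def request(self, method, path, token, body=None):
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("403: invalid or revoked token")
        if entry["uses_left"] is not None:
            entry["uses_left"] -= 1
            if entry["uses_left"] == 0:
                # num_uses exhausted: this request still succeeds, then the token is gone.
                del self.tokens[token]
        if method == "POST" and path == "auth/token/create":
            new = "s." + secrets.token_hex(8)
            self.tokens[new] = {"uses_left": body.get("num_uses"), "cubbyhole": {}}
            return {"auth": {"client_token": new}}
        if path.startswith("cubbyhole/"):
            # The cubbyhole is scoped to the calling token; no other token can read it.
            key = path[len("cubbyhole/"):]
            if method == "POST":
                entry["cubbyhole"][key] = body
                return {}
            if method == "GET":
                if key not in entry["cubbyhole"]:
                    raise LookupError("404: no data at " + path)
                return {"data": entry["cubbyhole"][key]}
        raise LookupError(f"unsupported request: {method} {path}")


def operator_prepare(vault, operator_token, app_policies):
    """Steps 1 and 2 from the slide, run by the operator."""
    # 1a. The long-lived token the app will actually work with.
    permanent = vault.request("POST", "auth/token/create", operator_token,
                              {"policies": app_policies, "ttl": "720h"})["auth"]["client_token"]
    # 1b. A throwaway token usable exactly twice: once to be filled, once to be emptied.
    ephemeral = vault.request("POST", "auth/token/create", operator_token,
                              {"policies": ["default"], "ttl": "5m", "num_uses": 2})["auth"]["client_token"]
    # 1c. Park the permanent token in the ephemeral token's own cubbyhole (use #1).
    vault.request("POST", "cubbyhole/app-token", ephemeral, {"token": permanent})
    # 2. Only the ephemeral token goes into the app's configuration.
    return ephemeral, permanent


def app_start(vault, config_token):
    """Step 3: at startup, trade the configured token for the permanent one (use #2)."""
    return vault.request("GET", "cubbyhole/app-token", config_token)["data"]["token"]


def demo():
    vault = FakeVault()
    ephemeral, permanent = operator_prepare(vault, "s.root", ["app-secrets"])
    retrieved = app_start(vault, ephemeral)
    # Whoever finds the config token afterwards gets nothing: it is spent.
    try:
        app_start(vault, ephemeral)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"handoff_ok": retrieved == permanent, "replay_blocked": replay_blocked}


if __name__ == "__main__":
    print(demo())
```

The value of the pattern is that the secret in the configuration file is worthless after one use: if someone reads the file before the app starts and spends the token themselves, the app's own retrieval fails and the theft is detected rather than silent.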

Slide 19

Slide 19 text

Operation hints

- Use TLS
- Keep unseal keys secret
- Operate in a High-Availability setup

Slide 20

Slide 20 text

Demo: Spring Vault, Spring Cloud Vault

Slide 21

Slide 21 text

Resources

- Vault: vaultproject.io
- Code: github.com/spring-cloud/spring-cloud-vault
- Samples: github.com/mp911de/spring-cloud-vault-config-samples
- Slides: mp911.de/msas-devoxxpl

@mp911de

Slide 22

Slide 22 text

Learn More. Stay Connected.

- Twitter: @mp911de
- Github: github.com/mp911de
- Website: paluch.biz