Slide 1

Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

Managing Secrets at Scale with Vault
Christoph Strobl, Pivotal Software, Inc.
@stroblchristoph #devone

Slide 2


Slide 3

Apache TomEE – Encryption to the Rescue

    JdbcDriver   com.mysql.jdbc.Driver
    JdbcUrl      jdbc:mysql://localhost/test
    UserName     test
    Password     Passw0rd

Slide 4

Apache TomEE – Encryption to the Rescue

    JdbcDriver       com.mysql.jdbc.Driver
    JdbcUrl          jdbc:mysql://localhost/test
    UserName         test
    Password         xMH5uM1V9vQzVUv5LG7YLA==
    PasswordCipher   Static3DES

Slide 5

Symmetric vs. Asymmetric

Slide 6

https://www.flickr.com/photos/dahlstroms/4188244058

Slide 7

Say, change that Password once again!

Slide 8


Slide 9


Slide 10

•  Secure secret storage
•  Sealing
•  Revocation
•  Leasing and renewal
•  Multiple secret backends
•  Access control policies
•  HTTP endpoint

Slide 11

Community and Enterprise

•  Secret Storage
•  Tokens & ACL
•  Dynamic Secrets
•  Leasing and renewal
•  Key Rolling
•  Audit Logs
•  Hardware Security Modules
•  24x7 Support

Slide 12

Getting Started – Init Vault

    $ vault init -key-shares=1 -key-threshold=1
    Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244
    Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e
    $ vault status
    Sealed: true
    Key Shares: 1
    Key Threshold: 1
    Unseal Progress: 0

Slide 13

Getting Started – Unseal Vault & Auth Client

    $ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950…
    Sealed: false
    Key Shares: 1
    Key Threshold: 1
    Unseal Progress: 0
    $ vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e
    Successfully authenticated!
    token: eb5229d6-9858-d494-a1d7-820cae1ea31e
    token_duration: 0
    token_policies: [root]
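The `-key-shares` / `-key-threshold` options on the previous slide split Vault's master key with Shamir's Secret Sharing, so that any threshold-sized subset of the shares unseals the server and fewer shares reveal nothing about the key. The following example is added here and is not Vault's code: it implements the split and recovery over a small prime field and models the seal as a `Barrier` that reports `unseal_progress` the way `vault status` does. The field prime, the `Barrier` class and the fingerprint check that rejects a wrong share combination are illustrative assumptions.

```python
"""Shamir secret sharing and a seal model in the style of `vault init`/`vault unseal`.

Added example, not Vault's implementation. Arithmetic is over GF(P) for a
127-bit Mersenne prime, which is large enough to hold a 16-byte toy master key.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # prime modulus for the toy field (assumption for illustration)


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x over GF(P), Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, shares, threshold):
    """Return `shares` points (x, y) of which any `threshold` reconstruct `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(P); `points` must have distinct x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _fingerprint(key):
    """Hash used only to check that submitted shares reconstruct the right key."""
    return hashlib.sha256(key.to_bytes(16, "big")).digest()


class Barrier:
    """Seal model: shares accumulate until the threshold is met, then the key is rebuilt."""

    def __init__(self, key_fingerprint, threshold):
        self._fingerprint = key_fingerprint
        self.threshold = threshold
        self._pending = {}       # x -> y of shares submitted so far
        self._master_key = None  # None while sealed

    @property
    def sealed(self):
        return self._master_key is None

    def status(self):
        return {"sealed": self.sealed, "key_threshold": self.threshold,
                "unseal_progress": len(self._pending)}

    def unseal(self, share):
        """Submit one share; progress resets to 0 once the threshold is reached."""
        if not self.sealed:
            return self.status()
        x, y = share
        self._pending[x] = y
        if len(self._pending) >= self.threshold:
            candidate = recover_secret(list(self._pending.items()))
            self._pending = {}
            if not hmac.compare_digest(_fingerprint(candidate), self._fingerprint):
                raise ValueError("unseal failed: shares do not reconstruct the master key")
            self._master_key = candidate
        return self.status()

    def seal(self):
        self._master_key = None
        self._pending = {}


def init_vault(key_shares=1, key_threshold=1):
    """Like `vault init`: generate a master key, split it, return (barrier, shares)."""
    master_key = secrets.randbelow(P)
    shares = split_secret(master_key, key_shares, key_threshold)
    return Barrier(_fingerprint(master_key), key_threshold), shares
```

With `key_shares=1, key_threshold=1`, as on the slide, the single share is the key itself, which is why a demo setup is fine but production deployments hand distinct shares to distinct operators.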

Slide 14

Getting Started – Write & Read Secrets

    $ vault write secret/devone value=awesome
    Success! Data written to: secret/devone
    $ vault read secret/devone
    Key             Value
    lease_duration  2592000
    value           awesome

Slide 15

Getting Started – HTTP API

    $ curl -H "X-Vault-Token: eb5229d6-9858-d494" :49222/v1/secret/devone
    {
      "lease_id": null,
      "renewable": false,
      "lease_duration": 2592000,
      "data": { "value": "awesome" },
      "wrap_info": null,
      …
    }

Slide 16

Getting Started – Seal Vault

    $ vault seal
    Vault is now sealed.
    $ vault read secret/devone
    Error reading secret/devone: Error making API request.
    URL: GET :49222/v1/secret/devone
    Code: 503. Errors:
    * Vault is sealed
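The CLI calls on the last three slides are thin wrappers over the HTTP API: the token travels in the `X-Vault-Token` header, a successful read returns the secret under `data` together with its `lease_duration`, and a sealed server answers 503 with `"errors": ["Vault is sealed"]`. The following example is added here and is not code from the talk. It starts a small local stand-in for that API (the `FakeVault` handler, its constructed root token and the 403 "permission denied" for a bad token are assumptions modelled on Vault's behaviour; the 503 body is taken from the slide) and shows a client that distinguishes a readable secret, a sealed server and a rejected token.

```python
"""Vault HTTP API client exercised against a local stand-in server.

Added example. The stand-in reproduces only the parts of the API the slides
show; the token and stored value are constructed, not real.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROOT_TOKEN = "example-root-token"                  # constructed, not a real token
STORE = {"secret/devone": {"value": "awesome"}}   # what `vault write secret/devone value=awesome` stored
STATE = {"sealed": False}


class FakeVault(BaseHTTPRequestHandler):
    """Minimal stand-in for GET /v1/<path> with Vault's status codes."""

    def _send(self, code, body):
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if STATE["sealed"]:                               # sealed: nothing is readable
            return self._send(503, {"errors": ["Vault is sealed"]})
        if self.headers.get("X-Vault-Token") != ROOT_TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        path = self.path[len("/v1/"):]
        if path not in STORE:
            return self._send(404, {"errors": []})
        self._send(200, {"lease_id": "", "renewable": False, "lease_duration": 2592000,
                         "data": STORE[path], "wrap_info": None})

    def log_message(self, *args):  # keep the demo quiet
        pass


class VaultError(Exception):
    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {errors}")
        self.status = status
        self.errors = errors


def read_secret(base_url, token, path):
    """GET /v1/<path> with X-Vault-Token; raise VaultError carrying the API's errors list."""
    req = urllib.request.Request(f"{base_url}/v1/{path}", headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        try:
            errors = json.loads(e.read()).get("errors", [])
        except ValueError:
            errors = []
        raise VaultError(e.code, errors) from None


def start_server():
    server = HTTPServer(("127.0.0.1", 0), FakeVault)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Read a secret, then observe the sealed (503) and bad-token (403) responses."""
    server, url = start_server()
    try:
        body = read_secret(url, ROOT_TOKEN, "secret/devone")
        STATE["sealed"] = True
        try:
            read_secret(url, ROOT_TOKEN, "secret/devone")
            sealed_error = None
        except VaultError as e:
            sealed_error = (e.status, e.errors)
        STATE["sealed"] = False
        try:
            read_secret(url, "wrong-token", "secret/devone")
            denied = None
        except VaultError as e:
            denied = e.status
        return {"value": body["data"]["value"], "lease_duration": body["lease_duration"],
                "sealed_error": sealed_error, "denied": denied}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

A client should treat 503 as "retry later, the operator has to unseal" and 403 as a credential problem; conflating the two hides a seal event behind what looks like a configuration error.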

Slide 17

How is this any better? What if someone’s got your token?

Slide 18

Use APP ID Auth maybe?

    $ vault auth-enable app-id
    Successfully enabled 'app-id' at 'app-id'!
    $ vault write auth/app-id/map/app-id/devone value=admin
    $ vault write auth/app-id/map/user-id/awesome value=devone cidr_block=10.0.0.0/16

Slide 19

Spring Cloud In General

•  Service Discovery
•  Circuit Breakers
•  Routing & Messaging
•  CI Pipelines
•  Tracing
•  API Gateway
•  Configuration

Slide 20

Spring Cloud – Configuration (Config Server)

Slide 21

Spring Cloud – Service Discovery (Service Registry, Consumer, Producer, Connect)

Slide 22

Spring Cloud...

•  Circuit Breakers with Netflix Hystrix.
•  Messaging using RabbitMQ or Apache Kafka.
•  Tracing with Spring Cloud Sleuth & Zipkin.
•  Spring Cloud Bus
•  Spring Cloud Stream (pre. Dataflow)
•  Spring Cloud Task
•  Spring Cloud AWS
•  … and many more!

Slide 23

Spring Cloud Vault (Token / Auth)

Slide 24

Project Setup – Dependencies & Properties

    groupId:    org.springframework.cloud
    artifactId: spring-cloud-starter-vault-config

    src/main/resources/bootstrap.properties
    spring.application.name=spring-devone-app
    spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820...

Slide 25

Resolved environment properties

    $ curl :8080/env | jq
    {
      "vault:secret/spring-devone-app": { "secret-key": "******" },
      "vault:secret/application": { "message": "Hello #devone!" },
      …
    }

Slide 26

Spring Profile support built in

    $ mvn -Dspring.profiles.active=test,dev …
    $ curl :8080/env | jq
    {
      "profiles": ["test", "dev"],
      "vault:secret/spring-devone-app/dev": { "local": "******" },
      "vault:secret/spring-devone-app/test": { "secret-key": "******" },
      "vault:secret/spring-devone-app": { "secret-key": "******" },
      "vault:secret/application": { "message": "Hello #devone!" },
      …
    }

Slide 27

Secret Backends

Slide 28

Different Backends

1. Configure
2. Setup
3. Auth
4. Credentials
5. Auth

Slide 29

Vault with different Backends

    $ vault mount mysql
    $ vault write mysql/config/connection connection_url=spring:vault@tcp(localhost:3306)
    $ vault read mysql/creds/readonly
    Lease_id        mysql/creds/eb5229d6-9858
    Lease_duration  2592000
    Password:       a9cbc3e47e4635ff2e8239b
    Username:       token-eb5229d6-9858
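What the `mysql/creds/readonly` read on the slide returns is a dynamic secret: a freshly created database account bound to a lease (`Lease_id`, `Lease_duration`). The consumer must renew before the lease runs out, and the account disappears again when the lease expires, is revoked, or the token that requested it is revoked (the "Leasing and renewal" and "Revocation" features listed earlier). The following example is added here and is not Vault's code or API: it models that lifecycle in memory, with an in-memory `db_users` set standing in for the database accounts and the TTL values, class and method names chosen for illustration.

```python
"""Lease lifecycle for dynamic secrets: issue, renew (capped by max TTL), revoke, expire.

Added example modelling the bookkeeping a secret backend does around the
credentials it hands out. Names, TTLs and the `db_users` stand-in are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    token: str            # client token that requested the credential
    first_issued: float   # time of the original read (max TTL is measured from here)
    issued_at: float      # time of the last issue or renewal
    lease_duration: int   # seconds remaining as of issued_at, like Vault's lease_duration
    renewable: bool = True
    revoked: bool = False

    def expires_at(self):
        return self.issued_at + self.lease_duration

    def valid(self, now):
        return not self.revoked and now < self.expires_at()


class DynamicSecretBackend:
    def __init__(self, mount="mysql", default_ttl=3600, max_ttl=86400):
        self.mount = mount
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.leases = {}
        self.db_users = set()  # stand-in for the accounts created in the database

    def creds(self, role, token, now):
        """Like `vault read mysql/creds/<role>`: create an account and lease it to `token`."""
        username = f"token-{role}-{secrets.token_hex(4)}"
        lease = Lease(
            lease_id=f"{self.mount}/creds/{role}/{secrets.token_hex(8)}",
            username=username,
            password=secrets.token_urlsafe(24),
            token=token,
            first_issued=now,
            issued_at=now,
            lease_duration=self.default_ttl,
        )
        self.leases[lease.lease_id] = lease
        self.db_users.add(username)
        return lease

    def renew(self, lease_id, now, increment=None):
        """Extend a live lease; the total lifetime never exceeds max_ttl from first issue."""
        lease = self.leases.get(lease_id)
        if lease is None or not lease.valid(now):
            raise LookupError("lease not found or already expired/revoked")
        if not lease.renewable:
            raise PermissionError("lease is not renewable")
        wanted = now + (increment or self.default_ttl)
        hard_stop = lease.first_issued + self.max_ttl
        lease.issued_at = now
        lease.lease_duration = int(min(wanted, hard_stop) - now)
        return lease.lease_duration

    def revoke(self, lease_id):
        """Revoking the lease deletes the account, so a leaked credential stops working."""
        lease = self.leases[lease_id]
        lease.revoked = True
        self.db_users.discard(lease.username)

    def revoke_by_token(self, token):
        """Revoking a token cascades to every credential it obtained."""
        hit = [lid for lid, l in self.leases.items() if l.token == token and not l.revoked]
        for lid in hit:
            self.revoke(lid)
        return hit

    def expire(self, now):
        """Background sweep: leases past their expiry are revoked like any other."""
        hit = [lid for lid, l in self.leases.items() if not l.revoked and now >= l.expires_at()]
        for lid in hit:
            self.revoke(lid)
        return hit
```

The point for an application is the renewal loop: Spring Cloud Vault renews leases for you, but a client written against the raw API must schedule a renew before `lease_duration` elapses and must handle the renewal being refused once the maximum TTL is reached, at which point it has to read new credentials and reconnect.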

Slide 30

Spring Cloud Vault with different Backends

    src/main/resources/bootstrap.properties
    spring.application.name=spring-devone-app
    spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820...
    spring.cloud.vault.mysql.enabled=true
    spring.cloud.vault.mysql.role=readonly
    spring.datasource.url=jdbc:mysql://localhost:3306

Slide 31

Check out the latest releases!

•  Spring Framework 5 RC1
•  Spring Boot 2 M1