Slide 1

A Developer’s Guide to Secrets Management
WWCode Connect Forward, December 2020
Copyright © 2020 HashiCorp

Slide 2

Secrets: passwords, API tokens, TLS certificates and their private keys, or any other sensitive information your application needs in order to access something else. @joatmon08

Slide 3

Secrets management: the system that stores secrets, controls who can read them, and manages their lifetime (expiry, revocation, rotation).

Slide 4

Rosemary Wang (She/Her), Developer Advocate at HashiCorp
joatmon08.github.io | Twitter: @joatmon08 | GitHub: joatmon08 | linkedin.com/in/rosemarywang

Slide 5

HashiCorp Vault: open source secrets manager.

Slide 6

What a secrets manager does for you:
▪ Storage: the application retrieves a secret with a GET request to Vault’s HTTP API.
▪ Revocation: secrets carry a lease and expire when it runs out, or can be revoked early.
▪ Rotation: the sensitive value itself is changed (new password, new key) so the old value stops working.

Slide 7

Terms You Need to Know
Your administrator likely configured these for you.
Auth methods: how your application proves its identity to Vault and receives a token.
▪ AppRole
▪ GitHub
▪ JWT/OIDC
Secrets engines: where secrets are stored or generated, rotated, and read from.
▪ Key-value store (static secrets you wrote yourself)
▪ Database usernames and passwords (generated on request, with a lease)
▪ API tokens

Slide 8

Patterns for Secrets Injection

Slide 9

Pattern 1: Write a Client
Flow: authenticate to secrets manager → get secrets → secrets injection → run application. The application code itself performs every step.

Slide 10

Summary
Benefits
▪ Good for static secrets
▪ Can be unit tested (mock the secrets manager client)
▪ Secrets live only in process memory and are never written to disk
Problems
▪ Picking up new or rotated secrets needs an application reload, or a separate thread that re-reads and renews them
▪ The application must handle the secrets manager being unreachable (startup ordering, retries and failure handling are your code)
▪ Doesn’t scale for dynamic secrets: every lease has to be tracked, renewed and replaced by the application
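The client pattern above, as an added example that is not part of the deck or the linked .NET tutorial: a small Python client that logs in with AppRole, reads a static secret from a KV v2 engine, reads a dynamic database credential with its lease, and renews that lease from a background thread (the "separate thread" the summary mentions). The Vault address, the mount names `approle`, `secret` and `database`, the role `app`, the secret path `myapp/config` and the environment variable names are assumptions.

```python
"""Pattern 1 client for HashiCorp Vault (added example; mount names, paths and
role names are assumptions, not taken from the deck or tutorial)."""
import json
import os
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# A transport takes (method, url, json_body_or_None, headers) and returns the
# decoded JSON response. It is pluggable so the client is unit-testable
# without a running Vault, which is the "can be unit tested" benefit.
Transport = Callable[[str, str, Optional[dict], dict], dict]


class VaultError(RuntimeError):
    """Vault was unreachable or returned an error status."""


def urllib_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
    except urllib.error.URLError as exc:   # connection refused, TLS failure, HTTP 4xx/5xx
        raise VaultError(f"{method} {url} failed: {exc}") from exc
    return json.loads(raw) if raw else {}


@dataclass
class Lease:
    lease_id: str
    lease_duration: int   # seconds until Vault revokes the secret
    renewable: bool
    data: dict            # the secret itself, e.g. {"username": ..., "password": ...}

    def renew_after(self) -> int:
        """Renew at two thirds of the TTL, leaving time for one retry if Vault is down."""
        return max(1, (self.lease_duration * 2) // 3)


class VaultClient:
    def __init__(self, addr: str, transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None   # held only in process memory

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        return self.transport(method, f"{self.addr}/v1/{path}", body, headers)

    def login_approle(self, role_id: str, secret_id: str, mount: str = "approle") -> str:
        """POST auth/<mount>/login; the returned client token authorises later reads."""
        resp = self._request("POST", f"auth/{mount}/login",
                             {"role_id": role_id, "secret_id": secret_id})
        self.token = resp["auth"]["client_token"]
        return self.token

    def read_kv(self, path: str, mount: str = "secret") -> dict:
        """Static secret from KV v2: GET <mount>/data/<path>; the payload sits under data.data."""
        return self._request("GET", f"{mount}/data/{path}")["data"]["data"]

    def read_dynamic(self, path: str) -> Lease:
        """Dynamic secret, e.g. GET database/creds/<role>; Vault generates it and attaches a lease."""
        resp = self._request("GET", path)
        return Lease(resp["lease_id"], resp["lease_duration"], resp["renewable"], resp["data"])

    def renew(self, lease: Lease) -> Lease:
        """PUT sys/leases/renew extends the lease; the secret's data does not change."""
        resp = self._request("PUT", "sys/leases/renew", {"lease_id": lease.lease_id})
        return Lease(resp["lease_id"], resp["lease_duration"], resp["renewable"], lease.data)


class LeaseRenewer:
    """The separate thread a pattern 1 client needs: keeps a dynamic secret's lease
    alive and calls on_lost() when it cannot, so the application fetches a fresh one."""
    def __init__(self, client: VaultClient, lease: Lease, on_lost: Callable[[], None]):
        self.client, self.lease, self.on_lost = client, lease, on_lost

    def start(self) -> None:
        timer = threading.Timer(self.lease.renew_after(), self._tick)
        timer.daemon = True
        timer.start()

    def _tick(self) -> None:
        try:
            self.lease = self.client.renew(self.lease)
        except VaultError:
            self.on_lost()          # Vault unreachable or lease already revoked
            return
        if self.lease.renewable:
            self.start()


if __name__ == "__main__":
    # Assumed environment: VAULT_ADDR plus the AppRole role_id/secret_id that the
    # platform injected (delivering that first secret is itself an injection problem).
    client = VaultClient(os.environ["VAULT_ADDR"])
    client.login_approle(os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    config = client.read_kv("myapp/config")              # static, e.g. an API key
    creds = client.read_dynamic("database/creds/app")    # dynamic, leased
    LeaseRenewer(client, creds, on_lost=lambda: print("lease lost; re-read creds")).start()
    print("loaded", sorted(config), "and db user", creds.data["username"])
```

Everything the summary lists as a problem is visible here as code you own: the renewal timer, the `VaultError` path when Vault is unreachable, and the fact that a rotated KV value is only seen if something calls `read_kv` again.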

Slide 11

Pattern 2: Read Secrets Asynchronously in a Separate Process (Vault Agent)
Flow: Vault Agent authenticates to the secrets manager and gets the secrets → it writes a file of secrets → secrets injection from that file → run application. The application never talks to Vault.

Slide 12

Summary
Benefits
▪ Separation of concerns: authentication and lease handling live in the agent
▪ Handles changing secrets: the agent re-renders the file when a secret rotates or a lease nears expiry
▪ No additional application code
▪ The file caches secrets, so the application can start even if Vault is briefly unavailable
Problems
▪ Requires a separate process
▪ The application must reload if the file changes
▪ Secrets are written to a file on disk: anyone who can read the file has the secret, so restrict its permissions to the application’s user and prefer a memory-backed (tmpfs) location

Slide 13

What if your application doesn’t have reload capability?

Slide 14

Pattern 3: Read Secrets & Reload the Application (Vault Agent + Consul Template)
Flow: Vault Agent authenticates to the secrets manager → Consul Template gets the secrets and writes the file of secrets → secrets injection → run the application, and restart or signal it whenever the file is re-rendered.
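The configuration below is an added example covering both pattern 2 and pattern 3; it is not from the deck or the linked tutorial. It is a Vault Agent configuration: auto-auth with AppRole, one template that renders a static KV secret and a leased database credential into a file readable only by the application’s user, and a `command` that signals the application to reload whenever the file is re-rendered. Leave out `command` and you have pattern 2; keep it and you have pattern 3 without writing reload code in the application. The Vault address, file paths, the mount names `approle`, `secret` and `database`, the role `app`, the secret path `myapp/config` and the process name `myapp` are assumptions.

```hcl
# Vault Agent configuration (added example; addresses, paths and names are assumptions).
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # The agent, not the application, authenticates to Vault.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Consume the secret_id once so a stale copy is not left on disk.
      remove_secret_id_file_after_reading = true
    }
  }

  # Token sink: only needed if another process on the host wants to reuse the
  # agent's token. The template below does not need it, so the token stays in the agent.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

template {
  # Re-rendered when the KV secret changes or the database lease nears expiry;
  # the agent renews and replaces the lease itself (what pattern 1 had to code by hand).
  contents = <<EOT
{{ with secret "secret/data/myapp/config" -}}
API_KEY={{ .Data.data.api_key }}
{{- end }}
{{ with secret "database/creds/app" }}
DB_USERNAME={{ .Data.username }}
DB_PASSWORD={{ .Data.password }}
{{- end }}
EOT
  destination = "/run/secrets/myapp.env"
  perms       = "0400"   # only the application's user may read the rendered file

  # Pattern 3: signal the application after each render. Remove for plain pattern 2.
  command = "pkill -HUP -f myapp"
}
```

Run it with `vault agent -config=agent.hcl` beside the application. Note the difference between the two secret kinds in the template: the KV v2 value sits under `.Data.data`, while the database credential sits directly under `.Data` and carries a lease. If the application cannot handle SIGHUP at all, Consul Template’s `exec` stanza can instead run the application as a child process and restart it on each render, which is the Consul Template role in the pattern 3 diagram.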

Slide 15

Prerequisites (learn.hashicorp.com/tutorials/vault/dotnet-vault-agent)
▪ .NET SDK 5.0
▪ Docker
▪ Docker Compose

Slide 16

References
▪ Official tutorials:
  – learn.hashicorp.com/tutorials/vault/dotnet-httpclient
  – learn.hashicorp.com/tutorials/vault/dotnet-vault-agent
▪ vaultproject.io/docs/secrets/kv
▪ vaultproject.io/docs/secrets/databases
▪ github.com/hashicorp/vault-guides/pull/308