Vault: Unified Operational Access

Ringo
April 12, 2017

Overview of the possibilities of Vault for a unified operational access layer

Presentation given at the 1st Belgium HashiCorp User Group

Transcript

  1. Vault
     Ringo De Smet - Skyscrapers, 12 April 2017, 1st Belgian HashiCorp User Group Meetup
  2. What is Vault?
     Vault is a tool for securely accessing secrets:
     • Passwords
     • API keys
     • Certificates
     • ...
  3. Which problems does it solve?
     • Keeping secrets out of source control
     • Unified management of secrets for the multitude of systems
       ◦ AWS
       ◦ Database server
       ◦ ...
     • Short-lived credentials
     • Full audit trail of any secret access
     • Revocation
       ◦ Per credential
       ◦ Per user
       ◦ Per system
  4. What does it offer?
     HTTP API in front of three kinds of backends: Secret Backend, Auth Backend, Audit Backend.
     • Auth: User/Pass • TLS certs • Okta • RADIUS • GitHub • AWS EC2 • MFA • ...
     • Secret: AWS • MySQL / PostgreSQL • Consul • MongoDB • PKI (Certificates) • RabbitMQ • SSH • ...
     • Audit: File • Syslog • Socket
  5. What does it offer?
     HTTP API, Secret Backend, Auth Backend, Audit Backend, plus ACLs.
     • ACL: define which auth identity (user or service) may access which secret(s) by way of profiles
  6. DEMO
     • Getting short-lived (aka dynamic) credentials from AWS
     • Getting short-lived credentials from PostgreSQL
  7. Actual setup
     HTTP API • Secret: AWS • Auth: GitHub Org • Audit Backend
     Give Vault just enough rights to create access secrets:
     • Create an IAM user manually
     • Assign it a role only allowing it to create IAM users or STS tokens
     • Configure Vault with a keypair of that user
     Vault CLI:
     • Give Vault a GitHub API token
     • Set the GitHub org that has access
     • Map GitHub org teams to profiles
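The slide-7 setup as a script, added here as an example and not part of the talk. It uses the current Vault CLI verbs (`vault secrets enable`, `vault auth enable`) rather than the 2017-era ones, and assumes a reachable Vault via VAULT_ADDR/VAULT_TOKEN, the variables VAULT_AWS_ACCESS_KEY, VAULT_AWS_SECRET_KEY and GITHUB_ORG, a placeholder AWS account id, and role/team name `deploy`; the IAM action list is my minimal set for inline-policy `iam_user` roles plus federation tokens, not a list from the slides.

```shell
#!/usr/bin/env sh
# Added example (not from the talk): the slide-7 setup as a script.
# Uses current Vault CLI verbs (vault secrets enable / vault auth enable);
# assumes VAULT_ADDR/VAULT_TOKEN point at a running Vault, and that
# VAULT_AWS_ACCESS_KEY, VAULT_AWS_SECRET_KEY and GITHUB_ORG are set.
# Role name "deploy", team "deploy" and the account id are placeholders.
set -eu

# IAM policy for the manually created user whose keypair Vault holds:
# it may only manage the IAM users Vault itself creates (prefixed "vault-")
# and mint STS federation tokens. No other AWS rights (assumed minimal set).
vault_root_iam_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:GetUser",
                 "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
                 "iam:PutUserPolicy", "iam:DeleteUserPolicy", "iam:ListUserPolicies"],
      "Resource": "arn:aws:iam::123456789012:user/vault-*" },
    { "Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*" }
  ] }
EOF
}

# Vault ACL profile mapped to a GitHub team: read dynamic AWS creds, nothing else.
deploy_team_policy() {
  cat <<'EOF'
path "aws/creds/deploy" { capabilities = ["read"] }
EOF
}

configure_vault() {
  vault secrets enable aws                                   # Secret backend: AWS
  vault write aws/config/root access_key="$VAULT_AWS_ACCESS_KEY" \
    secret_key="$VAULT_AWS_SECRET_KEY" region=eu-west-1
  vault write aws/config/lease lease=1h lease_max=24h        # short-lived by default
  # Policy attached to the IAM users Vault generates for this role (assumed file).
  vault write aws/roles/deploy credential_type=iam_user policy_document=@deploy-iam-policy.json
  vault auth enable github                                   # Auth backend: GitHub org
  vault write auth/github/config organization="$GITHUB_ORG"
  deploy_team_policy | vault policy write deploy-team -      # the profile
  vault write auth/github/map/teams/deploy value=deploy-team # team -> profile
  vault audit enable file file_path=/var/log/vault_audit.log # Audit backend: file
}

# Run with "apply" to configure Vault; otherwise print the IAM policy for review.
if [ "${1:-}" = "apply" ]; then configure_vault; else vault_root_iam_policy; fi
```

Without the `apply` argument the script only emits the IAM policy, so it can be reviewed before the manually created IAM user gets it.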
  8. But...
     If a service needs to log in to Vault to get access to a secret, where do I store the Vault credentials?
  9. The solution: the proper Auth backend
     Remember AWS EC2 instance profiles? Vault has a similar Auth backend: AWS-EC2
     • Instance identity document: PKCS#7 document signed by AWS
     • Public keys published by AWS per region
     • Vault checks the signature and the current running status of the EC2 instance
     • Using tags as roles for authorization purposes