Secret Management with Hashicorp's Vault
Daniel Bornkessel
Focus of this talk
• what is secret management
• why do you need it
• what is Vault and how can it help you with secret management
• some Vault internals
Source / Max Mustermann
Goal of this talk
• think about best practices with secrets that your company could improve on
• go and play with Vault
Why focus on Vault
• unmatched (afaik) feature set
• not vendor or framework specific
• open source (mostly … some closed sourced enterprise features)
Other solutions*
• Keywhiz from Square: not as many features, no dynamic secrets, HSM in open source version
• Cloud Foundry CredHub: tailored and specific to Cloud Foundry
• AWS Secrets Manager: AWS specific, promising, dynamic'esque secrets for certain AWS services, automatic rotation (for supported services + extendable via Lambda functions)
• self made: a lot of complexity and work
* I have not personally used those solutions
Secret Management
Secrets
• sensitive data != secrets
• tokens
• passwords
• certificates
• API keys
• etc.
… but: secrets == sensitive data
Secret Management
• part of your security concept
• one focus: on internal threats like
  • rogue employees
  • unauthorized access to secrets
  • long living secrets
• audit log: who requested credentials for which system at what point of time
• high automation for changing / revoking / rolling secrets
• high entropy passwords
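The audit-log requirement above (who requested credentials for which system at what point of time) is answered from Vault's audit device output. The following is an added example, not material from the talk: it assumes the JSON-lines shape written by Vault's file audit device (`time`, `type`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`), and the log lines are constructed for the demo using the mount paths from the talk's own path tree.

```python
import json
from collections import Counter

# Constructed sample in the JSON-lines shape of Vault's file audit device. Vault HMACs
# secret values before logging, so the lines carry no credentials, only who/what/when.
SAMPLE_AUDIT_LOG = """\
{"time":"2018-05-03T09:12:01Z","type":"request","auth":{"display_name":"ldap-erika","policies":["default","clients-ro"]},"request":{"operation":"read","path":"db/creds/clients-ro","remote_address":"10.0.1.12"}}
{"time":"2018-05-03T09:12:01Z","type":"response","auth":{"display_name":"ldap-erika","policies":["default","clients-ro"]},"request":{"operation":"read","path":"db/creds/clients-ro","remote_address":"10.0.1.12"},"response":{"secret":{"lease_id":"db/creds/clients-ro/abc123"}}}
{"time":"2018-05-03T09:15:44Z","type":"request","auth":{"display_name":"kubernetes-app1","policies":["default","app1"]},"request":{"operation":"read","path":"secret/team/app1/api-keys/paypal","remote_address":"10.0.2.7"}}
{"time":"2018-05-03T09:18:30Z","type":"request","auth":{"display_name":"kubernetes-app1","policies":["default","app1"]},"request":{"operation":"update","path":"pki/issue/example-com","remote_address":"10.0.2.7"}}
{"time":"2018-05-03T09:20:10Z","type":"request","auth":{"display_name":"ldap-erna","policies":["default","admin"]},"request":{"operation":"read","path":"aws/creds/admin","remote_address":"10.0.1.30"}}
{"time":"2018-05-03T09:21:03Z","type":"request","auth":{"display_name":"ldap-erna","policies":["default","admin"]},"request":{"operation":"read","path":"aws/creds/admin","remote_address":"10.0.1.30"}}
{"time":"2018-05-03T09:25:00Z","type":"request","auth":{"display_name":"ldap-erna","policies":["default","admin"]},"request":{"operation":"list","path":"secret/team/","remote_address":"10.0.1.30"}}
"""

# Mount paths from the talk's tree that hand out credentials, with the operation that does so
# (issuing a certificate is a write, everything else is a read).
CREDENTIAL_PATHS = {
    "aws/creds/": "read", "db/creds/": "read", "database/creds/": "read",
    "ssh/creds/": "read", "secret/": "read", "pki/issue/": "update",
}


def parse_audit_lines(text):
    """One dict per non-empty line; a malformed line aborts the report rather than being skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def credential_requests(entries):
    """(time, identity, path, remote_address) for every request that obtained a credential."""
    found = []
    for e in entries:
        if e.get("type") != "request":
            continue  # the matching response entry would count the same access twice
        req = e.get("request", {})
        path, op = req.get("path", ""), req.get("operation")
        if not any(path.startswith(p) and op == want for p, want in CREDENTIAL_PATHS.items()):
            continue
        who = e.get("auth", {}).get("display_name", "<unauthenticated>")
        found.append((e["time"], who, path, req.get("remote_address", "")))
    return found


def requests_per_identity(entries):
    """How often each identity pulled each credential path: the 'who has what' answer."""
    return dict(Counter((who, path) for _, who, path, _ in credential_requests(entries)))


def report(text):
    """Human-readable list, one line per credential hand-out."""
    rows = credential_requests(parse_audit_lines(text))
    return "\n".join(f"{t}  {who:<16} {path:<36} from {addr}" for t, who, path, addr in rows)
```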
todo: extreme example
Secret Management: current situation
• best practices are widely known
• is usually seen as (very) important
• implementation is hard
• solutions are rare
• apps and frameworks not ready for modern secret management
• high automation still an exception (as opposed to external threat mitigation measures)
• often neglected in favour of business critical features
Question
Who here has production credentials on their laptop at this very moment (e.g. AWS credentials file, DB credentials, passwordless ssh private keys to access machines or git repos, API-keys, etc.)?
Who thinks this is a good idea?
Why am I talking about secret management
About me
Daniel Bornkessel / @kesselborn
• Senior Consultant at INNOQ (part time)
• Focus on DevOps & Continuous Delivery

INNOQ
• Consulting, reviews and development
• https://www.innoq.com/de/culture/working-at-innoq/
Typical project
• Monolith -> Micro Services / Self Contained Systems
• Language: set (mostly Java)
• Framework: set (often Spring Boot)
• Data center: set (mostly AWS or on premise)
• Container Management: set (mostly Kubernetes)
• CI: set (whatever they used before … mostly Jenkins; or even better: use Concourse CI; please for god's sake: use Gitlab CI)
• Logging / Monitoring: set (ELK & prometheus)
• Secret Management: sure … eh … wat?
Typical project: Secret Management
• we pass secrets in via env vars
• we read the values from Kubernetes secrets
• we have role based access control all figured out
• changing and updating passwords is a manual process for now
• yeah: audit log is something we are looking into
• no, we can not confidently say who has the password for DB xy
• no, we do not change all passwords if an employee leaves the company
• revoking credentials is not something we currently support
Introducing Vault
Vault — executive summary
“A Tool for Managing Secrets”
• not comparable to password managers like 1Password, LastPass, etc.
• Vault is designed for the system side of things — password managers "just" encrypt your static secrets and provide a nice way to use them
• secures, stores and tightly controls
  • tokens
  • passwords
  • certificates
  • API keys
  • and other secrets
• handles
  • leasing
  • key revocation
  • key rolling
  • auditing
• provides an API for all operations
• is not meant as a service or token provider which gets embedded in your request / response cycle
Vault — overview
• auth-n + auth-z: Tokens, LDAP, AWS, Kubernetes, Google Cloud, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates
• secrets: AWS, Consul, Cubbyhole, Databases, Identity, Nomad, PKI (Certificates), RabbitMQ, SSH, TOTP, Transit

Example path tree of a Vault instance (used throughout the following slides):

```
Vault
├── aws
│   └── creds
│       ├── admin
│       └── developer
├── database
│   └── creds
│       ├── clients
│       └── contracts
├── pki
│   └── issue
│       └── example-com
├── secret
│   └── team
│       ├── app1
│       │   └── api-keys
│       │       ├── google-analytics
│       │       └── paypal
│       └── app2
│           └── foo
├── ssh
│   └── creds
│       ├── erika
│       └── erna
└── transit
    ├── decrypt
    │   └── team-1-key
    └── encrypt
        └── team-1-key
```
Vault auth backends
• Tokens
• LDAP
• AWS
• Kubernetes
• Google Cloud
• Username & Password
• AppRole
• GitHub
• MFA
• Okta
• RADIUS
• TLS Certificates
Vault secret backends
• AWS
• Consul
• Cubbyhole
• Databases
• Identity
• Static secrets (Key / Value)
• Nomad
• PKI (Certificates)
• RabbitMQ
• SSH
• TOTP
• Transit
Vault — secret backends
Vault secret backends — static secrets
Flow (a static secret is written once by an operator and read back by app1):

```shell
# 1: store the static secret under its kv path
#    (the slide shows only path and value; the key name "value" is assumed here,
#    since vault write takes key=value pairs)
vault write secret/app1/api-key value=1234-foo-bar

# 2: app1 reads it back
vault read secret/app1/api-key

# 3: Vault returns 1234-foo-bar
```
Vault secret backends — dynamic secrets
Vault secret backends — dynamic secrets: What they are
• on-the-fly created credentials (hence dynamic) for each instance of an app / user who wants a secret
• usually short to medium long ttl
• fully audited
Vault secret backends — dynamic secrets: How they work (in a Nutshell)
1. provide Vault credentials for a user that has rights to create users or tokens in a remote system (e.g. db)
2. configure Vault with settings on how to create credentials
3. configure Vault with settings on how to invalidate credentials in the remote system
Vault secret backends — Databases
• Idea: get access to databases
• Vault gets configured with credentials for a database user that has necessary permissions on the database
• Vault gets a policy that maps users and roles to users with configured permissions in the database
• when user requests credentials, Vault creates a new database user on the fly
• when configured (usually the case), all created users have a ttl assigned — when the ttl is reached, Vault deletes the user from the database
Step 0, the db admin config: mount the database engine and tell Vault how to reach the database and how to create users for the `clients-ro` role.

```shell
vault secrets enable -path=db database

vault write db/config/clients \
  plugin_name=mysql-database-plugin \
  connection_url="admin:pw@tcp(db.example.com)/" \
  allowed_roles="clients-ro,clients-rw"

# the engine is mounted at db/, so the role lives under db/roles/
# (the slide wrote database/roles/, which would address a different mount)
vault write db/roles/clients-ro \
  db_name=clients \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
    GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
  default_ttl="1h" \
  max_ttl="240h"
```
Flow:
0. db admin config (above) is stored in Vault
1. App → Vault: read db/creds/clients-ro (a configured role)
2. Vault → DB: create user …
3. DB → Vault: OK
4. Vault → App: db login / db password
5. Vault → DB, once the ttl is reached: delete user …
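The three "how they work" steps and the database flow above describe Vault's side; what an app has to do is request the credential (step 1), renew the lease before it runs out, re-request once max_ttl is reached, and revoke on shutdown instead of waiting for step 5. The following is an added example, not code from the talk or from HashiCorp: it speaks to Vault's HTTP API through an injectable `transport` so it runs offline, and `FakeVault` is a constructed stand-in that mimics the response shape of `GET db/creds/<role>` and `PUT sys/leases/renew` / `sys/leases/revoke`, with the 1h default_ttl and 240h max_ttl from the role definition above.

```python
import json
import urllib.error
import urllib.request

class VaultError(Exception):
    pass

class DynamicCredential:
    def __init__(self, mount, role, resp, issued_at):
        self.mount, self.role, self.issued_at = mount, role, issued_at
        self.lease_id = resp["lease_id"]
        self.renewable = bool(resp["renewable"])
        self.lease_duration = int(resp["lease_duration"])
        self.username = resp["data"]["username"]
        self.password = resp["data"]["password"]

    def renew_due_at(self):
        # renew at two thirds of the lease, so a failed attempt still leaves headroom
        return self.issued_at + self.lease_duration * 2 // 3

def http_transport(addr, token):
    """Real transport: Vault's HTTP API, client token in the X-Vault-Token header."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as e:
            raise VaultError(f"{method} {path}: HTTP {e.code}") from e
        return json.loads(raw) if raw else {}
    return send

class LeaseManager:
    def __init__(self, transport, clock):
        self.transport, self.clock = transport, clock

    def request(self, mount, role):
        # step 1: ask Vault for a user; Vault creates it in the DB (steps 2 and 3)
        resp = self.transport("GET", f"{mount}/creds/{role}")
        return DynamicCredential(mount, role, resp, self.clock())

    def keep_alive(self, cred):
        """Call from the app's housekeeping loop; returns the credential to use now."""
        now = self.clock()
        if now < cred.renew_due_at():
            return cred
        if cred.renewable:
            try:
                resp = self.transport("PUT", "sys/leases/renew", {"lease_id": cred.lease_id})
                cred.lease_duration, cred.issued_at = int(resp["lease_duration"]), now
                return cred
            except VaultError:
                pass  # lease expired or max_ttl reached: the DB user is gone, fetch a new one
        return self.request(cred.mount, cred.role)

    def release(self, cred):
        # on shutdown revoke explicitly instead of leaving the user around until its ttl (step 5)
        self.transport("PUT", "sys/leases/revoke", {"lease_id": cred.lease_id})

class FakeVault:
    """Constructed stand-in for Vault plus DB: creates, renews and deletes leased users."""
    DEFAULT_TTL, MAX_TTL = 3600, 240 * 3600  # the role's default_ttl="1h" / max_ttl="240h"

    def __init__(self, clock):
        self.clock, self.users, self._n = clock, {}, 0  # lease_id -> [user, lease_end, hard_end]

    def __call__(self, method, path, body=None):
        now = self.clock()
        self.users = {k: v for k, v in self.users.items() if v[1] > now}  # ttl reached: user deleted
        if method == "GET" and path.startswith("db/creds/"):
            self._n += 1
            lease_id, user = f"{path}/lease{self._n}", f"v-{path.split('/')[-1]}-{self._n}"
            self.users[lease_id] = [user, now + self.DEFAULT_TTL, now + self.MAX_TTL]
            return {"lease_id": lease_id, "renewable": True, "lease_duration": self.DEFAULT_TTL,
                    "data": {"username": user, "password": "<generated-by-vault>"}}
        entry = self.users.get(body["lease_id"]) if body else None
        if entry is None:
            raise VaultError("lease not found")
        if path == "sys/leases/renew":
            granted = min(self.DEFAULT_TTL, entry[2] - now)  # a renewal never reaches past max_ttl
            if granted <= 0:
                raise VaultError("lease cannot be renewed past max_ttl")
            entry[1] = now + granted
            return {"lease_id": body["lease_id"], "renewable": True, "lease_duration": granted}
        if path == "sys/leases/revoke":
            del self.users[body["lease_id"]]
            return {}
        raise VaultError(f"unsupported {method} {path}")

    def active_users(self):
        return sorted(v[0] for v in self.users.values())
```

Against a real server, pass `http_transport("https://vault.example.com:8200", token)` and `time.time` to `LeaseManager` instead of the fake.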
Available Plugins:
• Cassandra
• HanaDB
• MongoDB
• MSSQL
• MySQL/MariaDB
• PostgreSQL
• Oracle
Vault secret backends — Google Cloud
• define rolesets to generate oauth2 access tokens (preferred) or Service Accounts

Flow:
0. Vault is configured with a credentials.json (…or service account)
1. App → Vault: read gcp/token/dev (a configured roleset)
2. Vault → GCP Api: create token / service account
3. GCP Api → Vault: oauth2 token / service account key (with ttl)
4. Vault → App: oauth2 token / service account key
Vault secret backends — AWS
• Idea: get access to AWS resources
• Vault gets configured with an AWS user that has necessary permissions
• Vault gets a policy that maps users or roles to AWS roles
• when user requests credentials, Vault creates STS tokens, assume role tokens or dynamic IAM users
• when configured (usually the case), all created secrets have a ttl assigned

Flow:
0. Vault is configured with aws_access_key / aws_secret_key
1. App → Vault: read aws/creds/dev (a configured role)
2. Vault → AWS Api: create STS / IAM user
3. AWS Api → Vault: TTL'ed Token / credentials (with ttl)
4. Vault → App: TTL'ed Token / credentials
Vault secret backends — PKI
Vault secret backends — PKI
�X
• Idea: issue client certificates on the fly • Vault gets configured a CA Certificate and a private key • Vault gets a configuration about how certificates for this CA
should be issues (ttl, subject, etc.)
• when user requests credentials, Vault issues a certificate on the fly
• when configured (usually the case), all created certificates have a ttl assigned
Secret Management with Hashicorp's Vault
Quelle / Max Mustermann
Vault secret backends — PKI (diagram)

Vault
├── aws
│   └── creds
│       ├── admin
│       └── developer
├── database
│   └── creds
│       ├── clients
│       └── contracts
├── pki
│   └── issue
│       └── example-com
├── secret
│   └── team
│       ├── app1
│       │   └── api-keys
│       │       ├── google-analytics
│       │       └── paypal
│       └── app2
│           └── foo
├── ssh
│   └── creds
│       ├── erika
│       └── erna
└── transit
    ├── decrypt
    │   └── team-1-key
    └── encrypt
        └── team-1-key

0. add ca.cert & ca.key to the pki backend
1. App: write pki/issue/dev
2. Vault creates a client certificate according to the configured role
3. Vault returns a TTL'ed client certificate to the App
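The "configured role" in step 2 is what keeps `pki/issue/<role>` from becoming a free certificate printer. The following is an added illustration, not code from the talk or from Vault itself: a simplified model of three checks a pki role applies before a certificate is issued. The names `PkiRole` and `check_issue_request` are hypothetical; the role parameters (`allowed_domains`, `allow_subdomains`, `allow_bare_domains`, `ttl`, `max_ttl`) are real Vault role settings, but the real backend enforces more constraints than shown here.

```python
"""Simplified model of how a Vault pki role constrains `pki/issue/<role>` requests.

Added illustration, not Vault's code. Modelled checks: allowed_domains /
allow_subdomains / allow_bare_domains for the requested common name, capping
the requested ttl at the role's max_ttl, and refusing a certificate that would
outlive the CA. Names (PkiRole, check_issue_request) are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PkiRole:
    allowed_domains: List[str] = field(default_factory=list)
    allow_subdomains: bool = False
    allow_bare_domains: bool = False
    ttl: int = 3600          # default lifetime in seconds when the request gives none
    max_ttl: int = 86400     # hard upper bound in seconds


def common_name_allowed(role: PkiRole, cn: str) -> bool:
    """True if `cn` is a bare allowed domain (when permitted) or a subdomain of one."""
    cn = cn.lower().rstrip(".")
    for domain in (d.lower().rstrip(".") for d in role.allowed_domains):
        if cn == domain:
            return role.allow_bare_domains
        # the leading dot matters: "notexample.com" must not match "example.com"
        if role.allow_subdomains and cn.endswith("." + domain):
            return True
    return False


def check_issue_request(role: PkiRole, common_name: str, requested_ttl: Optional[int],
                        now: int, ca_not_after: int) -> Tuple[bool, Optional[int], str]:
    """Return (allowed, effective_ttl_seconds, reason) for an issue request made at `now`."""
    if not common_name_allowed(role, common_name):
        return False, None, f"common name {common_name!r} not allowed by role"
    ttl = role.ttl if requested_ttl is None else requested_ttl
    if ttl > role.max_ttl:
        ttl = role.max_ttl  # over-long requests are capped, not rejected
    if now + ttl > ca_not_after:
        return False, None, "requested ttl would outlive the CA certificate"
    return True, ttl, "ok"


if __name__ == "__main__":
    # constructed sample role and CA expiry (seconds since epoch, arbitrary)
    role = PkiRole(allowed_domains=["example.com"], allow_subdomains=True, ttl=3600, max_ttl=7200)
    print(check_issue_request(role, "app1.example.com", 99999, now=0, ca_not_after=10**6))
    print(check_issue_request(role, "app1.example.com.attacker.net", None, now=0, ca_not_after=10**6))
```

The point of the model: a role is a policy over what the CA will sign, so a compromised client holding `pki/issue/dev` can only obtain short-lived certificates for names inside the role's domain.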
Vault secret backends — SSH

One-Time SSH Passwords

• Idea: get ssh access to machines
• every host in the system has a small Vault-helper process running
• the user fetches a one-time password from Vault
• when authenticating via ssh, the Vault-helper checks whether the one-time password is valid and deletes it
Vault secret backends — SSH (diagram: one-time password, host 1.1.2.2)

1. user: vault write ssh/creds/dev ip=1.1.2.2
2. Vault returns username / otp
3. user: ssh to 1.1.2.2 with that username and otp
4. the Vault-helper on the host validates the otp against Vault
5. access granted
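The security of step 4 rests on three properties: the password works once, it is bound to the host it was issued for, and it expires. The following is an added illustration, not the talk's code and not Vault's ssh backend: an in-memory stand-in for the `ssh/creds` write and for the verify call the helper makes. The names `OtpVault`, `issue_otp` and `verify_otp` are hypothetical.

```python
"""Model of the one-time-password check a Vault SSH helper relies on.

Added illustration (not code from the talk or from HashiCorp): a minimal
in-memory stand-in for `vault write ssh/creds/<role> ip=<host>` and for the
helper's verify call. Names (OtpVault, issue_otp, verify_otp) are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OtpRecord:
    username: str
    ip: str
    expires_at: float


class OtpVault:
    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._otps: Dict[str, OtpRecord] = {}

    def issue_otp(self, username: str, ip: str, now: Optional[float] = None) -> str:
        """Steps 1/2: create a one-time password bound to (username, ip) with a ttl."""
        now = time.time() if now is None else now
        otp = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._otps[otp] = OtpRecord(username, ip, now + self.ttl)
        return otp

    def verify_otp(self, otp: str, username: str, ip: str, now: Optional[float] = None) -> bool:
        """Step 4: the helper presents what the ssh client sent; the OTP is deleted on first use.

        Design choice of this model: the record is removed on lookup, so a wrong host or
        user also burns the OTP instead of leaving it around for a second guess.
        """
        now = time.time() if now is None else now
        rec = self._otps.pop(otp, None)
        if rec is None:
            return False  # unknown or already consumed
        if now > rec.expires_at:
            return False  # expired
        # constant-time compares: don't leak which field mismatched via timing
        return secrets.compare_digest(rec.username, username) and secrets.compare_digest(rec.ip, ip)


if __name__ == "__main__":
    vault = OtpVault(ttl_seconds=60)
    otp = vault.issue_otp("erika", "1.1.2.2", now=1000.0)
    print("first use:", vault.verify_otp(otp, "erika", "1.1.2.2", now=1010.0))
    print("second use:", vault.verify_otp(otp, "erika", "1.1.2.2", now=1011.0))
```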
Signed SSH Certificates

• Idea: get ssh access to machines
• the user configures Vault-ssh with a CA, a private and a public key
• the public key gets distributed to all system hosts
• the user asks Vault to sign one of his public ssh keys with the provided CA and gets a new, signed public key as a response
• the user can use this new, signed key to log in to machines
Vault dynamic secret backends — Transit

• Idea: de- and encrypt data without handling private keys
• the user creates a new transit path in Vault
• users can encrypt data by writing the data to this transit path (e.g. transit/encrypt/my-keys/foo)
• users with sufficient permissions can decrypt data by writing to the respective transit path (e.g. transit/decrypt/my-keys/foo)
• the private key never leaves Vault
• the data is not stored on Vault (hence the name transit)
Vault secret backends — Transit (diagram)

1. App: vault write transit/encrypt/app/app1 foo
2. Vault returns the ciphertext
3. App: vault write transit/decrypt/app/app1 <ciphertext>
4. Vault returns the plaintext foo
Vault secret backends — overview

Auth backends:
• Tokens • LDAP • AWS • Kubernetes • Google Cloud • Username & Password • AppRole • GitHub • MFA • Okta • RADIUS • TLS Certificates

Secret backends:
• AWS • Consul • Cubbyhole • Databases • Identity • Static secrets (Key/Value) • Nomad • PKI (Certificates) • RabbitMQ • SSH • TOTP • Transit

Vault — auth backends
Vault auth backends — tokens

token auth

• created by Vault
• the only way to authorize (auth-z) against Vault
• returned when authenticated (auth-n) successfully
• comparable to a session-id on a website
• has permissions / policies assigned to it
$ vault token create -ttl=5m -policy=admin
Key              Value
---              -----
token            d9640590-63c8-b3a6-50ac-1403c8180948
token_accessor   5a362982-f34c-3706-143a-26ada278b6cf
token_duration   5m
token_renewable  true
token_policies   [admin default]
Vault auth backends — userpass

userpass auth

• statically created by users and stored in Vault

$ vault auth enable userpass
$ vault write auth/userpass/users/kesselborn \
    password=foo policies=admin
$ vault login -method=userpass username=kesselborn
Key              Value
---              -----
token            d9640590-63c8-b3a6-50ac-1403c8180948
...
token_duration   5m
token_policies   [admin default]
Vault auth backends — userpass (diagram)

• setup username / password
  1. vault write /auth/userpass/users/foo password=password123

• authenticate with a username & password
  1. client sends foo / password123 to Vault
  2. Vault returns a token with the mapped policies
Vault auth backends — TLS certificates (diagram)

• setup TLS certificate authentication
  1. vault write auth/cert/certs/web \ …

• authenticate with a TLS client certificate
  1. client presents its client certificate to Vault
  2. Vault returns a token with the mapped policies
Vault auth backends — external identity providers

Vault auth backends — LDAP / Radius / Okta auth (diagram)

• $SERVICE is used as an identity provider (using LDAP here)
  1. client sends username / password to Vault
  2. Vault checks username / password against LDAP
  3. LDAP answers: user: kesselborn, groups: admin, employee
  4. Vault maps the groups to policies
  5. Vault returns a token with those policies
LDAP auth

$ vault write auth/ldap/config \
    url="ldaps://ldap.example.com" \
    userattr="uid" \
    userdn="ou=People,dc=innoq,dc=com" \
    binddn="cn=vaultuser,dc=example,dc=com" \
    bindpass="3cK{hrh7hi/Hj" \
    groupdn="ou=Group,dc=example,dc=com" \
    starttls=true
$ vault write auth/ldap/groups/employee policies=employee
$ vault write auth/ldap/users/kesselborn policies=admin
Github auth (diagram)

• Github is used as an identity provider
  1. client sends its Github token to Vault
  2. Vault checks the token against Github
  3. Github answers: user: kesselborn, teams: kesselfaktur, innoq
  4. Vault maps the teams to policies and returns a token
Vault auth backends — Kubernetes auth (diagram)

  1. the container sends its K8s service account token (/var/run/secrets/kubernetes.io/serviceaccount/token) to Vault
  2. Vault authenticates the token against the K8s API
  3. the K8s API answers success / failure with service_account_name: app1, service_account_namespace: default
  4. Vault maps the service account to policies
  5. Vault returns a token with those policies

Variant with an init container: inside the Pod, the init container performs steps 1 to 4 and hands the resulting Vault token to the app container (step 5).
Vault auth backends — Kubernetes auth

$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    kubernetes_host="https://api.k8s.example.com" \
    kubernetes_ca_cert="@ca.crt"
$ vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h
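What the `bound_service_account_*` settings above buy you is easiest to see in code. The following is an added illustration, not code from the talk or from Vault: a model of the decision Vault makes after the Kubernetes API has reviewed the pod's token (steps 2 to 4 of the diagram). The TokenReview answers are constructed samples shaped like the authentication.k8s.io/v1 response; the names `K8sRole`, `service_account_from_review` and `decide_login` are hypothetical.

```python
"""Model of the login decision in Vault's kubernetes auth method.

Added illustration, not Vault's code. The constructed TokenReview dicts stand in
for the Kubernetes API's answer in steps 2/3; K8sRole mirrors the
`vault write auth/kubernetes/role/demo ...` settings. Names (K8sRole,
service_account_from_review, decide_login) are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample answers from the K8s TokenReview API (not captured from a cluster).
TOKEN_REVIEW_OK = {
    "kind": "TokenReview",
    "status": {
        "authenticated": True,
        "user": {"username": "system:serviceaccount:default:vault-auth",
                 "uid": "00000000-constructed-uid"},
    },
}
TOKEN_REVIEW_BAD = {
    "kind": "TokenReview",
    "status": {"authenticated": False, "error": "[invalid bearer token]"},
}


@dataclass
class K8sRole:
    bound_service_account_names: List[str]
    bound_service_account_namespaces: List[str]
    policies: List[str] = field(default_factory=lambda: ["default"])
    ttl: str = "1h"


def service_account_from_review(review: Dict) -> Optional[Tuple[str, str]]:
    """Return (namespace, name) for an authenticated service account, else None."""
    status = review.get("status", {})
    if not status.get("authenticated"):
        return None
    username = status.get("user", {}).get("username", "")
    parts = username.split(":")
    # service accounts are reported as system:serviceaccount:<namespace>:<name>
    if len(parts) != 4 or parts[0] != "system" or parts[1] != "serviceaccount":
        return None  # a human user or a malformed subject is never accepted
    return parts[2], parts[3]


def _bound(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def decide_login(role: K8sRole, review: Dict) -> Tuple[bool, List[str], str]:
    """Step 4: (allowed, policies, reason) for a login against `role`."""
    sa = service_account_from_review(review)
    if sa is None:
        return False, [], "token not accepted by the Kubernetes API"
    namespace, name = sa
    if not _bound(role.bound_service_account_namespaces, namespace):
        return False, [], f"namespace {namespace!r} not bound to role"
    if not _bound(role.bound_service_account_names, name):
        return False, [], f"service account {name!r} not bound to role"
    return True, list(role.policies), "ok"


if __name__ == "__main__":
    demo = K8sRole(["vault-auth"], ["default"], ["default"], "1h")
    print(decide_login(demo, TOKEN_REVIEW_OK))
    print(decide_login(demo, TOKEN_REVIEW_BAD))
```

Both binding lists are checked independently, so a token for `vault-auth` in another namespace (a common trick when someone can create pods elsewhere) is rejected even though the name matches; only an explicit `*` relaxes a binding.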
Vault auth backends — GCE auth (diagram)

  1. the GCE instance requests a signed JWT from the metadata server:
     curl -H "Metadata-Flavor: Google" 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]&format=[FORMAT]'
  2. the metadata server returns the signed JWT; its payload contains e.g.
     { "project_id": "…", "project_number": …, "zone": "…", "instance_id": …, "instance_name": "…", "instance_creation_timestamp": … }
  3. the instance sends the signed JWT to Vault
  4. Vault verifies the JWT signature using the kid value against Google's public certificates (OAuth2 API)
  5. Vault maps the instance to policies
  6. Vault returns a token with those policies
Vault auth backends — AWS auth

• Vault checks that the passed-in data was signed with an AWS private key (PKCS#7 signature)
• can be limited to instances which have a specific instance role applied
• can be limited (and usually is) to allow one authentication per EC2 instance only
• after authentication, roles and policies are mapped as usual

Vault auth backends — AWS auth (diagram: EC2 auth)

  1. the EC2 instance fetches its AWS Instance Identity Document (PKCS#7) from the EC2 metadata service:
     curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
  2. the metadata service returns the PKCS#7-signed document
  3. the instance sends the document to Vault
  4. Vault verifies the PKCS#7 signature against the AWS public keys
  5. Vault verifies the instance against the EC2 API
  6. the EC2 API answers with instance_id: i-a832f734, ami_id: ami-f083709d, …
  7. Vault maps the instance to policies
  8. (optionally) Vault sets the instance on a blacklist to avoid double authentication
  9. Vault returns a token with those policies
Vault auth backends — AWS auth

$ vault write auth/aws/role/dev-role \
    auth_type=ec2 \
    bound_ami_id=ami-fce3c696 \
    policies=prod,dev max_ttl=500h
$ vault write auth/aws/role/dev-role-iam \
    auth_type=iam \
    bound_iam_instance_profile_arn=… \
    policies=prod,dev max_ttl=500h
Vault auth backends — AWS auth

• alternatively: IAM auth method
• the client signs a GetCallerIdentity query using the AWS Signature v4 algorithm and submits 4 pieces of information to the Vault server to recreate a valid signed request
• https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method
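The four pieces are the HTTP method, the STS URL, the request body and the signed headers, each base64-encoded so that Vault can replay the exact request to STS and learn who signed it. The following is an added illustration, not code from the talk, from Vault or from the AWS SDK: a standard-library Signature Version 4 signer for `sts:GetCallerIdentity` that produces those four fields. The access key, secret and server id are constructed placeholders; the header `X-Vault-AWS-IAM-Server-ID` is the one the aws auth method checks when a role sets `iam_server_id_header_value`. The names `sigv4_sign`, `build_iam_login_payload` and `decode_iam_payload` are hypothetical.

```python
"""Build the four values Vault's AWS auth method expects for `auth_type=iam`.

Added illustration (not Vault's or the AWS SDK's code). The client signs an
sts:GetCallerIdentity POST with AWS Signature Version 4 and hands Vault the
method, URL, body and headers. Standard library only; credentials and server
id are constructed placeholders. Names (sigv4_sign, build_iam_login_payload,
decode_iam_payload) are hypothetical.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json
from typing import Dict, Optional

STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def sigv4_sign(method: str, path: str, body: str, headers: Dict[str, str],
               access_key: str, secret_key: str, region: str, service: str,
               amz_date: str) -> str:
    """Return the Authorization header value; `headers` must contain Host and X-Amz-Date."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical_request = "\n".join([method, path, "", canonical_headers, signed, payload_hash])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # key derivation chain: date -> region -> service -> "aws4_request"
    k_date = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


def build_iam_login_payload(access_key: str, secret_key: str, session_token: Optional[str] = None,
                            server_id: Optional[str] = None, region: str = "us-east-1",
                            amz_date: Optional[str] = None) -> Dict[str, str]:
    """Produce the 4 fields for `vault write auth/aws/login role=<role> iam_...`."""
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = {
        "Host": STS_HOST,
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "X-Amz-Date": amz_date,
    }
    if session_token:  # needed for temporary (STS) credentials
        headers["X-Amz-Security-Token"] = session_token
    if server_id:  # signed into the request, so it cannot be replayed at another Vault
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id
    headers["Authorization"] = sigv4_sign("POST", "/", STS_BODY, headers, access_key,
                                          secret_key, region, "sts", amz_date)
    # Vault accepts header values as a string or as a list of strings (Go http.Header shape)
    return {
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(f"https://{STS_HOST}/"),
        "iam_request_body": _b64(STS_BODY),
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_iam_payload(payload: Dict[str, str]) -> Dict[str, object]:
    """What Vault sees after decoding the four fields (handy when debugging a failed login)."""
    return {
        "method": payload["iam_http_request_method"],
        "url": base64.b64decode(payload["iam_request_url"]).decode(),
        "body": base64.b64decode(payload["iam_request_body"]).decode(),
        "headers": json.loads(base64.b64decode(payload["iam_request_headers"])),
    }


if __name__ == "__main__":
    payload = build_iam_login_payload("AKIAEXAMPLEKEY000000", "constructed-secret",
                                      server_id="vault.example.com")
    print(json.dumps(decode_iam_payload(payload), indent=2))
```

Vault does not learn the secret key from this: it forwards the signed request to STS, and STS answers with the caller's ARN, which Vault then matches against the role's `bound_iam_*` settings.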
Vault auth backends — AppRole

• a generic approach to authenticate machines or applications
• an AppRole can be created for a particular machine, a particular user on that machine, or a service spread across machines
• for authenticating, two values are needed:
  • RoleID: static, can live with an app or on a machine
  • SecretID: gets created on the fly before authenticating
Vault auth backends — AppRole (diagram: plain SecretID)

• mainly used for machines or apps to authenticate against Vault
  1. some process (puppet, chef, etc.) requests a SecretID from Vault
  2. Vault returns the SecretID
  3. the process hands the SecretID to the App (which already holds the RoleID)
  4. the App logs in with RoleID + SecretID
  5. Vault returns a token with the mapped policies

Vault auth backends — AppRole (diagram: wrapped SecretID)

• mainly used for machines or apps to authenticate against Vault
  1. some process (K8s side car, chef, etc.) requests a SecretID from Vault
  2. Vault returns a wrapped SecretID
  3. the process hands the wrapped SecretID to the App
  4. the App asks Vault to unwrap the SecretID
  5. Vault returns the SecretID
  6. the App logs in with RoleID + SecretID
  7. Vault returns a token with the mapped policies
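Why go through the wrapping detour in the second diagram? Because the intermediary (puppet, a side car) then never sees the SecretID itself, and the App can detect if anyone else unwrapped it first. The following is an added illustration, not code from the talk or from Vault: an in-memory model of both AppRole flows that enforces the properties the diagrams rely on: a wrapping token unwraps exactly once and only within its ttl, a SecretID has its own ttl and use count, and a login needs RoleID and SecretID together. The names `ApproleVault` and its methods are hypothetical.

```python
"""Model of AppRole login with plain and response-wrapped SecretIDs.

Added illustration, not Vault's code. Enforced properties: single-use, ttl-bound
wrapping tokens; ttl- and use-count-bound SecretIDs; login needs RoleID and
SecretID. Names (ApproleVault and its methods) are hypothetical; standard
library only.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class _SecretId:
    role: str
    expires_at: float
    uses_left: int


@dataclass
class _Wrapped:
    secret_id: str
    expires_at: float


@dataclass
class Login:
    token: str
    policies: List[str]


class ApproleVault:
    def __init__(self) -> None:
        self.roles: Dict[str, dict] = {}
        self.secret_ids: Dict[str, _SecretId] = {}
        self.wrapped: Dict[str, _Wrapped] = {}

    def create_role(self, name: str, policies: List[str],
                    secret_id_ttl: float = 600.0, secret_id_num_uses: int = 1) -> str:
        """Create a role and return its static RoleID (step 0, done by an operator)."""
        role_id = secrets.token_hex(16)
        self.roles[name] = {"role_id": role_id, "policies": list(policies),
                            "secret_id_ttl": secret_id_ttl, "secret_id_num_uses": secret_id_num_uses}
        return role_id

    def generate_secret_id(self, name: str, now: float) -> str:
        """Plain flow, steps 1/2: the orchestrator obtains a fresh SecretID."""
        r = self.roles[name]
        sid = secrets.token_hex(16)
        self.secret_ids[sid] = _SecretId(name, now + r["secret_id_ttl"], r["secret_id_num_uses"])
        return sid

    def generate_wrapped_secret_id(self, name: str, now: float, wrap_ttl: float = 120.0) -> str:
        """Wrapped flow, steps 1/2: the orchestrator only ever sees a wrapping token."""
        sid = self.generate_secret_id(name, now)
        wrap_token = secrets.token_hex(16)
        self.wrapped[wrap_token] = _Wrapped(sid, now + wrap_ttl)
        return wrap_token

    def unwrap(self, wrap_token: str, now: float) -> Optional[str]:
        """Wrapped flow, steps 4/5: exactly one unwrap. A second attempt failing tells
        the App that someone else already consumed the wrapping token."""
        w = self.wrapped.pop(wrap_token, None)
        if w is None or now > w.expires_at:
            return None
        return w.secret_id

    def login(self, role_id: str, secret_id: str, now: float) -> Optional[Login]:
        """Steps 4/5 (plain) or 6/7 (wrapped): RoleID + SecretID -> token with the role's policies."""
        sid = self.secret_ids.get(secret_id)
        if sid is None:
            return None
        r = self.roles[sid.role]
        if not secrets.compare_digest(r["role_id"], role_id) or now > sid.expires_at:
            return None
        sid.uses_left -= 1
        if sid.uses_left <= 0:
            del self.secret_ids[secret_id]  # single-use SecretID is gone after this login
        return Login(secrets.token_hex(16), list(r["policies"]))


if __name__ == "__main__":
    vault = ApproleVault()
    role_id = vault.create_role("app1", ["app1-policy"])
    wrap_token = vault.generate_wrapped_secret_id("app1", now=0.0)   # orchestrator
    secret_id = vault.unwrap(wrap_token, now=10.0)                    # app
    print("login:", vault.login(role_id, secret_id, now=20.0))
    print("replayed unwrap:", vault.unwrap(wrap_token, now=30.0))
```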
Use whatever auth you want

Auth backends:
• Tokens • LDAP • AWS • Kubernetes • Google Cloud • Username & Password • AppRole • GitHub • MFA • Okta • RADIUS • TLS Certificates

Secret backends:
• AWS • Consul • Cubbyhole • Databases • Identity • Static secrets (Key/Value) • Nomad • PKI (Certificates) • RabbitMQ • SSH • TOTP • Transit

• e.g. PKI -> Kubernetes access
![Page 96: secret management with hashicorps vault · • we pass secrets in via env vars • we read the values from Kubernetes secrets • we have role based access control all figured out](https://reader033.vdocuments.us/reader033/viewer/2022042112/5e8e377a825ddd6dc159e37f/html5/thumbnails/96.jpg)
�63
Vault — policies
Vault — secret representation
```
Vault
├── aws
│   └── creds
│       ├── admin
│       └── developer
├── database
│   └── creds
│       ├── clients-ro
│       └── clients-rw
├── pki
│   └── issue
│       └── broker
├── secret
│   └── team
│       ├── app1
│       │   └── api-keys
│       │       ├── google-analytics
│       │       └── paypal
│       └── app2
│           └── foo
├── ssh
│   └── creds
│       ├── developers
│       └── admins
└── transit
    ├── decrypt
    │   └── team-1-key
    └── encrypt
        └── team-1-key
```
Vault — policies
• applied to “files” or “directories”
• support filesystem wildcards
• control what a user can access
• get assigned after authentication
• policies of a token can’t be changed
Vault — policies (capabilities)
• create
• read
• update
• delete
• list
• deny
• sudo
Vault — policies
$ cat app1-policy.hcl
```hcl
# The app may only read and list its own subtree.
path "secret/team/app1/*" {
  capabilities = ["read", "list"]
}

# The slide grants "write" here; "write" is not a valid name in a
# capabilities list (valid: create, read, update, delete, list, sudo, deny),
# so the equivalent create + update is used. Issuing a certificate is an
# update on pki/issue/<role>.
path "pki/issue/broker" {
  capabilities = ["create", "update"]
}

# Read-only database credentials only; the clients-rw role is not reachable.
path "database/creds/clients-ro" {
  capabilities = ["read"]
}
```
```
Vault
├── aws
│   └── creds
│       ├── admin
│       └── developer
├── database
│   ├── config
│   │   └── clients
│   └── role
│       └── clients-ro
├── pki
│   ├── config
│   │   └── broker
│   └── role
│       └── broker
├── secret
│   └── team
│       ├── app1
│       │   └── api-keys
│       │       ├── google-analytics
│       │       └── paypal
│       └── app2
│           └── foo
├── ssh
│   └── creds
│       ├── developers
│       └── admins
└── transit
    ├── decrypt
```
Vault — policies
$ cat app1-erna-policy.hcl
```hcl
# Erna maintains app1: full control over its static secrets ...
path "secret/team/app1/*" {
  capabilities = ["read", "list", "create", "update", "delete"]
}

# ... and over the configuration of the PKI and database backends it uses,
# but not over the credential endpoints themselves (pki/issue, database/creds).
path "pki/config/*" {
  capabilities = ["create", "update", "delete"]
}

path "pki/role/*" {
  capabilities = ["create", "update", "delete"]
}

path "database/config/clients" {
  capabilities = ["create", "update", "delete"]
}

path "database/role/clients-ro" {
  capabilities = ["create", "update", "delete"]
}

# SSH credentials for developers only; ssh/creds/admins stays out of reach.
path "ssh/creds/developers" {
  capabilities = ["read"]
}
```
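As an added example (not from the talk and not Vault's own code), a simplified model of how the two policies above are evaluated: the request path is matched against the policy paths (exact match first, otherwise the longest glob prefix), the operation must be among the granted capabilities, and everything else is denied. The HCL strings are the slide's policies with the `write` on pki/issue/broker replaced by create and update; Vault's `+` segment wildcard and parameter constraints are left out.

```python
import re

# Simplified model of Vault policy evaluation (added example, not Vault's code).
# Real Vault also knows the "+" segment wildcard and allowed/denied parameters.

# app1-policy.hcl from the slides ("write" replaced by create + update).
APP1_POLICY = '''
path "secret/team/app1/*" { capabilities = ["read", "list"] }
path "pki/issue/broker" { capabilities = ["create", "update"] }
path "database/creds/clients-ro" { capabilities = ["read"] }
'''

# app1-erna-policy.hcl from the slides: the human who configures the backends.
ERNA_POLICY = '''
path "secret/team/app1/*" { capabilities = ["read", "list", "create", "update", "delete"] }
path "pki/config/*" { capabilities = ["create", "update", "delete"] }
path "pki/role/*" { capabilities = ["create", "update", "delete"] }
path "database/config/clients" { capabilities = ["create", "update", "delete"] }
path "database/role/clients-ro" { capabilities = ["create", "update", "delete"] }
path "ssh/creds/developers" { capabilities = ["read"] }
'''

# Matches one `path "..." { capabilities = [...] }` block of the shape used above.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set(capabilities)} for every path block in the policy."""
    rules = {}
    for pattern, caps in RULE_RE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def matching_capabilities(rules: dict, request_path: str):
    """An exact rule wins; otherwise the longest glob rule (pattern ending in '*')
    whose prefix matches the request path. None if nothing matches."""
    if request_path in rules:
        return rules[request_path]
    best = None
    for pattern in rules:
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return rules[best] if best else None


def is_allowed(rules: dict, operation: str, request_path: str) -> bool:
    """Default deny: no matching rule, or an explicit deny, rejects the request."""
    caps = matching_capabilities(rules, request_path)
    if not caps or "deny" in caps:
        return False
    return operation in caps


if __name__ == "__main__":
    app1 = parse_policy(APP1_POLICY)
    for op, path in [("read", "secret/team/app1/api-keys/paypal"),
                     ("update", "secret/team/app1/api-keys/paypal"),
                     ("read", "database/creds/clients-rw")]:
        print(f"app1 {op:6} {path}: {is_allowed(app1, op, path)}")
```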
Vault — Audit log
Vault internals — Audit log
• off by default
• supported backends: file, syslog, socket
• if the audit log cannot be written, Vault does not reply to requests
Vault internals — Audit log
• every operation creates a log entry with
  • what was done
  • when it was executed
  • who requested it
  • request payload
  • response payload
• sensitive data is hashed with a salt using HMAC-SHA256
Vault internals — Audit log
```json
{
  "time": "2018-10-10T10:59:53.557231528Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840",
    "accessor": "hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba",
    "display_name": "[email protected]",
    "policies": ["default"],
    "token_policies": ["default"],
    "metadata": {"username": "[email protected]"},
    "entity_id": "8950f5f7-fad8-3ecb-4e62-e5841815df60"
  },
  "request": {
    "id": "9f2b6dfa-5c18-af6a-1f66-2c78b25a875f",
    "operation": "list",
    "client_token": "hmac-sha256:41f2474f04f6277eb43cc8eae700dbc8534c5369d9185991eed4c4f70b1a5840",
    "client_token_accessor": "hmac-sha256:27e400da69c94fce2378f5738cbf950531d7a9513215274abfbbdaa4927e00ba",
    "path": "secret/",
    "data": null,
    "policy_override": false,
    "remote_address": "100.96.0.76",
    "wrap_ttl": 0,
    "headers": {}
  },
  "response": {
    "data": {"error": "hmac-sha256:d9d7a78363fd091f1b4c12629b7c9b5d7a7ffbf904ef5d29d002d5265d5bbf33"}
  },
  "error": "1 error occurred:\n\n* permission denied"
}
```
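An added example, not from the talk: parsing constructed audit entries shaped like the one above, pulling out the permission-denied requests, and showing what the HMAC-SHA256 hashing buys a defender. A token you hold can still be correlated with its entries by recomputing its hash (in a real deployment via Vault's `sys/audit-hash` endpoint, because the salt never leaves Vault), while the log itself never contains the raw secret values. The salt, token and log lines are constructed.

```python
import hashlib
import hmac
import json

# Added example, not Vault's code. Audit devices write one JSON object per
# line and replace sensitive fields with "hmac-sha256:<hex>", keyed with a
# per-device salt. Salt and token below are constructed for offline use.
SALT = b"constructed-audit-salt"
ERNA_TOKEN = "s.ConstructedExampleToken00001"


def audit_hash(value: str, salt: bytes = SALT) -> str:
    """Hash a value the way the audit device does: HMAC-SHA256 keyed with the salt."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _entry(op: str, path: str, error: str = None, data: dict = None) -> dict:
    """Build one constructed audit entry in the shape of the slide's example."""
    entry = {
        "time": "2018-10-10T10:59:53.557231528Z", "type": "response",
        "auth": {"client_token": audit_hash(ERNA_TOKEN), "display_name": "ldap-erna",
                 "policies": ["default", "app1-erna"]},
        "request": {"operation": op, "client_token": audit_hash(ERNA_TOKEN),
                    "path": path, "remote_address": "100.96.0.76"},
        # response payload values are hashed just like the token
        "response": {"data": {k: audit_hash(v) for k, v in (data or {}).items()}},
    }
    if error:
        entry["error"] = error
    return entry


# Constructed log: a rejected list on secret/ followed by a permitted read.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("list", "secret/", error="1 error occurred:\n\n* permission denied"),
    _entry("read", "secret/team/app1/api-keys/paypal", data={"api_key": "pk_constructed"}),
])


def parse_audit(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def denied_requests(entries: list) -> list:
    """(display_name, path) for every request Vault rejected with permission denied."""
    return [(e["auth"]["display_name"], e["request"]["path"])
            for e in entries if "permission denied" in e.get("error", "")]


def entries_for_token(entries: list, token: str, salt: bytes = SALT) -> list:
    """Correlate a token you hold with its entries by recomputing its HMAC."""
    wanted = audit_hash(token, salt)
    return [e for e in entries if e["auth"]["client_token"] == wanted]


def plaintext_leaked(entries: list, secret_value: str) -> bool:
    """True if the raw secret value appears anywhere in the log (it must not)."""
    return secret_value in json.dumps(entries)


if __name__ == "__main__":
    log = parse_audit(SAMPLE_LOG)
    print("denied:", denied_requests(log))
    print("entries for erna's token:", len(entries_for_token(log, ERNA_TOKEN)))
```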
Vault internals
Vault internals — storage
• several storage backends available: Consul, Etcd, Azure, Cassandra, CockroachDB, CouchDB, DynamoDB, Filesystem, FoundationDB, Google Cloud Spanner, Google Cloud Storage, In-Memory, Manta, MySQL, PostgreSQL, S3, Swift, Zookeeper
• data is encrypted at rest with a symmetric key
• the symmetric key is encrypted by the “master key” and stored in the storage backend
• the master key is split into shares using “Shamir’s Secret Sharing”
Shamir’s Secret Sharing
• 1 … N keys are needed in order to decrypt the data
• you can provide the decryption keys in any order
• N … N+M keys can be created and distributed to different parties
• by default, Vault creates 5 keys on initialization (which is a once-per-storage-backend operation)
• 3 of the 5 keys are needed in order to unseal a Vault instance
• this is configurable (e.g. 10/8, 15/5, etc.)
• HA of key holders: one key alone is worthless
• key holders != admins: designers, ops, devs, etc.
• new unsealing keys can be created when enough unsealing keys are provided (e.g. when employees leave the company)
• every time a Vault instance is started, the master key has to be decrypted
Vault internals — HA
• some backends support Vault HA mode (currently: Consul, Etcd, DynamoDB, FoundationDB, Google Cloud Spanner, Google Cloud Storage, MySQL, Zookeeper)
• Active-Passive mode:
  • only the active Vault instance replies to requests
  • all other Vault instances reply with an HTTP 302 redirect to the active Vault instance (i.e. a load balancer in front of HA Vaults does not make sense)
  • leader election is done in the storage backend
Vault usage
Vault usage — integration
• some frameworks have integration for Vault
• for a home-made solution: create config files with a helper app to avoid development pain
• prepare your app for TTL’ed credentials: react accordingly if (e.g.) the DB password is not valid anymore:
  • re-read the config file with the new credentials
  • make sure the helper app gets new credentials in time
  • retry the DB request
  • when running in a container-managed system, exit if appropriate
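An added example (not from the talk) of the retry logic in the last bullets: the app loads credentials from the file a helper app writes, and when the database rejects the cached password it re-reads the file, retries once, and gives up with a fatal error (the cue to exit in a container-managed system) if the fresh credentials are rejected too. The database driver, file format and password values are constructed stand-ins.

```python
import json
import os
import tempfile


class AuthError(Exception):
    """Raised by the (simulated) database driver when the password is rejected."""


class FatalCredentialError(Exception):
    """Even the re-read credentials were rejected: the helper app is late. In a
    container-managed system the right reaction is usually to exit."""


class SimulatedDatabase:
    """Constructed stand-in for a real driver. Vault's database engine hands out
    short-lived credentials, so the accepted password changes over time."""
    def __init__(self, valid_password: str):
        self.valid_password = valid_password

    def query(self, password: str, sql: str) -> str:
        if password != self.valid_password:
            raise AuthError("password authentication failed")
        return f"ok: {sql}"


def write_credentials(path: str, password: str) -> None:
    """What the helper app does after reading database/creds/clients-ro from Vault."""
    with open(path, "w") as f:
        json.dump({"username": "v-clients-ro", "password": password}, f)


def read_credentials(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


class DbClient:
    """Caches credentials at start-up (as most apps do) and refreshes on failure."""
    def __init__(self, db: SimulatedDatabase, config_path: str):
        self.db, self.config_path = db, config_path
        self.creds = read_credentials(config_path)

    def query(self, sql: str) -> str:
        try:
            return self.db.query(self.creds["password"], sql)
        except AuthError:
            self.creds = read_credentials(self.config_path)   # helper app should have rotated it
        try:
            return self.db.query(self.creds["password"], sql)
        except AuthError as exc:
            raise FatalCredentialError("credentials still rejected after reload") from exc


def demo() -> tuple:
    """Lease rotation with the helper app in time, then with the helper app late."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db-creds.json")
        write_credentials(path, "lease1-constructed")
        db = SimulatedDatabase("lease1-constructed")
        client = DbClient(db, path)
        first = client.query("SELECT 1")
        # lease expired: Vault issued new credentials, helper app wrote them in time
        db.valid_password = "lease2-constructed"
        write_credentials(path, "lease2-constructed")
        second = client.query("SELECT 2")            # fails once, reloads, succeeds
        reloaded = client.creds["password"] == "lease2-constructed"
        # lease expired again, but the helper app has not updated the file yet
        db.valid_password = "lease3-constructed"
        try:
            client.query("SELECT 3")
            fatal = False
        except FatalCredentialError:
            fatal = True
        return first, second, reloaded, fatal
```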
Vault usage — getting started
Vault — getting started (1 minute investment)
https://www.vaultproject.io/#/demo/0
Vault — getting started
• interactive tutorial
• download it locally and start it with the ‘--dev’ parameter (investment: 20 min to a few hours)
• there is a steep learning curve
• different backends use the same words with different meanings (TTL, tokens, etc.)
• hard to quickly test something as you need the backend systems in place (AWS auth to get MySQL passwords?)
• most tutorials only run in dev mode
Vault — recap
You authenticate somehow, get a token with some policy attached to it, and that policy in turn determines which secrets you may read.
Thank you and auf Wiedersehen
We are hiring in Hamburg, Berlin, Munich, Frankfurt, Monheim (between Düsseldorf and Cologne), and remote
https://www.innoq.com/en/culture/working-at-innoq/ https://www.innoq.com/de/culture/working-at-innoq/