![Create a new consumer (Token)
$ vault policy-write patient-policy @patient-policy.json
$ vault token-create -policy=’patient-policy’
Key Value
--- -----
token a7c4e3c1-f9b3-71c0-514c-67c469b9bd3f
token_accessor 40d7fcf6-8ff1-c6c4-632f-9916935ba9a3
token_duration 768h0m0s
token_renewable true
token_policies [patient-policy default]](https://image.slidesharecdn.com/d9b7dlwdruekajobryb9-signature-85d1e6b0dcf1847d56671bf3605748c55151dd44f7098a30bcc239d2ba087306-poli-170131000423/75/vault-secret-and-key-management-20-2048.jpg?cb=1667600011)
![Create a new consumer
(AppRole)
$ vault write auth/approle/login
role_id=d4494db4-4047-90fb-30ec-18a5fa79cc19
secret_id=e01b6593-03c4-6023-cec2-24c8f3c0f2d7
Key Value
--- -----
token 50a69d9b-f5ad-21d8-386d-f6fbbbef404d
token_accessor 6a72e1af-15ae-b896-211d-4f218214db20
token_duration 20m0s
token_renewable true
token_policies [default patient-policy]](https://image.slidesharecdn.com/d9b7dlwdruekajobryb9-signature-85d1e6b0dcf1847d56671bf3605748c55151dd44f7098a30bcc239d2ba087306-poli-170131000423/75/vault-secret-and-key-management-23-2048.jpg?cb=1667600011)
Vault - Secret and Key Management
•10 gefällt mir•3,691 views
Melden
Teilen
Downloaden Sie, um offline zu lesen
Overview of HashiCorp Vault and integrating with Spring Cloud Vault
Más contenido relacionado
Was ist angesagt?
Was ist angesagt?(20)
Similar a Vault - Secret and Key Management
Similar a Vault - Secret and Key Management(20)
![[Wroclaw #9] The purge - dealing with secrets in Opera Software](https://cdn.slidesharecdn.com/ss_thumbnails/presentation3-181117173825-thumbnail.jpg?width=768&fit=bounds)
Último
Último(20)
Vault - Secret and Key Management
- 1. HashiCorp Vault Managing Secrets and Passwords
- 2. What this Brown Bag is about Quick intro to HashiCorp Vault Storing secrets/config with Vault Integrating systems using Vault
- 3. What this Brown Bag is NOT about Consul Discovery Using Vault as an oAuth service
- 4. Ever had this happen to you? **** WARNING AWS SECRET FOUND IN REPO **** **** WARNING CREDENTIALS FOUND! **** config: aws_access_key_id: AHSSKK21342KJ234LJH aws_secret_access_key_id: XXXXXXXXXXXXXXX config: jdbc.username: quickadminuser jdbc.password: G3tM30u70fH3r3!
- 5. Storing credentials in a public repo is risky! Tip Never push credentials to GitHub. GitHub uses bots to scan files on public repos to discover keys and secrets!
- 6. Vault by Hashicorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a- service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
- 7. How many times do you change your password? Tip No one is expected to change their password every day. Though it is a good idea to change your password regularly.
- 8. Agenda Overview of Vault Vault Architecture Vault Data Storage Options Vault Authentication Options Policies Using Vault Demo
- 9. Vault by Hashicorp ● Secret storage ● Key & Password Rotation ● Audit Logs ● Object Storage
- 11. Vault Architecture Access Vault with: command line tool HTTP APIs $ vault read secret/patient-svc $ curl -X GET -H “X-Vault-Token: $VAULT_TOKEN” “http://vault:8200/v1/secret/patient-svc”
- 12. 12 Factor App Software as a Service Declarative Format Minimize Divergence Scale up without changes https://12factor.net Tip 12 Factor App helps separate the application from the environment removing the distinction of the environment and the application.
- 13. Vault Storage Options Consul (HA) etcd (HA) ZooKeeper (HA) DynamoDB (HA) S3 Google Cloud Storage Azure Swift MySQL PostgreSQL InMem File
- 14. Vault Backends (Mounts) AWS Cassandra Consul Cubbyhole Generic MongoDB MSSQL MySQL PKI Certificates PostgreSQL RabbitMQ SSH Transit Custom
- 15. Vault Authentication App Id AppRole AWS EC2 GitHub LDAP ● MFA ● TLS Certificates ● Tokens ● Username & Password
- 16. AppRole Authentication Requires a role_id (UUID) and secret (UUID) Secret is volatile lasts for a preconfigured time and number of uses Application requests a client token using role_id & secret_id Client token is used to access vault
- 18. Vault Policies Control who has access to which parts of Vault Capabilities include: Create Read Update List Sudo
- 19. Vault Policies
- 20. Create a new consumer (Token) $ vault policy-write patient-policy @patient-policy.json $ vault token-create -policy=’patient-policy’ Key Value --- ----- token a7c4e3c1-f9b3-71c0-514c-67c469b9bd3f token_accessor 40d7fcf6-8ff1-c6c4-632f-9916935ba9a3 token_duration 768h0m0s token_renewable true token_policies [patient-policy default]
- 21. Create a new consumer (AppRole) $ vault write auth/approle/role/cloud-auth-role secret_id_ttl=10m token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 policies=patient- policy $ vault read auth/approle/role/cloud-auth-role/role_id Key Value --- ----- role_id d4494db4-4047-90fb-30ec-18a5fa79cc19
- 22. Create a new consumer (AppRole) $ vault write -f auth/approle/role/cloud-auth-role/secret-id Key Value --- ----- secret_id e01b6593-03c4-6023-cec2-24c8f3c0f2d7 secret_id_accessor cde853e3-f264-816f-479e-a63a15097630
- 23. Create a new consumer (AppRole) $ vault write auth/approle/login role_id=d4494db4-4047-90fb-30ec-18a5fa79cc19 secret_id=e01b6593-03c4-6023-cec2-24c8f3c0f2d7 Key Value --- ----- token 50a69d9b-f5ad-21d8-386d-f6fbbbef404d token_accessor 6a72e1af-15ae-b896-211d-4f218214db20 token_duration 20m0s token_renewable true token_policies [default patient-policy]
- 24. Storing data to Vault $ vault write secret/application app_name=”My Application” Success! Data written to secret/application $ vault read secret/application Key Value --- ----- refresh_interval 768h0m0s name My Application
- 25. Storing data to Vault $ vault write secret/application @data.json Success! Data written to secret/application $ vault read secret/application Key Value --- ----- refresh_interval 768h0m0s name My Application conn_url tcp(192.168.99.100:3306) data.json { “name” : “My Application”, “conn_url” : “tcp(192.168.99.100:3306)” }
- 26. Setting up MySQL Mount $ vault mount mysql $vault write mysql/config/connection connection_url=”user:password@tcp(database:port)/” $ vault write mysql/roles/patient-svc sql = “CREATE USER ‘{{name}}’@’%’ IDENTIFIED BY ‘{{password}}’; GRANT ALL ON patient_db.* TO ‘{{name}}’@’%’;”
- 27. Configure your application spring.cloud.vault.mysql: enabled: true role: patient-svc backend: mysql
- 29. Demo Basic Spring JDBC integration Request JDBC Username/Password Return database metadata (database name & version) Request config data from Vault Display value JPA Integration Persist data to MySQL using:
- 30. Architecture
- 31. Spring Cloud Vault http://cloud.spring.io/spring-cloud-vault-config/ Currently at 1.0.0.M1 Add-on to the Spring Cloud Suite Supports configuration and optional database config
Hinweis der Redaktion
- Only the storage backend and the HTTP API are outside, all other components are inside the barrier. The storage backend is untrusted and is used to durably store encrypted data. When the Vault server is started, it must be provided with a storage backend so that data is available across restarts. The HTTP API similarly must be started by the Vault server on start so that clients can interact with it. Once started, the Vault is in a sealed state
- https://www.vaultproject.io/docs/config/index.html#backend swift - Store data within an OpenStack Swift container Swift. This backend does not support HA. This is a community-supported backend.
- The AWS secret backend for Vault generates AWS access credentials dynamically based on IAM policies. This makes IAM much easier to use: credentials could be generated on the fly, and are automatically revoked when the Vault lease is expired. The cubbyhole secret backend is used to store arbitrary secrets within the configured physical storage for Vault. It is mounted at the cubbyhole/ prefix by default and cannot be mounted elsewhere or removed. The PKI secret backend for Vault generates X.509 certificates dynamically based on configured roles. This means services can get certificates needed for both client and server authentication without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.
- You can now use this token to access vault
- You can now use this token to access vault
- You can now use this token to access vault
- Provided the JSON is well formed, the data is loaded into the vault
- Instructs vault how to connect to the database Instructs vault how to create a user on a particular database
- Instructs vault how to connect to the database Instructs vault how to create a user on a particular database ‘backend’ specifies the mount path to the mysql you wish to use (customisable)