SlideShare a Scribd company logo

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault

Jeff Horwitz
Jeff Horwitz

Presented to the Philly DevOps Meetup November 29, 2016. Managing secrets is hard. It’s even harder in the cloud. At Jornaya (formerly LeadiD), we chose Hashicorp Vault to manage our secrets in AWS, and I’d like to share our experience with everyone.

Internet
1 of 53
Download to read offline
Chickens & Eggs Managing secrets in AWS with Hashicorp Vault Jeff Horwitz Jornaya jhorwitz@jornaya.com
Applications need secrets • Where do we store the secrets? • How do we manage the secrets? • How do servers/applications obtain the secrets?
Jornaya Environment • Applications run in AWS in Autoscaling groups • Configuration management via Chef server • No PCI, HIPAA or other compliance requirements • Secrets include passwords, private keys, API keys
Vault “Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.” https://www.vaultproject.io/
Vault ✓ Platform independent ✓ High availability ✓ User & server authentication options ✓ Fine-grained access control ✓ Good language and tooling support ✓ Under active development
Other Options • Instance userdata • Chef encrypted databags • Chef vault • Citadel • KMS
Vault Server • Responds to client requests • Interacts with backends • storage, authentication, secret, audit • Encrypts/Decrypts secrets with master key • Master key is never stored on disk
Playing with Vault ~$ vault server --dev ==> WARNING: Dev mode is enabled! In this mode, Vault is completely in-memory and unsealed. Vault is configured to only have a single unseal key. The root token has already been authenticated with the CLI, so you can immediately begin using the Vault CLI. The only step you need to take is to set the following environment variables: export VAULT_ADDR='http://127.0.0.1:8200' The unseal key and root token are reproduced below in case you want to seal/unseal the Vault or play with authentication. Unseal Key: e95cf9d02c044c67dfd5d379d3a56cee7a0209f8cc681fca1435b6c022fcf028 Root Token: 611f6670-f871-ef2d-2110-87a54261d407
Talking to Vault • Vault provides an HTTP(S) RESTful API • JSON responses • The vault command is a user-friendly wrapper • Modules available for various languages • Config management (e.g. Chef via Ruby gem)
Reading & Writing Secrets ~$ export VAULT_ADDR=http://127.0.0.1:8200 ~$ vault write secret/phillydevops/luggage-combo value=12345 Success! Data written to: secret/phillydevops/luggage-combo ~$ vault read secret/phillydevops/luggage-combo Key Value --- ----- refresh_interval 720h0m0s value 12345
HTTP API ~$ curl -X POST -d '{"value": "12345"}' 
 -H 'X-Vault-Token: 611f6670-f871-ef2d-2110-87a54261d407'
 http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo
HTTP API ~$ curl -k -H 'X-Vault-Token: 611f6670-f871-ef2d-2110-87a54261d407' 
 http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo | jq { "request_id": "ac71da58-cc11-431b-598e-7eb3fe3e37a3", "lease_id": "", "renewable": false, "lease_duration": 2592000, "data": { "value": "12345" }, "wrap_info": null, "warnings": null, "auth": null }
Shamir’s Secret Sharing • https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing • Splits a key into n shards (unseal keys) • k shards needed to derive original key (k < n) • No one person can easily obtain the original key • No need to revoke shards if people leave
Unsealing Process
Unsealing Process • Vault server does not store the master key on disk • Given the master key via the unsealing process • Need minimum number of shards to unseal • Key is only stored in memory • Restarting will lose the key and “seal” the vault.
Unsealing Demo ~$ vault read secret/phillydevops/luggage-combo Error reading secret/phillydevops/luggage-combo: Error making API request. URL: GET http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo Code: 503. Errors: * Vault is sealed ~$ vault unseal Key (will be hidden): ******** Sealed: false Key Shares: 1 Key Threshold: 1 Unseal Progress: 0
Backends Storage backends Secret backends Authentication backends Audit backends
Storage Backends • Physical storage for secrets • Only see encrypted secrets • High availability features
Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
Clustering • Storage backend must support high availability • Active and standby servers • State maintained by Consul (storage backend) • Use Consul DNS or API to discover active server • Standby will redirect to active by default
Cluster Status $ vault status Sealed: false Key Shares: 5 Key Threshold: 3 Unseal Progress: 0 Version: Vault v0.6.1 Cluster Name: vault-cluster-abcd0123 Cluster ID: deadbeef-beef-beef-beef-deadbeefcafe High-Availability Enabled: true Mode: active Leader: https://vault-1.example.com:8200
Secret Backends • Static or dynamic secrets • Backend configuration • Multiple backend mountpoints
Generic Backend • Default backend • Mounted at secret • Stores and retrieves static secrets as k/v pairs • Great for: • username/password • RSA private keys • API keys
Tokens • Authentication in vault is performed via tokens • UUIDs returned by authentication backends • Tokens can expire and must be renewed • Tokens can be revoked • A single “root” token never expires
Authentication Backends • Returns a token based on credentials • Tokens may have a TTL (backend-dependent) • Options to fit different workflows and platforms
Authentication Backends • AppRole (App ID) • AWS EC2 • GitHub • LDAP • TLS Certificates • Tokens • Username & Password
LDAP Backend ~$ vault auth -method ldap username=jhorwitz Password (will be hidden): Successfully authenticated! You are now logged in. The token below is already saved in the session. You do not need to "vault auth" again with the token. token: deadbeef-cafe-beef-beef-deadbeafcafe token_duration: 28799 token_policies: [admins, default]
Lookup a Token ~$ vault token-lookup deadbeef-cafe-beef-beef-deadbeafcafe Key Value --- ----- accessor 5776eb4b-05b1-3bab-98d3-08d34040a806 creation_time 1480366497 creation_ttl 28800 display_name ldap-jhorwitz explicit_max_ttl 0 id deadbeef-cafe-beef-beef-deadbeafcafe meta map[policies:admins,default username:jhorwitz] num_uses 0 orphan true path auth/ldap/login/jhorwitz policies [admins default] renewable true ttl 27379
aws-ec2 Backend • Good for server-level authentication • Fixes the chicken & egg problem on EC2 instances • Let AWS do the dirty work for you
Instance Identity $ curl http://169.254.169.254/latest/dynamic/instance-identity/document { "privateIp" : “10.0.0.1”, "devpayProductCodes" : null, "availabilityZone" : "us-east-1a", "accountId" : "1234567890", "version" : "2010-08-31", "instanceId" : "i-deadbeef", "billingProducts" : null, "instanceType" : "t2.nano", "pendingTime" : "2016-09-09T17:30:35Z", "architecture" : "x86_64", "imageId" : "ami-cafebeef", "kernelId" : null, "ramdiskId" : null, "region" : "us-east-1" }
Identity Signature $ curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGjewog ICJwcml2YXRlSXAiIDogIjEwLjUwLjAuNjgiLAogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVs bCwKICAiYXZhaWxhYmlsaXR5Wm9uZSIgOiAidXMtZWFzdC0xYSIsCiAgImFjY291bnRJZCIgOiAi Mjk4Nzg1NDUzNTkwIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQi IDogImktYzRkMDQwZjUiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VU …
Whitelisting • Vault maintains a whitelist of instance IDs • Cannot reauthenticate using an ID in the whitelist • You can turn this off or remove ID from whitelist • Use a nonce to prevent replay attacks
Roles • Clients specify a role with authentication requests • Roles are “bound” to instance properties • IAM role or instance profile • AMI ID • Vault cross-checks with EC2 before returning token
Creating a Role $ vault write auth/aws-ec2/role/deployer 
 bound_iam_role_arn=arn:aws:iam::1234567890:instance-profile/deployer policies=deployer
 Success! Data written to: auth/aws-ec2/role/deployer
 
 

Policies • ACLs that are applied to roles, users and groups • Applied at token creation • Tokens can have multiple policies
Sample User Policy path "secret/test/*" { policy = "write" } path "secret/*" { policy = "read" } path "secret/classified/*" { capabilities = ["deny"] }
Sample Server Policy path "secret/env/prod/*" { policy = "read" } path "secret/shared/*" { policy = "read" } path "secret/ssl/private-key" { policy = "read" }
Integration • Chef authenticates instance to aws-ec2 backend • Chef stores token • local filesystem (for scripts and apps) • node run state (for Chef recipes)
Get PKCS7 Signature def instance_identity_pkcs7 uri = URI.parse('http://169.254.169.254/latest/dynamic/instance-identity/pkcs7') resp = Net::HTTP.get_response(uri) resp.body.delete("n", '') end
Generate Nonce nonce = SecureRandom.uuid
Send Login Request def aws_ec2_login(address, role, pkcs7, nonce) # find the leader, since Net::HTTP doesn't handle redirects uri = URI.parse("#{address}/v1/sys/leader") resp = Net::HTTP.get_response(uri) leader = JSON.parse(resp.body)['leader_address'] uri = URI.parse("#{leader}/v1/auth/aws-ec2/login") data = { 'role' => role, 'pkcs7' => pkcs7, 'nonce' => nonce } req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json') req.body = data.to_json resp = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http| http.request(req) end …
Write Token to File file node['leadid_vault']['client']['token_file'] do content lazy { node.run_state['token'] || node['leadid_vault']['client']['token'] } owner node['leadid_vault']['client']['uid'] group node['leadid_vault']['client']['gid'] mode '0440' sensitive true action :create_if_missing only_if { node['leadid_vault']['client']['enabled'] } end.run_action(:create)
Using the Token • Chef recipes use the vault gem • Other apps use consul-template
Configure Vault Chef gem def configure(opts = {}) require 'vault' Vault.configure do |config| config.address = opts[:address] config.ssl_ca_cert = opts[:ssl_ca_cert] config.ssl_verify = opts[:ssl_verify] if opts[:token] config.token = opts[:token] elsif opts[:token_file] config.token = File.read(opts[:token_file]) else raise 'must specify either token or token_file' end end end
Helper to read secrets def read(path) require 'vault' Vault.logical.read(path) end
Reading secrets in Chef Chef::Recipe.send(:include, VaultHelpers) if node['leadid_vault']['client']['enabled'] # Grab the Datadog API and Application Key from vault api_key = read( "#{node['leadid_base']['datadog']['secret_path']}" + "/datadog/api-key").data node.default['datadog']['api_key'] = api_key[:value] end … include_recipe 'datadog::dd-agent' include_recipe 'datadog::dd-handler'
consul-template $ consul-template -consul consul.example.com -template "/opt/jornaya/app.yml.ctmpl:/opt/jornaya/app.yml:service nginx restart"
consul-template database: host: db.example.com dbname: myapp {{with secret "secret/leadid/env/prod/db-user"}} user: {{.Data.username}} password: {{.Data.password}} {{end}}
consul-template database: host: db.example.com dbname: myapp user: donald password: WeHaveTheBestPasswords
Learnings • Don't use a self-signed certificate. There is pain. • For SSL, name your servers or use static IP addresses. • Clustering was the easiest part. Do it. • Set up your path hierarchy ahead of time. • Be prepared to RTFM. • Different backends behave differently. • Tokens do not live forever.
Questions?

Recommended

Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing VaultRamit Surana
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 

Recommended

Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing VaultRamit Surana
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Vault
VaultVault
Vaultdawnlua
 
Vault
VaultVault
VaultJean-Philippe Bélanger
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp VaultNicolas Corrarello
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseStenio Ferreira
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesAn Nguyen
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secretsExcella
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 

More Related Content

What's hot

Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseStenio Ferreira
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesAn Nguyen
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
 

What's hot (20)

Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Vault
VaultVault
Vault
 
Vault
VaultVault
Vault
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on Kubernetes
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Container security
Container securityContainer security
Container security
 
Container Security
Container SecurityContainer Security
Container Security
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 

Viewers also liked

Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secretsExcella
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
 
Hashicorp @ JUST EAT - Part 2
Hashicorp @ JUST EAT - Part 2Hashicorp @ JUST EAT - Part 2
Hashicorp @ JUST EAT - Part 2Andrew Brown
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureOpenCredo
 
Hashicorp: Delivering the Tao of DevOps
Hashicorp: Delivering the Tao of DevOpsHashicorp: Delivering the Tao of DevOps
Hashicorp: Delivering the Tao of DevOpsRamit Surana
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattMicroservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattOpenCredo
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current StatusSreenivas Makam
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesSreenivas Makam
 
dome and vault
dome and vaultdome and vault
dome and vaultkaiwan1996
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Amazon Web Services
 
Like Ruby on Rails for Node - the Sails js framework
Like Ruby on Rails for Node - the Sails js frameworkLike Ruby on Rails for Node - the Sails js framework
Like Ruby on Rails for Node - the Sails js frameworkStenio Ferreira
 
インフラ自動化とHashicorp tools
インフラ自動化とHashicorp toolsインフラ自動化とHashicorp tools
インフラ自動化とHashicorp toolsUchio Kondo
 
Innovacion & Tecnología para Eventos Internacionales
Innovacion & Tecnología para Eventos Internacionales Innovacion & Tecnología para Eventos Internacionales
Innovacion & Tecnología para Eventos Internacionales alejandro saucedo
 
Primer ejercicio Introducción a la Disciplina
Primer ejercicio Introducción a la DisciplinaPrimer ejercicio Introducción a la Disciplina
Primer ejercicio Introducción a la DisciplinaMiranchezka
 
Como crear y compartir un GoogleDoc
Como crear y compartir un GoogleDocComo crear y compartir un GoogleDoc
Como crear y compartir un GoogleDocMiranchezka
 
Why SMS Marketing?
Why SMS Marketing?Why SMS Marketing?
Why SMS Marketing?Tina Goh
 

Viewers also liked (20)

Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secrets
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
 
Hashicorp @ JUST EAT - Part 2
Hashicorp @ JUST EAT - Part 2Hashicorp @ JUST EAT - Part 2
Hashicorp @ JUST EAT - Part 2
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
 
Hashicorp: Delivering the Tao of DevOps
Hashicorp: Delivering the Tao of DevOpsHashicorp: Delivering the Tao of DevOps
Hashicorp: Delivering the Tao of DevOps
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattMicroservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
dome and vault
dome and vaultdome and vault
dome and vault
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 
Like Ruby on Rails for Node - the Sails js framework
Like Ruby on Rails for Node - the Sails js frameworkLike Ruby on Rails for Node - the Sails js framework
Like Ruby on Rails for Node - the Sails js framework
 
インフラ自動化とHashicorp tools
インフラ自動化とHashicorp toolsインフラ自動化とHashicorp tools
インフラ自動化とHashicorp tools
 
SomnathCity
SomnathCitySomnathCity
SomnathCity
 
Innovacion & Tecnología para Eventos Internacionales
Innovacion & Tecnología para Eventos Internacionales Innovacion & Tecnología para Eventos Internacionales
Innovacion & Tecnología para Eventos Internacionales
 
Primer ejercicio Introducción a la Disciplina
Primer ejercicio Introducción a la DisciplinaPrimer ejercicio Introducción a la Disciplina
Primer ejercicio Introducción a la Disciplina
 
Como crear y compartir un GoogleDoc
Como crear y compartir un GoogleDocComo crear y compartir un GoogleDoc
Como crear y compartir un GoogleDoc
 
Why SMS Marketing?
Why SMS Marketing?Why SMS Marketing?
Why SMS Marketing?
 

Similar to Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault

Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...Andrey Devyatkin
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Barney Hanlon
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesAmazon Web Services
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Tom Kerkhove
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Futuretcloudcomputing-tw
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application developmentNicolas Corrarello
 
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key VaultTechdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key VaultTom Kerkhove
 
How to implement data encryption at rest in compliance with enterprise requir...
How to implement data encryption at rest in compliance with enterprise requir...How to implement data encryption at rest in compliance with enterprise requir...
How to implement data encryption at rest in compliance with enterprise requir...Steffen Mazanek
 
AWS meets Continuous Delivery
AWS meets Continuous DeliveryAWS meets Continuous Delivery
AWS meets Continuous DeliveryAndreas Mohrhard
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...Nick Maludy
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyPuppet
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 

Similar to Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault (20)

Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon Workspaces
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
 
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key VaultTechdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
 
How to implement data encryption at rest in compliance with enterprise requir...
How to implement data encryption at rest in compliance with enterprise requir...How to implement data encryption at rest in compliance with enterprise requir...
How to implement data encryption at rest in compliance with enterprise requir...
 
AWS meets Continuous Delivery
AWS meets Continuous DeliveryAWS meets Continuous Delivery
AWS meets Continuous Delivery
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 

Recently uploaded

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 

Recently uploaded (20)

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault

  • 1. Chickens & Eggs Managing secrets in AWS with Hashicorp Vault Jeff Horwitz Jornaya jhorwitz@jornaya.com
  • 2. Applications need secrets • Where do we store the secrets? • How do we manage the secrets? • How do servers/applications obtain the secrets?
  • 3. Jornaya Environment • Applications run in AWS in Autoscaling groups • Configuration management via Chef server • No PCI, HIPAA or other compliance requirements • Secrets include passwords, private keys, API keys
  • 4. Vault “Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.” https://www.vaultproject.io/
  • 5. Vault ✓ Platform independent ✓ High availability ✓ User & server authentication options ✓ Fine-grained access control ✓ Good language and tooling support ✓ Under active development
  • 6. Other Options • Instance userdata • Chef encrypted databags • Chef vault • Citadel • KMS
  • 7. Vault Server • Responds to client requests • Interacts with backends • storage, authentication, secret, audit • Encrypts/Decrypts secrets with master key • Master key is never stored on disk
  • 8. Playing with Vault ~$ vault server --dev ==> WARNING: Dev mode is enabled! In this mode, Vault is completely in-memory and unsealed. Vault is configured to only have a single unseal key. The root token has already been authenticated with the CLI, so you can immediately begin using the Vault CLI. The only step you need to take is to set the following environment variables: export VAULT_ADDR='http://127.0.0.1:8200' The unseal key and root token are reproduced below in case you want to seal/unseal the Vault or play with authentication. Unseal Key: e95cf9d02c044c67dfd5d379d3a56cee7a0209f8cc681fca1435b6c022fcf028 Root Token: 611f6670-f871-ef2d-2110-87a54261d407
  • 9. Talking to Vault • Vault provides an HTTP(S) RESTful API • JSON responses • The vault command is a user-friendly wrapper • Modules available for various languages • Config management (e.g. Chef via Ruby gem)
  • 10. Reading & Writing Secrets ~$ export VAULT_ADDR=http://127.0.0.1:8200 ~$ vault write secret/phillydevops/luggage-combo value=12345 Success! Data written to: secret/phillydevops/luggage-combo ~$ vault read secret/phillydevops/luggage-combo Key Value --- ----- refresh_interval 720h0m0s value 12345
  • 11. HTTP API ~$ curl -X POST -d '{"value": "12345"}' 
 -H 'X-Vault-Token: 611f6670-f871-ef2d-2110-87a54261d407'
 http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo
  • 12. HTTP API ~$ curl -k -H 'X-Vault-Token: 611f6670-f871-ef2d-2110-87a54261d407' 
 http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo | jq { "request_id": "ac71da58-cc11-431b-598e-7eb3fe3e37a3", "lease_id": "", "renewable": false, "lease_duration": 2592000, "data": { "value": "12345" }, "wrap_info": null, "warnings": null, "auth": null }
  • 13. Shamir’s Secret Sharing • https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing • Splits a key into n shards (unseal keys) • k shards needed to derive original key (k < n) • No one person can easily obtain the original key • No need to revoke shards if people leave
  • 15. Unsealing Process • Vault server does not store the master key on disk • Given the master key via the unsealing process • Need minimum number of shards to unseal • Key is only stored in memory • Restarting will lose the key and “seal” the vault.
  • 16. Unsealing Demo ~$ vault read secret/phillydevops/luggage-combo Error reading secret/phillydevops/luggage-combo: Error making API request. URL: GET http://127.0.0.1:8200/v1/secret/phillydevops/luggage-combo Code: 503. Errors: * Vault is sealed ~$ vault unseal Key (will be hidden): ******** Sealed: false Key Shares: 1 Key Threshold: 1 Unseal Progress: 0
  • 18. Storage Backends • Physical storage for secrets • Only see encrypted secrets • High availability features
  • 19. Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
  • 20. Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
  • 21. Storage Backends Backend Support HA? Consul Official Yes Zookeeper Community Yes etcd Community Yes DynamoDB Community Maybe S3 Community No Swift Community No Azure Community No mysql Community No postgresql Community No inmem Official No file Official No
  • 22. Clustering • Storage backend must support high availability • Active and standby servers • State maintained by Consul (storage backend) • Use Consul DNS or API to discover active server • Standby will redirect to active by default
  • 23. Cluster Status $ vault status Sealed: false Key Shares: 5 Key Threshold: 3 Unseal Progress: 0 Version: Vault v0.6.1 Cluster Name: vault-cluster-abcd0123 Cluster ID: deadbeef-beef-beef-beef-deadbeefcafe High-Availability Enabled: true Mode: active Leader: https://vault-1.example.com:8200
  • 24. Secret Backends • Static or dynamic secrets • Backend configuration • Multiple backend mountpoints
  • 25. Generic Backend • Default backend • Mounted at secret • Stores and retrieves static secrets as k/v pairs • Great for: • username/password • RSA private keys • API keys
  • 26. Tokens • Authentication in vault is performed via tokens • UUIDs returned by authentication backends • Tokens can expire and must be renewed • Tokens can be revoked • A single “root” token never expires
  • 27. Authentication Backends • Returns a token based on credentials • Tokens may have a TTL (backend-dependent) • Options to fit different workflows and platforms
  • 28. Authentication Backends • AppRole (App ID) • AWS EC2 • GitHub • LDAP • TLS Certificates • Tokens • Username & Password
  • 29. LDAP Backend ~$ vault auth -method ldap username=jhorwitz Password (will be hidden): Successfully authenticated! You are now logged in. The token below is already saved in the session. You do not need to "vault auth" again with the token. token: deadbeef-cafe-beef-beef-deadbeafcafe token_duration: 28799 token_policies: [admins, default]
  • 30. Lookup a Token ~$ vault token-lookup deadbeef-cafe-beef-beef-deadbeafcafe Key Value --- ----- accessor 5776eb4b-05b1-3bab-98d3-08d34040a806 creation_time 1480366497 creation_ttl 28800 display_name ldap-jhorwitz explicit_max_ttl 0 id deadbeef-cafe-beef-beef-deadbeafcafe meta map[policies:admins,default username:jhorwitz] num_uses 0 orphan true path auth/ldap/login/jhorwitz policies [admins default] renewable true ttl 27379
  • 31. aws-ec2 Backend • Good for server-level authentication • Fixes the chicken & egg problem on EC2 instances • Let AWS do the dirty work for you
  • 32. Instance Identity $ curl http://169.254.169.254/latest/dynamic/instance-identity/document { "privateIp" : “10.0.0.1”, "devpayProductCodes" : null, "availabilityZone" : "us-east-1a", "accountId" : "1234567890", "version" : "2010-08-31", "instanceId" : "i-deadbeef", "billingProducts" : null, "instanceType" : "t2.nano", "pendingTime" : "2016-09-09T17:30:35Z", "architecture" : "x86_64", "imageId" : "ami-cafebeef", "kernelId" : null, "ramdiskId" : null, "region" : "us-east-1" }
  • 33. Identity Signature $ curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGjewog ICJwcml2YXRlSXAiIDogIjEwLjUwLjAuNjgiLAogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVs bCwKICAiYXZhaWxhYmlsaXR5Wm9uZSIgOiAidXMtZWFzdC0xYSIsCiAgImFjY291bnRJZCIgOiAi Mjk4Nzg1NDUzNTkwIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQi IDogImktYzRkMDQwZjUiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VU …
  • 34. Whitelisting • Vault maintains a whitelist of instance IDs • Cannot reauthenticate using an ID in the whitelist • You can turn this off or remove ID from whitelist • Use a nonce to prevent replay attacks
  • 35. Roles • Clients specify a role with authentication requests • Roles are “bound” to instance properties • IAM role or instance profile • AMI ID • Vault cross-checks with EC2 before returning token
  • 36. Creating a Role $ vault write auth/aws-ec2/role/deployer 
 bound_iam_role_arn=arn:aws:iam::1234567890:instance-profile/deployer policies=deployer
 Success! Data written to: auth/aws-ec2/role/deployer
 
 

  • 37. Policies • ACLs that are applied to roles, users and groups • Applied at token creation • Tokens can have multiple policies
  • 38. Sample User Policy path "secret/test/*" { policy = "write" } path "secret/*" { policy = "read" } path "secret/classified/*" { capabilities = ["deny"] }
  • 39. Sample Server Policy path "secret/env/prod/*" { policy = "read" } path "secret/shared/*" { policy = "read" } path "secret/ssl/private-key" { policy = "read" }
  • 40. Integration • Chef authenticates instance to aws-ec2 backend • Chef stores token • local filesystem (for scripts and apps) • node run state (for Chef recipes)
  • 41. Get PKCS7 Signature def instance_identity_pkcs7 uri = URI.parse('http://169.254.169.254/latest/dynamic/instance-identity/pkcs7') resp = Net::HTTP.get_response(uri) resp.body.delete("n", '') end
  • 42. Generate Nonce nonce = SecureRandom.uuid
  • 43. Send Login Request def aws_ec2_login(address, role, pkcs7, nonce) # find the leader, since Net::HTTP doesn't handle redirects uri = URI.parse("#{address}/v1/sys/leader") resp = Net::HTTP.get_response(uri) leader = JSON.parse(resp.body)['leader_address'] uri = URI.parse("#{leader}/v1/auth/aws-ec2/login") data = { 'role' => role, 'pkcs7' => pkcs7, 'nonce' => nonce } req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json') req.body = data.to_json resp = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http| http.request(req) end …
  • 44. Write Token to File file node['leadid_vault']['client']['token_file'] do content lazy { node.run_state['token'] || node['leadid_vault']['client']['token'] } owner node['leadid_vault']['client']['uid'] group node['leadid_vault']['client']['gid'] mode '0440' sensitive true action :create_if_missing only_if { node['leadid_vault']['client']['enabled'] } end.run_action(:create)
  • 45. Using the Token • Chef recipes use the vault gem • Other apps use consul-template
  • 46. Configure Vault Chef gem def configure(opts = {}) require 'vault' Vault.configure do |config| config.address = opts[:address] config.ssl_ca_cert = opts[:ssl_ca_cert] config.ssl_verify = opts[:ssl_verify] if opts[:token] config.token = opts[:token] elsif opts[:token_file] config.token = File.read(opts[:token_file]) else raise 'must specify either token or token_file' end end end
  • 47. Helper to read secrets def read(path) require 'vault' Vault.logical.read(path) end
  • 48. Reading secrets in Chef Chef::Recipe.send(:include, VaultHelpers) if node['leadid_vault']['client']['enabled'] # Grab the Datadog API and Application Key from vault api_key = read( "#{node['leadid_base']['datadog']['secret_path']}" + "/datadog/api-key").data node.default['datadog']['api_key'] = api_key[:value] end … include_recipe 'datadog::dd-agent' include_recipe 'datadog::dd-handler'
  • 49. consul-template $ consul-template -consul consul.example.com -template "/opt/jornaya/app.yml.ctmpl:/opt/jornaya/app.yml:service nginx restart"
  • 50. consul-template database: host: db.example.com dbname: myapp {{with secret "secret/leadid/env/prod/db-user"}} user: {{.Data.username}} password: {{.Data.password}} {{end}}
  • 52. Learnings • Don't use a self-signed certificate. There is pain. • For SSL, name your servers or use static IP addresses. • Clustering was the easiest part. Do it. • Set up your path hierarchy ahead of time. • Be prepared to RTFM. • Different backends behave differently. • Tokens do not live forever.