SlideShare a Scribd company logo
1 of 42
Download to read offline
HashiCorp's Vault
The Examples
Introduction
HashiCorp's Vault - The Examples
Basics Concepts
Vault is a "simple" HTTP service
How to make secrets secure?
● encryption
● renewing
● revoking
How to make secrets secure?
● encryption
● renewing
● revoking
How to make secrets secure?
● encryption
● renewing
● revoking
How to make secrets secure?
● encryption
● renewing
● revoking
How to make secrets secure?
● encryption
● renewing
● revoking
"Install" Vault
Do you know PGP?
keybase.io?
Download Vault
./scripts/download
Download Vault
# Download the 64bit binary
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip"
# Download checksums and signature
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS"
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig"
# Import the hashicorp public key
curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import
Sample link: https://releases.hashicorp.com/vault/0.6.4/
Download Vault
# Verify the signature file is untampered.
$ gpg2 --options $project_directory/.gnupg/gpg.conf 
--verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS"
# Verify the SHASUM matches the binary
$ cat "vault_${vault_version}_SHA256SUMS" 
| grep "vault_${vault_version}_linux_amd64.zip" 
| shasum -a 256 -c -
Download Vault
# Install Vault
$ unzip "vault_${vault_version}_linux_amd64.zip"
Download Vault
$ ./scripts/vault version
Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')
Add Vault to $PATH
$ export PATH=$PATH:$PWD/scripts
Boot Vault
Vault in development
Vault development configuration
$ cat configuration/development.hcl
backend "file" {
path = "data"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
default_lease_ttl = "1h"
max_lease_ttl = "2h"
disable_mlock = true
Start Vault Server
$ vault server -config=$PWD/configuration/development.hcl
Initialize Vault
$ vault init -key-shares=1 -key-threshold=1
Unseal Vault Server
$ vault unseal 4e02850adda5af588e290592d11d323fa1ce...
Vault in production
PostgreSQL Backend
HashiCorp's Vault - The Examples
Docker Compose Configuration
$ cat .env.db
POSTGRES_USER=vault
POSTGRES_PASSWORD=vault
POSTGRES_DB=vault
Docker Compose Configuration
$ cat docker-compose.yml
---
version: '2'
services:
db:
image: "postgres:9.5.4"
hostname: db
env_file:
- .env.db
ports:
- "9191:5432"
Start PostgreSQL
$ docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------
vault_db_1 /docker-entrypoint.sh postgres Up 0.0.0.0:9191->5432/tcp
$ docker-compose up -d
Mount the PostgreSQL backend
$ vault mount -path=postgresql-test 
-default-lease-ttl=30m 
-max-lease-ttl=12h 
Postgresql
Successfully mounted 'postgresql' at 'postgresql-test'!
Verify the PostgreSQL backend
$ vault mounts | head -n1 && vault mounts | grep postgresql
Path Type Default TTL Max TTL Description
postgresql-test/ postgresql 1800 43200
Establish connection between
PostgreSQL and Vault
$ source .env.db
$ vault write postgresql-test/config/connection 
connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191
/${POSTGRES_DB}?sslmode=disable"
Tell Vault how
to create PostgreSQL users
SQL query in readable format
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD "{{password}}"
VALID UNTIL "{{expiration}}";
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
Tell Vault how
to create PostgreSQL users
$ vault write postgresql-test/roles/readonly 
sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID
UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";"
Success! Data written to: postgresql-test/roles/readonly
Generate user with password
$ vault read -format=json 
postgresql-test/creds/readonly 
| tee postgresql-user-credentials.json 
| jq .
{
"request_id": "b02b0a7f-9ea1-34f0-59fb-b25015114f5c",
"lease_id":
"postgresql-test/creds/readonly/40ff9937-8e6b-41c4-26c4-67e5c2be3024",
"lease_duration": 3600,
"renewable": true,
"data": {
"password": "130a6869-9e1a-94aa-c4ce-88bd5d7cc93e",
"username": "root-42e196da-4b70-47cd-cc72-01fd791cdd84"
},
"warnings": null
}
user with password - result
Connect to PostgreSQL
$ username=$(jq -r .data.username postgresql-user-credentials.json)
$ password=$(jq -r .data.password postgresql-user-credentials.json)
$ docker run --rm -it 
--link=vault_db_1:db 
--net vault_default 
--env PGPASSWORD="${password}" 
--env username="${username}" 
--env POSTGRES_DB="${POSTGRES_DB}" 
postgres:9.5.4 bash
> psql --host=db --username="${username}" "${POSTGRES_DB}"
Connect to PostgreSQL
> SELECT datname AS database,
usename AS user
FROM pg_stat_activity
WHERE state = 'active';
database | user
---------+-------------------------------------------
vault | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300
(1 row)
user with password
SSH Backend
Overview

More Related Content

What's hot

Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesAn Nguyen
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...Andrey Devyatkin
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaBraja Krishna Das
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...QAware GmbH
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 

What's hot (20)

Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on Kubernetes
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
 
Helm 3
Helm 3Helm 3
Helm 3
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 

Similar to HashiCorp's Vault - The Examples

Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Prajal Kulkarni
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierCarlos Sanchez
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
Kafka security ssl
Kafka security sslKafka security ssl
Kafka security sslHeng-Xiu Xu
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Composeraccoony
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newYiwei Ma
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
PHP London Dec 2013 - Varnish - The 9 circles of hell
PHP London Dec 2013 - Varnish - The 9 circles of hellPHP London Dec 2013 - Varnish - The 9 circles of hell
PHP London Dec 2013 - Varnish - The 9 circles of hellluis-ferro
 
Keep it simple web development stack
Keep it simple web development stackKeep it simple web development stack
Keep it simple web development stackEric Ahn
 
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...QCloudMentor
 
Start tracking your ruby infrastructure
Start tracking your ruby infrastructureStart tracking your ruby infrastructure
Start tracking your ruby infrastructureSergiy Kukunin
 
Into The Box 2018 Going live with commandbox and docker
Into The Box 2018 Going live with commandbox and dockerInto The Box 2018 Going live with commandbox and docker
Into The Box 2018 Going live with commandbox and dockerOrtus Solutions, Corp
 
Going live with BommandBox and docker Into The Box 2018
Going live with BommandBox and docker Into The Box 2018Going live with BommandBox and docker Into The Box 2018
Going live with BommandBox and docker Into The Box 2018Ortus Solutions, Corp
 
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기raccoony
 
Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016StackIQ
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Carlos Sanchez
 
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSHow To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSVEXXHOST Private Cloud
 
Install elasticsearch, logstash and kibana
Install elasticsearch, logstash and kibana Install elasticsearch, logstash and kibana
Install elasticsearch, logstash and kibana Chanaka Lasantha
 
Postgres the hardway
Postgres the hardwayPostgres the hardway
Postgres the hardwayDave Pitts
 

Similar to HashiCorp's Vault - The Examples (20)

Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Kafka security ssl
Kafka security sslKafka security ssl
Kafka security ssl
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 new
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
PHP London Dec 2013 - Varnish - The 9 circles of hell
PHP London Dec 2013 - Varnish - The 9 circles of hellPHP London Dec 2013 - Varnish - The 9 circles of hell
PHP London Dec 2013 - Varnish - The 9 circles of hell
 
Keep it simple web development stack
Keep it simple web development stackKeep it simple web development stack
Keep it simple web development stack
 
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
 
Start tracking your ruby infrastructure
Start tracking your ruby infrastructureStart tracking your ruby infrastructure
Start tracking your ruby infrastructure
 
Into The Box 2018 Going live with commandbox and docker
Into The Box 2018 Going live with commandbox and dockerInto The Box 2018 Going live with commandbox and docker
Into The Box 2018 Going live with commandbox and docker
 
Going live with BommandBox and docker Into The Box 2018
Going live with BommandBox and docker Into The Box 2018Going live with BommandBox and docker Into The Box 2018
Going live with BommandBox and docker Into The Box 2018
 
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
 
Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
 
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSHow To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
 
Install elasticsearch, logstash and kibana
Install elasticsearch, logstash and kibana Install elasticsearch, logstash and kibana
Install elasticsearch, logstash and kibana
 
Postgres the hardway
Postgres the hardwayPostgres the hardway
Postgres the hardway
 

Recently uploaded

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 

Recently uploaded (20)

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 

HashiCorp's Vault - The Examples

  • 5. Vault is a "simple" HTTP service
  • 6. How to make secrets secure? ● encryption ● renewing ● revoking
  • 7. How to make secrets secure? ● encryption ● renewing ● revoking
  • 8. How to make secrets secure? ● encryption ● renewing ● revoking
  • 9. How to make secrets secure? ● encryption ● renewing ● revoking
  • 10. How to make secrets secure? ● encryption ● renewing ● revoking
  • 12. Do you know PGP? keybase.io?
  • 14. Download Vault # Download the 64bit binary curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip" # Download checksums and signature curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS" curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig" # Import the hashicorp public key curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import Sample link: https://releases.hashicorp.com/vault/0.6.4/
  • 15. Download Vault # Verify the signature file is untampered. $ gpg2 --options $project_directory/.gnupg/gpg.conf --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS" # Verify the SHASUM matches the binary $ cat "vault_${vault_version}_SHA256SUMS" | grep "vault_${vault_version}_linux_amd64.zip" | shasum -a 256 -c -
  • 16. Download Vault # Install Vault $ unzip "vault_${vault_version}_linux_amd64.zip"
  • 17. Download Vault $ ./scripts/vault version Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')
  • 18. Add Vault to $PATH $ export PATH=$PATH:$PWD/scripts
  • 21. Vault development configuration $ cat configuration/development.hcl backend "file" { path = "data" } listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } default_lease_ttl = "1h" max_lease_ttl = "2h" disable_mlock = true
  • 22. Start Vault Server $ vault server -config=$PWD/configuration/development.hcl
  • 23. Initialize Vault $ vault init -key-shares=1 -key-threshold=1
  • 24. Unseal Vault Server $ vault unseal 4e02850adda5af588e290592d11d323fa1ce...
  • 28. Docker Compose Configuration $ cat .env.db POSTGRES_USER=vault POSTGRES_PASSWORD=vault POSTGRES_DB=vault
  • 29. Docker Compose Configuration $ cat docker-compose.yml --- version: '2' services: db: image: "postgres:9.5.4" hostname: db env_file: - .env.db ports: - "9191:5432"
  • 30. Start PostgreSQL $ docker-compose ps Name Command State Ports ---------------------------------------------------------------------------- vault_db_1 /docker-entrypoint.sh postgres Up 0.0.0.0:9191->5432/tcp $ docker-compose up -d
  • 31. Mount the PostgreSQL backend $ vault mount -path=postgresql-test -default-lease-ttl=30m -max-lease-ttl=12h Postgresql Successfully mounted 'postgresql' at 'postgresql-test'!
  • 32. Verify the PostgreSQL backend $ vault mounts | head -n1 && vault mounts | grep postgresql Path Type Default TTL Max TTL Description postgresql-test/ postgresql 1800 43200
  • 33. Establish connection between PostgreSQL and Vault $ source .env.db $ vault write postgresql-test/config/connection connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191 /${POSTGRES_DB}?sslmode=disable"
  • 34. Tell Vault how to create PostgreSQL users SQL query in readable format CREATE ROLE "{{name}}" WITH LOGIN PASSWORD "{{password}}" VALID UNTIL "{{expiration}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
  • 35. Tell Vault how to create PostgreSQL users $ vault write postgresql-test/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" Success! Data written to: postgresql-test/roles/readonly
  • 36. Generate user with password $ vault read -format=json postgresql-test/creds/readonly | tee postgresql-user-credentials.json | jq .
  • 37. { "request_id": "b02b0a7f-9ea1-34f0-59fb-b25015114f5c", "lease_id": "postgresql-test/creds/readonly/40ff9937-8e6b-41c4-26c4-67e5c2be3024", "lease_duration": 3600, "renewable": true, "data": { "password": "130a6869-9e1a-94aa-c4ce-88bd5d7cc93e", "username": "root-42e196da-4b70-47cd-cc72-01fd791cdd84" }, "warnings": null } user with password - result
  • 38. Connect to PostgreSQL $ username=$(jq -r .data.username postgresql-user-credentials.json) $ password=$(jq -r .data.password postgresql-user-credentials.json)
  • 39. $ docker run --rm -it --link=vault_db_1:db --net vault_default --env PGPASSWORD="${password}" --env username="${username}" --env POSTGRES_DB="${POSTGRES_DB}" postgres:9.5.4 bash > psql --host=db --username="${username}" "${POSTGRES_DB}" Connect to PostgreSQL
  • 40. > SELECT datname AS database, usename AS user FROM pg_stat_activity WHERE state = 'active'; database | user ---------+------------------------------------------- vault | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300 (1 row) user with password