HashiCorp Vault: Finding a Home for Credentials
DevOpsDays Taipei 2019
https://devopsdays.tw/cfs/
Taipei HUG
http://bit.ly/taipei-hug
https://t.me/TaiwanHashiCorpUserGroup
We're Hiring !!!
Software Engineer in Test
Site Reliability Engineer
Outline
◉ CH00 Environment Setup
◉ CH01 Vault Basics
◉ CH02 Dynamic Credentials
◉ CH03 Daily Operation
◉ CH04 Go Production
0 Environment Setup
Setup Workshop Environment
Setup Cloud9
The following installation-guide screenshots come from:
https://github.com/pahud/amazon-eks-workshop
Create environment
Name environment
7. Execute 'aws configure' to configure the credentials for your IAM user. Make sure this IAM user has AdministratorAccess, then run 'aws sts get-caller-identity'; you should see returned JSON output like this.
Create an IAM Key if You Have None (1/4)
Create an IAM Key if You Have None (2/4)
Create an IAM Key if You Have None (3/4)
Create an IAM Key if You Have None (4/4)
Run Commands in Cloud9
$ git clone https://github.com/Taipei-HUG/workshop.git
$ cd vault/CH00
$ ./step1.sh # get all binaries
$ ./step2.sh # set up the EKS cluster
1 Vault Basics
Introduction
Questions
● Where do you store credentials?
● How do you rotate credentials?
Where do you store credentials?
How do you rotate credentials?
● Create a new credential
● Rotate credentials one by one
● Delete the old credential
● What if you have 10 components connecting to the DB?
Secret Management
Where do you store credentials?
Basic secret management (diagram):
0. Admin creates the credential (Credential 1, Credential 2)
1. Get the credential by access token or another auth method
2. Access the DB via the credential
Vault Features
● Web UI/CLI/API/SDK
● Centralized secret management
● Secure Secret Storage
● Dynamic Secrets
● Leasing and Renewal
● Revocation
Secure Secret Storage (diagram): the user creates Credential 1, Vault encrypts it and saves it to storage
Vault Storage: S3 | DynamoDB
Dynamic Secrets (diagram): a CMS cluster accesses the database via dynamic secrets
Dynamic secret endpoint 1 -> User: vault-cms-1, Password: dynamic-pw-1
Dynamic secret endpoint 2 -> User: vault-cms-2, Password: dynamic-pw-2
Setup Vault on docker-compose
# Open the Cloud9 IDE and see CH01/commands.txt
$ docker-compose up -d
$ export VAULT_ADDR=http://127.0.0.1:8080
$ export VAULT_TOKEN=my-root-token
$ vault status
Manipulate the Vault kv engine
$ vault kv list secret
$ vault kv put secret/first-secret foo=bar
$ vault kv list secret
$ vault kv get secret/first-secret
$ vault kv put secret/first-secret foo=bar test=true
$ vault kv metadata get secret/first-secret
$ vault kv delete secret/first-secret
$ vault kv metadata delete secret/first-secret
Vault UI
● Cloud9 → Preview → Preview Running Application
Dynamic Secret
Vault Dynamic Secret
https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets
Sequence (diagram): the application requests a dynamic credential -> Vault creates a database user with a certain scope -> the database returns a credential -> Vault returns the credential -> the application accesses the database via the credential -> on graceful shutdown the application revokes the credential -> Vault deletes the user -> user deleted, credential deleted
Setup Dynamic Secret
● See init.sh
● Set up the Vault dynamic secret
● Integrate it into our service
$ vault secrets enable database
Supported engines
● Database
○ MySQL, PostgreSQL, MongoDB, etc.
● SSH
● AWS IAM
● Vault docs - secret engines
$ vault write database/config/my-database \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(mysql_url:3306)/" \
    allowed_roles=my-role \
    username=${MYSQL_ROOT_USERNAME} \
    password=${MYSQL_ROOT_PASSWORD}
$ vault write database/roles/my-role \
    db_name=my-database \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="2h"
Flow (diagram):
1. Request a credential: $ vault read database/creds/my-role
2. Vault issues a dynamic credential with a TTL, executing the creation statements with the root credential (username=${MYSQL_ROOT_USERNAME}, password=${MYSQL_ROOT_PASSWORD}):
   CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
   GRANT SELECT ON *.* TO '{{name}}'@'%';
3. Get the credential
4. Access the DB with the dynamic credential
$ npm install
$ node index.js
const vault = require("node-vault")({ endpoint: process.env.VAULT_ADDR, token: process.env.VAULT_TOKEN }); // assumed client library
const mysql = require("mysql2/promise"); // assumed MySQL driver
(async () => {
  const credential = await vault.read("database/creds/my-role"); // Vault creates a short-lived DB user for this lease
  const { username: user, password } = credential.data;
  const conn = await mysql.createConnection({ host: process.env.MYSQL_HOST, port: process.env.MYSQL_PORT, user, password });
  const result = await conn.query("SELECT USER() as user"); // runs as the dynamic user
  await conn.end();
  await vault.revoke({ lease_id: credential.lease_id }); // graceful shutdown: drop the user now instead of waiting for the TTL
})();
Revocation
● Manually revoke via CLI/API
● Automatically revoked by TTL
$ vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/IPUkANwU080vaJwARYm4S8NT
lease_duration     1h
lease_renewable    true
password           A1a-5pV9iwoVWLmvh3Fu
username           v-token-my-role-wGzYgA6g8DozFW0k
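The leasing, renewal and revocation behaviour of the my-role credential above (default_ttl 1h, max_ttl 2h), as an added Python model that is not part of the workshop code; the lease id, the timings and the HOUR constant are assumptions for illustration.

```python
# Added example (not workshop code): how a Vault lease for database/creds/my-role behaves.
# Renewals extend the lease but never past max_ttl measured from issue time; an expired
# or revoked lease means the dynamic DB user has been deleted.
from dataclasses import dataclass, field

HOUR = 3600  # seconds


@dataclass
class Lease:
    lease_id: str
    issued_at: int                 # epoch seconds when `vault read database/creds/my-role` ran
    ttl: int = HOUR                # the role's default_ttl
    max_ttl: int = 2 * HOUR        # the role's max_ttl
    revoked: bool = False
    expires_at: int = field(init=False, default=0)

    def __post_init__(self):
        self.expires_at = self.issued_at + self.ttl

    def is_valid(self, now: int) -> bool:
        """The dynamic DB user only exists while the lease is unexpired and not revoked."""
        return not self.revoked and now < self.expires_at

    def renew(self, now: int, increment: int = HOUR) -> int:
        """Like `vault lease renew -increment=...`: the new expiry is capped by max_ttl."""
        if not self.is_valid(now):
            raise ValueError("cannot renew an expired or revoked lease")
        hard_limit = self.issued_at + self.max_ttl
        self.expires_at = min(now + increment, hard_limit)
        return self.expires_at

    def revoke(self) -> None:
        """Like `vault lease revoke <lease_id>`: what the app does on graceful shutdown."""
        self.revoked = True


def simulate_role_lifecycle(start: int = 0) -> dict:
    """Walk one credential through issue -> renew -> renew -> expiry (times relative to `start`)."""
    lease = Lease("database/creds/my-role/EXAMPLE", issued_at=start)   # constructed lease id
    timeline = {"issued_expires": lease.expires_at}
    timeline["renew_at_50min"] = lease.renew(start + 50 * 60)    # 50min + 1h = 1h50m, under max_ttl
    timeline["renew_at_100min"] = lease.renew(start + 100 * 60)  # would be 2h40m; capped at 2h
    timeline["valid_at_119min"] = lease.is_valid(start + 119 * 60)
    timeline["valid_at_120min"] = lease.is_valid(start + 120 * 60)
    return timeline
```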
Auth Methods
● Vault token
● Kubernetes
● AWS IAM
● LDAP
● … and many more
Kubernetes auth (diagram): Deployment A and Deployment B run in a Kubernetes cluster and authenticate to Vault; Role A maps to Policy A and Role B to Policy B, so each deployment is handed only its own credential (Credential 1 for A, Credential 2 for B)
See more: Deep Integration of Vault with Kubernetes (Vault 與 Kubernetes 的深度整合)
Putting it all together
● Dynamic Secrets
● Kubernetes service authentication
● Limited permission scope
Ideal Credential Lifecycle
Application (diagram):
1. Request an access credential (at runtime)
2. Use the credential to access the service
3. Revoke the credential
Credentials only exist in memory
3 Daily Operation
Overview of How to Maintain Vault
Master Key
◉ When a Vault server is first initialized, Vault generates a master key
◉ It immediately splits this master key into a series of key shares following Shamir's Secret Sharing algorithm
Encryption Key
◉ The master key is used to decrypt the underlying encryption key
◉ Vault uses the encryption key to encrypt data at rest in a storage backend like the filesystem or Consul
Seal/Unseal
◉ Vault never stores the master key; therefore, the only way to retrieve the master key is to have a quorum of unseal keys re-generate it.
Practice (1/3)
# switch to the CH03 folder
~$ cd vault/CH03
# boot the vault server and log in to it
~$ ./start_local_vault.sh
# check vault status
~$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false
Practice (2/3)
# initialize vault
~$ vault operator init
# keep the unseal keys and the root token
Unseal Key 1: QosKlf+rXJkDLZJX7tgpiKj8zDDNzGHrv4HrV2C9xlxH
Unseal Key 2: 8dUP2J+1vPQcRM09QdK5Lo83YnHHjDe1nLdfAjESSKfa
Unseal Key 3: t89QgyeOIC4W/7ZRCcMzrgPBYLhGeVOMtuHVNU2IQ5k2
Unseal Key 4: KPnn8uvGWu5DOpcuQA1/1DnjGCiakPWdP1ExtAcQm0L7
Unseal Key 5: LPCOtvaU944O2tbWXoeJGo7SL4d6pc0iFA8vrUv1gHyW
Initial Root Token: s.96aLKTnD3WRiT0STWeLbLDDI
Practice (3/3)
# unseal vault
# repeat 3 times
~$ vault operator unseal
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       a0dfd3da-0fcb-0268-baba-ef4cbe5550bc
Version            1.1.2
HA Enabled         false
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             false
Total Shares       5
Threshold          3
Version            1.1.2
Cluster Name       vault-cluster-59fe6b22
Cluster ID         81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled         false
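Shamir's Secret Sharing behind the 5-share, 3-threshold seal shown above, as an added Python example that is not workshop code: it splits a constructed sample key the way `vault operator init` splits the master key (y values per byte, x coordinate appended as the last share byte) and shows that any 3 shares recover it while 2 do not.

```python
# Added example (not workshop code): Shamir's Secret Sharing over GF(2^8), the scheme
# Vault uses to split the master key into `Total Shares` key shares of which
# `Threshold` are needed to unseal. Share layout follows Vault's: one y byte per
# secret byte, with the x coordinate appended as the last byte.
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b, the AES polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 (a^255 == 1 for every non-zero a in GF(2^8))."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term, i.e. the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = _gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int = 5, threshold: int = 3):
    """Split `secret` into `shares` shares, any `threshold` of which reconstruct it."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # distinct non-zero x coordinates (x=0 would leak the secret)
    out = [bytearray() for _ in xs]
    for byte in secret:
        # random polynomial of degree threshold-1 whose constant term is this secret byte
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, x in enumerate(xs):
            out[i].append(_eval_poly(coeffs, x))
    for i, x in enumerate(xs):
        out[i].append(x)
    return [bytes(s) for s in out]


def _interpolate_at_zero(xs, ys) -> int:
    """Lagrange interpolation at x=0; in characteristic 2, subtraction is XOR."""
    result = 0
    for j, (xj, yj) in enumerate(zip(xs, ys)):
        basis = 1
        for m, xm in enumerate(xs):
            if m != j:
                basis = _gf_mul(basis, _gf_mul(xm, _gf_inv(xj ^ xm)))
        result ^= _gf_mul(yj, basis)
    return result


def combine(shares) -> bytes:
    """Recombine shares; with fewer than `threshold` shares the result is garbage, not an error."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    length = len(shares[0]) - 1
    if any(len(s) != length + 1 for s in shares):
        raise ValueError("shares have different lengths")
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    return bytes(_interpolate_at_zero(xs, [s[i] for s in shares]) for i in range(length))
```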
Auto-Unseal
◉ AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS
Practice (1/6)
# exit the vault server container with Ctrl+D
# create a kms key
~$ aws kms create-key
{
    "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy",
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy",
        "CreationDate": 1559233248.825,
        ...
Practice (2/6)
◉ Append a seal config section to config/default.hcl
…
seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy"
}
Practice (3/6)
◉ Add the AWS AK/SK to the .env file
VAULT_ADDR=http://127.0.0.1:8200
AWS_ACCESS_KEY_ID=DFJLSFKJLD8358KJLJK8
AWS_SECRET_ACCESS_KEY=JioeuJek7+jgJLIUJWTYSfv3rr49JRoqt
Practice (4/6)
# restart the vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                          Value
---                          -----
Recovery Seal Type           shamir
Initialized                  true
Sealed                       true
Total Recovery Shares        5
Threshold                    3
Unseal Progress              0/3
Unseal Nonce                 n/a
Seal Migration in Progress   true
Version                      1.1.2
HA Enabled                   false
Practice (5/6)
# seal migration
# repeat 3 times
~$ vault operator unseal -migrate
Unseal Key (will be hidden):
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.1.2
Cluster Name             vault-cluster-59fe6b22
Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled               false
Practice (6/6)
# exit the vault server container with Ctrl+D
# restart the vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.1.2
Cluster Name             vault-cluster-59fe6b22
Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled               false
Authentication
Practice (1/2)
# enable the Userpass auth method
~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
~$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
~$ vault write auth/userpass/users/smalltown password=12345678 policies=default
Success! Data written to: auth/userpass/users/smalltown
Practice (2/2)
# try to log in to vault with account and password
~$ vault login -method=userpass username=smalltown password=12345678
Key                    Value
---                    -----
token                  s.MXYyp2Q9OB1iVQJlhso3v3an
token_accessor         hPntyUJor6sMb1Iw3XwbW9qi
token_duration         768h
token_renewable        true
token_policies         ["default"]
identity_policies      []
policies               ["default"]
token_meta_username    smalltown
Authorization
Policies
◉ Vault stores credentials like a key/value database, e.g.
○ secret/stag/database/admin
○ secret/prod/database/admin
◉ Hence a predefined policy grants the appropriate permission on a path, e.g.
path "secret/stag/database/admin" {
  capabilities = ["read"]
}
Practice (1/3)
# enable kv
~$ vault secrets enable -version=2 kv
# put the database credentials into vault
~$ vault kv put kv/stag/database/admin account=stag password=12345678
~$ vault kv put kv/prod/database/admin account=prod password=87654321
Practice (2/3)
# create the policies
~$ vault policy write stag /vault/policy/stag.hcl
~$ vault policy write prod /vault/policy/prod.hcl
# assign a policy
~$ vault write auth/userpass/users/smalltown password=12345678 policies=stag
Practice (3/3)
# log in as the user and use its token
~$ unset VAULT_TOKEN
~$ vault login -method=userpass username=smalltown password=12345678
# try to get the database credentials
~$ vault kv get kv/stag/database/admin
~$ vault kv get kv/prod/database/admin
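An evaluator for the subset of Vault policy HCL used in this chapter, as an added Python example that is not the workshop's own code, showing why `policies=stag` lets smalltown read the stag path but not the prod path. The contents of stag.hcl and prod.hcl are not on the slides, so the policies below are constructed; note that because kv was enabled with -version=2, `vault kv get kv/stag/database/admin` is a read of kv/data/stag/database/admin, and that is the path a policy has to name.

```python
# Added example (not workshop code): evaluate Vault ACL policies the way Vault does for
# the paths in this chapter. Exact path match beats glob matches, the longest glob
# prefix wins among globs, capabilities of several policies are unioned per path, and
# "deny" overrides everything.
import re

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set(capabilities)} for each path block in the policy."""
    rules = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(policies) -> dict:
    """A token carries several policies; Vault unions capabilities per path, and 'deny' wins."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in merged.items()}


def capabilities(policies, request_path: str) -> set:
    """Capabilities a token with these policies has on `request_path`."""
    merged = merge_policies(policies)
    if request_path in merged:
        caps = merged[request_path]
    else:
        globs = [p for p in merged if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return set()           # no rule at all: Vault denies by default
        caps = merged[max(globs, key=len)]
    return set() if "deny" in caps else set(caps)


def can(policies, request_path: str, capability: str) -> bool:
    return capability in capabilities(policies, request_path)


# Constructed stand-ins for the workshop's stag.hcl / prod.hcl, written for the KV v2 data path.
STAG_HCL = 'path "kv/data/stag/database/admin" { capabilities = ["read"] }'
PROD_HCL = 'path "kv/data/prod/database/admin" { capabilities = ["read"] }'
# The slide's example policy: without the data/ prefix it does not match a KV v2 read.
SLIDE_HCL = 'path "secret/stag/database/admin" { capabilities = ["read"] }'


def smalltown_can_read(policy_hcls, path: str) -> bool:
    """Would `vault kv get` (an HTTP GET on kv/data/...) succeed for a token with these policies?"""
    return can([parse_policy(h) for h in policy_hcls], path, "read")
```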
Storage Backend
Practice (1/4)
# exit the vault server container with Ctrl+D
# create the dynamodb table
~$ aws dynamodb create-table --table-name vault-workshop \
    --attribute-definitions AttributeName=Path,AttributeType=S AttributeName=Key,AttributeType=S \
    --key-schema AttributeName=Path,KeyType=HASH AttributeName=Key,KeyType=RANGE \
    --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=10
Practice (2/4)
# migrate storage
~$ ./login_local_vault.sh
~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
~$ vault operator migrate -config /vault/config/migration.hcl
…
2019-05-31T05:37:56.188Z [INFO] copied key: path=sys/token/id/hc99e5ba3d69e7cbaecf0489031eadbf11b55984d698d0f9784e5e1a2825f93fe
2019-05-31T05:37:56.485Z [INFO] copied key: path=sys/token/salt
Success! All of the keys have been migrated.
Practice (3/4)
# modify the config file config/default.hcl: replace the file storage with dynamodb
storage "file" {
  path = "/vault/file"
}
api_addr = "https://vault-workshop.hub.internal"
storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-west-2"
  table      = "vault-workshop"
}
Practice (4/4)
# exit the vault server container with Ctrl+D
# restart the vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.1.2
Cluster Name             vault-cluster-59fe6b22
Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled               true
HA Cluster               https://vault-workshop.hub.internal:444
HA Mode                  active
Audit Devices
Practice
# enable an audit device
~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
~$ vault audit enable file file_path=/vault/logs/audit.log
Success! Enabled the file audit device at: file/
~$ cat /vault/logs/audit.log
{"time":"2019-05-31T06:13:54.1656812Z","type":"response","auth":{"client_token":"hmac-sha256:a5a7726a6e12c568dad5caf12bec4841ca775d28bbd0f7683c09ebb260ae604c","accessor":"hmac-sha256:38c0629c4ecca5961e9954cbafc80cfd009d6c031516fc2f13da54b2eea9e1e0","display_name":"root","policies":["root"],"token_policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"id":"219eb2f0-a0a7-59a0-c2b8-e7eeac31f31c","operation":"update","client_token":"hmac-sha256:a5a7726a6e12c568dad5caf12bec4841ca775d28bbd0f7683c09ebb260ae604c","client_token_accessor":"hmac-sha256:38c0629c4ecca5961e9954cbafc80cfd009d6c031516fc2f13da54b2eea9e1e0","namespace":{"id":"root","path":""},"path":"sys/audit/file","data":{"description":"hmac-sha256:3eaeeda1a043e3504c691abdb19982eac0dc42c6d9d3cffda9e7cceaa7e3a887","local":false,"options":{"file_path":"hmac-sha256:a0a483f16d313b0b882262eea4bb58358ef1323be63b68eb51da01ebf26bdd1a"},"type":"hmac-sha256:b26ec68f8abd74be4fc88990ebba948314f39b1b428091636b1e7fde2c0e9939"},"policy_override":false,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{"headers":null},"error":""}
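A detection-side reader for the file audit device's JSON lines, as an added Python example that is not workshop code. The three entries it parses are constructed in the shape of the entry above (fields trimmed, HMAC values shortened) and are not output from a real Vault; the helper names are assumptions.

```python
# Added example (not workshop code): read the file audit device's JSON lines the way a
# detection pipeline would. Note what the audit device gives you: tokens and secret
# values are HMAC-SHA256 hashed, while identity, path, operation, source address and
# the error text are in the clear, which is what a defender needs.
import json

# Constructed sample entries: root enabling the audit device, then the userpass user
# smalltown reading the stag secret and being refused the prod secret.
SAMPLE_AUDIT_LOG = r'''
{"time":"2019-05-31T06:13:54Z","type":"response","auth":{"client_token":"hmac-sha256:a5a7726a","accessor":"hmac-sha256:38c0629c","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"219eb2f0-a0a7-59a0-c2b8-e7eeac31f31c","operation":"update","path":"sys/audit/file","remote_address":"127.0.0.1"},"response":{"headers":null},"error":""}
{"time":"2019-05-31T06:20:01Z","type":"response","auth":{"client_token":"hmac-sha256:c1d2e3f4","accessor":"hmac-sha256:0a1b2c3d","display_name":"userpass-smalltown","policies":["default","stag"],"token_type":"service"},"request":{"id":"7d0b5b1e-0000-4000-8000-000000000001","operation":"read","path":"kv/data/stag/database/admin","remote_address":"10.0.1.15"},"response":{"data":{"data":{"account":"hmac-sha256:9f8e7d6c","password":"hmac-sha256:5e4d3c2b"}}},"error":""}
{"time":"2019-05-31T06:20:09Z","type":"response","auth":{"client_token":"hmac-sha256:c1d2e3f4","accessor":"hmac-sha256:0a1b2c3d","display_name":"userpass-smalltown","policies":["default","stag"],"token_type":"service"},"request":{"id":"7d0b5b1e-0000-4000-8000-000000000002","operation":"read","path":"kv/data/prod/database/admin","remote_address":"10.0.1.15"},"response":{},"error":"1 error occurred:\n\t* permission denied\n\n"}
'''


def parse_audit_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped, a malformed line raises rather than silently dropping evidence."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tokens_are_hashed(entries) -> bool:
    """Every client_token/accessor should carry the hmac-sha256: prefix; a raw token here is a misconfiguration."""
    for e in entries:
        auth = e.get("auth") or {}
        for key in ("client_token", "accessor"):
            value = auth.get(key)
            if value and not value.startswith("hmac-sha256:"):
                return False
    return True


def denied_requests(entries) -> list:
    """(who, path, from where) for every request Vault refused with 'permission denied'."""
    return [
        (e["auth"].get("display_name"), e["request"]["path"], e["request"].get("remote_address"))
        for e in entries
        if "permission denied" in (e.get("error") or "")
    ]


def root_policy_usage(entries) -> list:
    """Every operation performed with a root-policy token; should be rare once setup is done."""
    return [
        (e["time"], e["request"]["operation"], e["request"]["path"])
        for e in entries
        if "root" in ((e.get("auth") or {}).get("policies") or [])
    ]


def secret_reads_by(entries, display_name: str) -> list:
    """Paths an identity read successfully; compare with denied_requests() to spot probing."""
    return [
        e["request"]["path"]
        for e in entries
        if e["type"] == "response"
        and e["request"]["operation"] == "read"
        and (e.get("auth") or {}).get("display_name") == display_name
        and not (e.get("error") or "")
    ]
```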
Clean up
# exit the vault server container with Ctrl+D
# shut down the vault container
~$ ./stop_local_vault.sh
# delete the kms key
~$ aws kms schedule-key-deletion --key-id xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy
# delete the dynamodb table
~$ aws dynamodb delete-table --table-name vault-workshop
4 Go Production
There Are Things That Need Doing Before Vault Goes Online
High Availability
Banzai Cloud - bank-vaults
◉ Bank-Vaults provides various tools for HashiCorp Vault to make it easier to use
Practice (1/2)
# install the vault cluster
~$ cd vault/CH04
~$ ./setup_vault_cluster.sh
Practice (2/2)
# check the vault cluster
~$ kubectl get pod
NAME                                 READY   STATUS    RESTARTS   AGE
etcd-cluster-vj8r8mwslr              1/1     Running   0          3m8s
etcd-operator-588ccb98fd-twrs4       1/1     Running   0          8m46s
vault-0                              3/3     Running   6          3m42s
vault-1                              3/3     Running   8          3m42s
vault-configurer-759d4679dd-8lsjx    1/1     Running   0          3m42s
vault-operator-b8c5c566c-w59b5       1/1     Running   0          5m52s
What Does bank-vaults Do?
bank-vaults operator (diagram): creates everything needed by Vault, i.e. the bank-vaults CLI container, Vault itself and the prometheus-exporter; the Vault storage backend is created by the etcd operator
bank-vaults CLI:
1. Initializes and unseals Vault automatically
2. Configures policies, secret engines, etc.
How to Monitor Vault
Telemetry
◉ The Vault server process collects various runtime metrics about the performance of different libraries and subsystems.
◉ To view the telemetry information, you must send a signal to the Vault process
◉ It can also be streamed directly from Vault to a range of metrics aggregation solutions
Monitoring Mechanism
StatsD Exporter
- Collects telemetry information
- Exposes it to Prometheus
- Prometheus scrapes the metrics
- Grafana generates the dashboard
Practice (1/5)
# install prometheus
~$ ./setup_prometheus.sh
~$ kubectl create -f vault/servicemonitor.yaml
~$ kubectl get pod -n monitoring
NAME                                   READY   STATUS    RESTARTS   AGE
alertmanager-main-0                    2/2     Running   0          8m42s
alertmanager-main-1                    2/2     Running   0          8m30s
alertmanager-main-2                    2/2     Running   0          8m19s
grafana-74b6b56ddf-5k8mz               1/1     Running   0          8m37s
kube-state-metrics-7c7979b6bc-zwrwz    4/4     Running   0          5m56s
...
Practice (2/5)
# check that prometheus scrapes the vault metrics
~$ ./get_prometheus.sh
Grafana
http://a951eb90e83b511e99a350a7fef3486e-1999986850.us-west-2.elb.amazonaws.com:3000
Prometheus
http://aa1ffcdb183b511e99a350a7fef3486e-1607220011.us-west-2.elb.amazonaws.com:9090
...
Practice (3/5)
◉ Visit Prometheus; the Vault telemetry can then be queried there
Practice (4/5)
◉ Visit Grafana -> Click Import
◉ Paste the JSON from grafana-vault.json
◉ Click Import
Practice (5/5)
Clean up
# Don't forget to remove the resources created in CH04
~$ ./uninstall.sh
All Things Done !!!
Of Course Not!!!
Production Hardening (1/3)
◉ End-to-End TLS (O)
◉ Single Tenancy (X)
◉ Firewall Traffic (X)
◉ Disable SSH / Remote Desktop (X)
◉ Disable Swap (X)
◉ Don't Run as Root (O)
Production Hardening (2/3)
◉ Turn Off Core Dumps (X)
◉ Immutable Upgrades (O)
◉ Avoid Root Tokens (X)
◉ Enable Auditing (O)
◉ Upgrade Frequently (X)
◉ Configure SELinux / AppArmor (X)
Production Hardening (3/3)
◉ Restrict Storage Access (X)
◉ Disable Shell Command History (X)
◉ Tweak ulimits (X)
◉ Docker Containers (X)
Ref
Any questions?
Thanks!
We're Hiring !!!
Software Engineer in Test
Site Reliability Engineer

DevOpsDays Taipei 2017 - Terraform: Everything Is CodeDevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is Codesmalltown
 
COSCUP 2017 - infrastructure As Code
COSCUP 2017 - infrastructure As Code COSCUP 2017 - infrastructure As Code
COSCUP 2017 - infrastructure As Code smalltown
 

Plus de smalltown (20)

Kubernetes Summit 2023: Head First Kubernetes
Kubernetes Summit 2023: Head First Kubernetes Kubernetes Summit 2023: Head First Kubernetes
Kubernetes Summit 2023: Head First Kubernetes
 
SRE Conference 2022 - How to Build a Healthy On-Call Culture
SRE Conference 2022 - How to Build a Healthy On-Call CultureSRE Conference 2022 - How to Build a Healthy On-Call Culture
SRE Conference 2022 - How to Build a Healthy On-Call Culture
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
 
DevOpsDays Taipei 2021 - How FinTech Embrace Change Management
DevOpsDays Taipei 2021 - How FinTech Embrace Change ManagementDevOpsDays Taipei 2021 - How FinTech Embrace Change Management
DevOpsDays Taipei 2021 - How FinTech Embrace Change Management
 
Kubernetes Summit 2020 - DevOps: Where is My PodPod
Kubernetes Summit 2020 - DevOps: Where is My PodPodKubernetes Summit 2020 - DevOps: Where is My PodPod
Kubernetes Summit 2020 - DevOps: Where is My PodPod
 
CDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCCDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaC
 
AWS re:Invent re:Cap 2019: My ElasticSearch Journey on AWS
AWS re:Invent re:Cap 2019: My ElasticSearch Journey on AWSAWS re:Invent re:Cap 2019: My ElasticSearch Journey on AWS
AWS re:Invent re:Cap 2019: My ElasticSearch Journey on AWS
 
Cloud Native User Group: Shift-Left Testing IaC With PaC
Cloud Native User Group: Shift-Left Testing IaC With PaCCloud Native User Group: Shift-Left Testing IaC With PaC
Cloud Native User Group: Shift-Left Testing IaC With PaC
 
DevOpsDays Taipei 2019 - Mastering IaC the DevOps Way
DevOpsDays Taipei 2019 - Mastering IaC the DevOps WayDevOpsDays Taipei 2019 - Mastering IaC the DevOps Way
DevOpsDays Taipei 2019 - Mastering IaC the DevOps Way
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?
 
Cloud Native User Group: Prometheus Day 2
Cloud Native User Group:  Prometheus Day 2Cloud Native User Group:  Prometheus Day 2
Cloud Native User Group: Prometheus Day 2
 
Kubernetes User Group: 維運 Kubernetes 的兩三事
Kubernetes User Group: 維運 Kubernetes 的兩三事Kubernetes User Group: 維運 Kubernetes 的兩三事
Kubernetes User Group: 維運 Kubernetes 的兩三事
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
 
AgileTW Feat. DevOpsTW: 維運 Kubernetes 的兩三事
AgileTW Feat. DevOpsTW: 維運 Kubernetes 的兩三事AgileTW Feat. DevOpsTW: 維運 Kubernetes 的兩三事
AgileTW Feat. DevOpsTW: 維運 Kubernetes 的兩三事
 
Kubernetes Summit 2018 - Kubernetes: Stateless -> Stateful
Kubernetes Summit 2018 - Kubernetes: Stateless -> StatefulKubernetes Summit 2018 - Kubernetes: Stateless -> Stateful
Kubernetes Summit 2018 - Kubernetes: Stateless -> Stateful
 
Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!
Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!
Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!
 
Docker Summit 2016 - Kubernetes: Sweets and Bitters
Docker Summit 2016 - Kubernetes: Sweets and BittersDocker Summit 2016 - Kubernetes: Sweets and Bitters
Docker Summit 2016 - Kubernetes: Sweets and Bitters
 
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is CodeDevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
 
COSCUP 2017 - infrastructure As Code
COSCUP 2017 - infrastructure As Code COSCUP 2017 - infrastructure As Code
COSCUP 2017 - infrastructure As Code
 

Dernier

PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineeringssuserb3a23b
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 

Dernier (20)

PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineering
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 

HashiCorp Vault Workshop:幫 Credentials 找個窩

  • 30. Vault Feature
    ● Web UI/CLI/API/SDK
    ● Centralized secret management
    ● Secure Secret Storage
    ● Dynamic Secrets
    ● Leasing and Renewal
    ● Revocation
  • 31. Access via dynamic secret (diagram): each instance in the CMS cluster asks Vault's dynamic secret endpoint for its own credential (user vault-cms-1 / password dynamic-pw-1 for instance 1, user vault-cms-2 / password dynamic-pw-2 for instance 2), so no two instances share a database login.
  • 33. Basic secret management (diagram): 0. a user creates the credential and stores it in Vault; 1. the application obtains the credential from Vault with an access token or another auth method; 2. the application accesses the database with that credential.
  • 34. Setup Vault on docker-compose
    # Open the Cloud9 IDE and see CH01/commands.txt
    $ docker-compose up -d
    $ export VAULT_ADDR=http://127.0.0.1:8080
    $ export VAULT_TOKEN=my-root-token
    $ vault status
    (A plaintext listener and a fixed root token are workshop conveniences only; CH04 covers TLS and avoiding root tokens.)
  • 35. Manipulate vault kv
    $ vault kv list secret
    $ vault kv put secret/first-secret foo=bar
    $ vault kv list secret
    $ vault kv get secret/first-secret
    $ vault kv put secret/first-secret foo=bar test=true   # writes a new version; the previous one is kept
    $ vault kv metadata get secret/first-secret
    $ vault kv delete secret/first-secret                   # soft-deletes the latest version only
    $ vault kv metadata delete secret/first-secret          # removes all versions and the metadata
  • 36. Vault UI
    ● Cloud9 → Preview → Preview Running Application
  • 41. Dynamic credential lifecycle (sequence diagram): the application requests a dynamic credential; Vault creates a database user with a limited scope and returns the credential; the application accesses the database with it; on graceful shutdown the application revokes the credential, Vault deletes the database user, and the credential no longer exists anywhere.
  • 42. Setup Dynamic Secret
    ● See init.sh
    ● Setup Vault Dynamic Secret
    ● Integrate into our service
  • 43.
    $ vault secrets enable database
  • 44. Supported engines
    ● Database: MySQL, PostgreSQL, MongoDB, etc.
    ● SSH
    ● AWS IAM
    ● Vault docs - secret engine
  • 45.
    $ vault write database/config/my-database \
        plugin_name=mysql-database-plugin \
        connection_url="{{username}}:{{password}}@tcp(mysql_url:3306)/" \
        allowed_roles=my-role \
        username=${MYSQL_ROOT_USERNAME} \
        password=${MYSQL_ROOT_PASSWORD}
    (allowed_roles restricts which roles may use this connection. Once configured, `vault write -f database/rotate-root/my-database` makes Vault rotate the root password so that nothing outside Vault knows it any more.)
  • 46.
    $ vault write database/roles/my-role \
        db_name=my-database \
        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" \
        default_ttl="1h" \
        max_ttl="2h"
  • 47. Issuing a dynamic credential (diagram)
    1. The client requests a credential: $ vault read database/creds/my-role
    2. Vault connects with the root credential (username=${MYSQL_ROOT_USERNAME} password=${MYSQL_ROOT_PASSWORD}) and executes the role's creation statements: CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';
    3. The client receives the generated username and password together with a lease and its TTL.
    4. The client accesses the database with the dynamic credential.
  • 48.
    $ npm install
    $ node index.js
  • 49. index.js, the core of the sample service (imports added here; the workshop file is not shown in full, so the client and driver are assumed to be node-vault and mysql2/promise)
    const vault = require("node-vault")({ endpoint: process.env.VAULT_ADDR, token: process.env.VAULT_TOKEN }); // assumed client
    const mysql = require("mysql2/promise"); // assumed driver
    const credential = await vault.read("database/creds/my-role"); // Vault runs the role's CREATE USER and returns a lease
    const { username: user, password } = credential.data;
    const conn = await mysql.createConnection({ host, port, user, password }); // host and port come from the service config
    try {
      const result = await conn.query("SELECT USER() as user");
    } finally {
      await conn.end();
      await vault.revoke({ lease_id: credential.lease_id }); // revoke even if the query threw, so the MySQL user is dropped now rather than at TTL expiry
    }
  • 50. Revocation
    ● Manually revoke by CLI/API
    ● Automatically revoked when the TTL expires
    $ vault read database/creds/my-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-role/IPUkANwU080vaJwARYm4S8NT
    lease_duration     1h
    lease_renewable    true
    password           A1a-5pV9iwoVWLmvh3Fu
    username           v-token-my-role-wGzYgA6g8DozFW0k
    (Renew before expiry with `vault lease renew <lease_id>`, up to the role's max_ttl; revoke early with `vault lease revoke <lease_id>`.)
  • 52. Auth Methods
    ● Vault token
    ● Kubernetes
    ● AWS IAM
    ● LDAP
    ● … a lot
  • 53. Kubernetes auth (diagram): Deployment A and Deployment B in the Kubernetes cluster each authenticate to Vault with their own service account; Role A maps to Policy A and Role B to Policy B, so each deployment can read only its own credential (Credential 1 and Credential 2). See more: Vault 與 Kubernetes 的深度整合 (Deep integration of Vault and Kubernetes)
  • 55. Put all together
    ● Dynamic Secret
    ● Kubernetes service authentication
    ● Limit permission scope
  • 56. Ideal Credential Lifecycle (diagram): while the application is running it 1. requests an access credential from Vault, 2. uses the credential to access the service, and 3. revokes the credential when done. Credentials only exist in memory.
  • 58. CH03 Daily Operation: overview of how to maintain Vault
  • 59. Master Key
    ◉ When a Vault server is first initialized, Vault generates a master key
    ◉ It immediately splits this master key into a series of key shares following Shamir's Secret Sharing algorithm
  • 60. Encryption Key
    ◉ The master key is used to decrypt the underlying encryption key
    ◉ Vault uses the encryption key to encrypt data at rest in a storage backend like the filesystem or Consul
  • 61. Seal/Unseal
    ◉ Vault never stores the master key; therefore, the only way to retrieve it is to have a quorum of unseal keys regenerate it
  • 62. Practice (1/3)
    # switch to the CH03 folder
    ~$ cd vault/CH03
    # boot the vault server and log in to it
    ~$ ./start_local_vault.sh
    # check vault status
    ~$ vault status
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        false
    Sealed             true
    Total Shares       0
    Threshold          0
    Unseal Progress    0/0
    Unseal Nonce       n/a
    Version            n/a
    HA Enabled         false
  • 63. Practice (2/3)
    # initialize vault
    ~$ vault operator init
    # keep the unseal keys and the root token
    Unseal Key 1: QosKlf+rXJkDLZJX7tgpiKj8zDDNzGHrv4HrV2C9xlxH
    Unseal Key 2: 8dUP2J+1vPQcRM09QdK5Lo83YnHHjDe1nLdfAjESSKfa
    Unseal Key 3: t89QgyeOIC4W/7ZRCcMzrgPBYLhGeVOMtuHVNU2IQ5k2
    Unseal Key 4: KPnn8uvGWu5DOpcuQA1/1DnjGCiakPWdP1ExtAcQm0L7
    Unseal Key 5: LPCOtvaU944O2tbWXoeJGo7SL4d6pc0iFA8vrUv1gHyW
    Initial Root Token: s.96aLKTnD3WRiT0STWeLbLDDI
    (These values belong to the throwaway workshop instance. In a real deployment give each share to a different key holder, e.g. `vault operator init -key-shares=5 -key-threshold=3 -pgp-keys=...` encrypts each share to one holder's public key, and revoke the initial root token once other auth methods work.)
  • 64. Practice (3/3)
    # unseal vault: repeat 3 times, entering a different unseal key each time
    ~$ vault operator unseal
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             true
    Total Shares       5
    Threshold          3
    Unseal Progress    1/3
    Unseal Nonce       a0dfd3da-0fcb-0268-baba-ef4cbe5550bc
    Version            1.1.2
    HA Enabled         false
    # after the third key
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             false
    Total Shares       5
    Threshold          3
    Version            1.1.2
    Cluster Name       vault-cluster-59fe6b22
    Cluster ID         81a9858f-a363-74c7-931b-ec2b0f426e08
    HA Enabled         false
  • 65. Auto-Unseal
    ◉ Supported KMS backends: AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS
  • 66. Practice (1/6)
    # exit the vault server container with Ctrl+D
    # create a kms key
    ~$ aws kms create-key
    {
      "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy",
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy",
        "CreationDate": 1559233248.825,
        ...
  • 67. Practice (2/6)
    ◉ Append a seal config section to config/default.hcl
    …
    seal "awskms" {
      region     = "us-west-2"
      kms_key_id = "xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy"
    }
  • 68. Practice (3/6)
    ◉ Add the AWS AK/SK to the .env file
    VAULT_ADDR=http://127.0.0.1:8200
    AWS_ACCESS_KEY_ID=DFJLSFKJLD8358KJLJK8
    AWS_SECRET_ACCESS_KEY=JioeuJek7+jgJLIUJWTYSfv3rr49JRoqt
    (Static keys in a file are for the workshop. On AWS, give the Vault instance an IAM role whose policy allows only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this one key.)
  • 69. Practice (4/6)
    # restart the vault server
    ~$ ./restart_local_vault.sh
    # check vault status
    ~$ vault status
    Key                          Value
    ---                          -----
    Recovery Seal Type           shamir
    Initialized                  true
    Sealed                       true
    Total Recovery Shares        5
    Threshold                    3
    Unseal Progress              0/3
    Unseal Nonce                 n/a
    Seal Migration in Progress   true
    Version                      1.1.2
    HA Enabled                   false
  • 70. Practice (5/6)
    # seal migration: repeat 3 times with the existing unseal keys
    ~$ vault operator unseal -migrate
    Unseal Key (will be hidden):
    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    5
    Threshold                3
    Version                  1.1.2
    Cluster Name             vault-cluster-59fe6b22
    Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
    HA Enabled               false
    (After the migration the former unseal keys become recovery keys: they no longer unseal Vault, the KMS does that at startup, but they are still required for privileged operations such as generating a new root token, so keep them just as carefully.)
  • 71. Practice (6/6)
    # exit the vault server container with Ctrl+D
    # restart the vault server
    ~$ ./restart_local_vault.sh
    # check vault status: Vault now unseals itself through KMS
    ~$ vault status
    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    5
    Threshold                3
    Version                  1.1.2
    Cluster Name             vault-cluster-59fe6b22
    Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
    HA Enabled               false
  • 73. Practice (1/2)
    # enable the Userpass auth method
    ~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
    ~$ vault auth enable userpass
    Success! Enabled userpass auth method at: userpass/
    ~$ vault write auth/userpass/users/smalltown password=12345678 policies=default
    Success! Data written to: auth/userpass/users/smalltown
  • 74. Practice (2/2)
    # try to log in to vault with the account and password
    ~$ vault login -method=userpass username=smalltown password=12345678
    Key                    Value
    ---                    -----
    token                  s.MXYyp2Q9OB1iVQJlhso3v3an
    token_accessor         hPntyUJor6sMb1Iw3XwbW9qi
    token_duration         768h
    token_renewable        true
    token_policies         ["default"]
    identity_policies      []
    policies               ["default"]
    token_meta_username    smalltown
    (Passing password= on the command line leaves it in the shell history; omit it and let the CLI prompt. 768h is Vault's default maximum TTL; a token for a human should be much shorter.)
  • 76. Policies
    ◉ Vault stores credentials like a key/value database, e.g.
      ○ secret/stag/database/admin
      ○ secret/prod/database/admin
    ◉ Hence a predefined policy grants the appropriate permission on a path, e.g.
      path "secret/stag/database/admin" {
        capabilities = ["read"]
      }
  • 77. Practice (1/3)
    # enable kv (version 2)
    ~$ vault secrets enable -version=2 kv
    # put the database credentials into vault
    ~$ vault kv put kv/stag/database/admin account=stag password=12345678
    ~$ vault kv put kv/prod/database/admin account=prod password=87654321
  • 78. Practice (2/3)
    # create the policies
    ~$ vault policy write stag /vault/policy/stag.hcl
    ~$ vault policy write prod /vault/policy/prod.hcl
    # assign the policy
    ~$ vault write auth/userpass/users/smalltown password=12345678 policies=stag
    (With a version 2 kv mount the API path has a `data/` segment: `vault kv get kv/stag/database/admin` reads kv/data/stag/database/admin, so stag.hcl must grant read on kv/data/stag/* rather than on kv/stag/*.)
  • 79. Practice (3/3)
    # log in as the user and use its token
    ~$ unset VAULT_TOKEN
    ~$ vault login -method=userpass username=smalltown password=12345678
    # try to get the database credentials: the first succeeds, the second is denied by policy
    ~$ vault kv get kv/stag/database/admin
    ~$ vault kv get kv/prod/database/admin
  • 81. Practice (1/4)
    # exit the vault server container with Ctrl+D
    # create the dynamodb table
    ~$ aws dynamodb create-table --table-name vault-workshop \
        --attribute-definitions AttributeName=Path,AttributeType=S AttributeName=Key,AttributeType=S \
        --key-schema AttributeName=Path,KeyType=HASH AttributeName=Key,KeyType=RANGE \
        --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=10
  • 82. Practice (2/4)
    # migrate storage: copies every key from the source backend to the destination; run it while Vault is not serving traffic
    ~$ ./login_local_vault.sh
    ~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
    ~$ vault operator migrate -config /vault/config/migration.hcl
    …
    2019-05-31T05:37:56.188Z [INFO]  copied key: path=sys/token/id/hc99e5ba3d69e7cbaecf0489031eadbf11b55984d698d0f9784e5e1a2825f93fe
    2019-05-31T05:37:56.485Z [INFO]  copied key: path=sys/token/salt
    Success! All of the keys have been migrated.
  • 83. Practice (3/4)
    # modify the config file config/default.hcl: replace the file storage stanza with the dynamodb one
    # before
    storage "file" {
      path = "/vault/file"
    }
    # after
    api_addr = "https://vault-workshop.hub.internal"
    storage "dynamodb" {
      ha_enabled = "true"
      region     = "us-west-2"
      table      = "vault-workshop"
    }
  • 84. Practice (4/4)
    # exit the vault server container with Ctrl+D
    # restart the vault server
    ~$ ./restart_local_vault.sh
    # check vault status
    ~$ vault status
    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    5
    Threshold                3
    Version                  1.1.2
    Cluster Name             vault-cluster-59fe6b22
    Cluster ID               81a9858f-a363-74c7-931b-ec2b0f426e08
    HA Enabled               true
    HA Cluster               https://vault-workshop.hub.internal:444
    HA Mode                  active
  • 86. Practice
    # enable an audit device
    ~$ export VAULT_TOKEN="s.96aLKTnD3WRiT0STWeLbLDDI"
    ~$ vault audit enable file file_path=/vault/logs/audit.log
    Success! Enabled the file audit device at: file/
    ~$ cat /vault/logs/audit.log
    {"time":"2019-05-31T06:13:54.1656812Z","type":"response","auth":{"client_token":"hmac-sha256:a5a7726a6e12c568dad5caf12bec4841ca775d28bbd0f7683c09ebb260ae604c","accessor":"hmac-sha256:38c0629c4ecca5961e9954cbafc80cfd009d6c031516fc2f13da54b2eea9e1e0","display_name":"root","policies":["root"],"token_policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"id":"219eb2f0-a0a7-59a0-c2b8-e7eeac31f31c","operation":"update","client_token":"hmac-sha256:a5a7726a6e12c568dad5caf12bec4841ca775d28bbd0f7683c09ebb260ae604c","client_token_accessor":"hmac-sha256:38c0629c4ecca5961e9954cbafc80cfd009d6c031516fc2f13da54b2eea9e1e0","namespace":{"id":"root","path":""},"path":"sys/audit/file","data":{"description":"hmac-sha256:3eaeeda1a043e3504c691abdb19982eac0dc42c6d9d3cffda9e7cceaa7e3a887","local":false,"options":{"file_path":"hmac-sha256:a0a483f16d313b0b882262eea4bb58358ef1323be63b68eb51da01ebf26bdd1a"},"type":"hmac-sha256:b26ec68f8abd74be4fc88990ebba948314f39b1b428091636b1e7fde2c0e9939"},"policy_override":false,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{"headers":null},"error":""}
    (Tokens, accessors and request/response data are written as HMAC-SHA256 values, not in the clear, so the log can be shipped to a SIEM; `vault write sys/audit-hash/file input=<value>` returns the hash Vault would write for a given value. Once any audit device is enabled, Vault refuses to serve a request it cannot log to at least one device, so give the log file room and monitor it.)
  • 87. Clean
    # exit the vault server container with Ctrl+D
    # shut down the vault container
    ~$ ./stop_local_vault.sh
    # delete the kms key
    ~$ aws kms schedule-key-deletion --key-id xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy
    # delete the dynamodb table
    ~$ aws dynamodb delete-table --table-name vault-workshop
  • 88. CH04 Go Production: there are things to do before Vault goes online
  • 90. Banzai Cloud - bank-vaults
    ◉ Bank-Vaults provides various tools for HashiCorp Vault to make its use easier
  • 91. Practice (1/2)
    # install the vault cluster
    ~$ cd vault/CH04
    ~$ ./setup_vault_cluster.sh
  • 92. Practice (2/2)
    # check the vault cluster
    ~$ kubectl get pod
    NAME                                 READY   STATUS    RESTARTS   AGE
    etcd-cluster-vj8r8mwslr              1/1     Running   0          3m8s
    etcd-operator-588ccb98fd-twrs4       1/1     Running   0          8m46s
    vault-0                              3/3     Running   6          3m42s
    vault-1                              3/3     Running   8          3m42s
    vault-configurer-759d4679dd-8lsjx    1/1     Running   0          3m42s
    vault-operator-b8c5c566c-w59b5       1/1     Running   0          5m52s
  • 93. What does bank-vaults do? (diagram)
    ◉ bank-vaults operator: creates everything Vault needs (the bank-vaults CLI container, Vault itself, the Prometheus exporter); the storage backend is created by the etcd operator
    ◉ bank-vaults CLI: 1. initializes and unseals Vault automatically; 2. configures policies, secret engines, etc.
  • 94. How to Monitor Vault
  • 95. Telemetry
    ◉ The Vault server process collects various runtime metrics about the performance of different libraries and subsystems
    ◉ To view the telemetry information, you must send a signal (SIGUSR1 on Unix) to the Vault process
    ◉ It can also be streamed directly from Vault to a range of metrics aggregation solutions
  • 96. Monitoring Mechanism (diagram)
    - The StatsD exporter collects the telemetry information and exposes it to Prometheus
    - Prometheus scrapes the metrics
    - Grafana generates the dashboard
  • 97. Practice (1/5)
    # install prometheus
    ~$ ./setup_prometheus.sh
    ~$ kubectl create -f vault/servicemonitor.yaml
    ~$ kubectl get pod -n monitoring
    NAME                                   READY   STATUS    RESTARTS   AGE
    alertmanager-main-0                    2/2     Running   0          8m42s
    alertmanager-main-1                    2/2     Running   0          8m30s
    alertmanager-main-2                    2/2     Running   0          8m19s
    grafana-74b6b56ddf-5k8mz               1/1     Running   0          8m37s
    kube-state-metrics-7c7979b6bc-zwrwz    4/4     Running   0          5m56s
    ...
  • 98. Practice (2/5)
    # check that prometheus scrapes the vault metrics
    ~$ ./get_prometheus.sh
    Grafana http://a951eb90e83b511e99a350a7fef3486e-1999986850.us-west-2.elb.amazonaws.com:3000
    Prometheus http://aa1ffcdb183b511e99a350a7fef3486e-1607220011.us-west-2.elb.amazonaws.com:9090
    ...
  • 99. Practice (3/5)
    ◉ Visit Prometheus; the vault telemetry can now be queried
  • 100. Practice (4/5)
    ◉ Visit Grafana → click Import
    ◉ Paste the JSON from grafana-vault.json
    ◉ Click Import
  • 102. Clean
    # Don't forget to remove the resources created in CH04
    ~$ ./uninstall.sh
  • 105. Production Hardening (1/3)
    ◉ End-to-End TLS (O)
    ◉ Single Tenancy (X)
    ◉ Firewall traffic (X)
    ◉ Disable SSH / Remote Desktop (X)
    ◉ Disable Swap (X)
    ◉ Don't Run as Root (O)
  • 106. Production Hardening (2/3)
    ◉ Turn Off Core Dumps (X)
    ◉ Immutable Upgrades (O)
    ◉ Avoid Root Tokens (X)
    ◉ Enable Auditing (O)
    ◉ Upgrade Frequently (X)
    ◉ Configure SELinux / AppArmor (X)
  • 107. Production Hardening (3/3)
    ◉ Restrict Storage Access (X)
    ◉ Disable Shell Command History (X)
    ◉ Tweak ulimits (X)
    ◉ Docker Containers (X)
    Ref