Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale with Spring Claud Vault

Christoph Strobl
June 01, 2017
Programming
0
91

Managing Secrets at Scale with Spring Claud Vault

Share and manage secrets (certificates, passwords, keys) for your applications using Vault and Spring Vault.

Christoph Strobl

June 01, 2017
Tweet

More Decks by Christoph Strobl

See All by Christoph Strobl
MongoDB for Java Developers: The Ultimate Spring Data MongoDB Starter Kit
christophstrobl
1
47
Spring Data Cookbook
christophstrobl
2
400
No Offset - Pagination with the Seek Method
christophstrobl
0
91
Tech Talk - Persistence with Spring Data
christophstrobl
0
190
A Spring Data’s Guide to Persistence
christophstrobl
0
66
What's new in Spring Data MongoDB
christophstrobl
0
140
Spring Data Moore and Beyond
christophstrobl
0
650
What's new in SpringData Moore
christophstrobl
0
140
Simply Reactive - Eventually build a reactive Elasticsearch client (Technologieplauscherl)
christophstrobl
0
160

Other Decks in Programming

See All in Programming
Arm移行タイムアタック
qnighy
0
330
最新TCAキャッチアップ
0si43
0
180
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Macとオーディオ再生 2024/11/02
yusukeito
0
370
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.7k
Outline View in SwiftUI
1024jp
1
330
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
620
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
初めてDefinitelyTypedにPRを出した話
syumai
0
420
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
2k

Featured

See All Featured
For a Future-Friendly Web
brad_frost
175
9.4k
Code Reviewing Like a Champion
maltzj
520
39k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Building Applications with DynamoDB
mza
90
6.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
Teambox: Starting and Learning
jrom
133
8.8k
Thoughts on Productivity
jonyablonski
67
4.3k
Building Adaptive Systems
keathley
38
2.3k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale with Vault Christoph Strobl Pivotal Software, Inc. @stroblchristoph #devone

  2. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 2

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 3 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password Passw0rd !</Resource>

  4. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 4 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password xMH5uM1V9vQzVUv5LG7YLA!== PasswordCipher Static3DES !</Resource>

  5. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Symmetric vs. Asymmetric 5

  6. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 6 https://www.flickr.com/photos/dahlstroms/4188244058

  7. 7 Say, change that Password once again!

  8. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 8

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ •  Secure secret storage •  Sealing •  Revocation •  Leasing and renewal •  Multiple secret backends •  Access control policies •  HTTP endpoint 10

  11. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 11 •  Secret Storage •  Tokens & ACL •  Dynamic Secrets •  Leasing and renewal •  Key Rolling •  Audit Logs •  Hardware Security Modules •  24x7 Support Community Enterprise

  12. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Init Vault 12 $ vault init -key-shares=1 -key-threshold=1 Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244 Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e $ Sealed: true Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ vault status

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Unseal Vault & Auth Client 13 $ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950… vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e Sealed: false Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ Successfully authenticated! token: eb5229d6-9858-d494-a1d7-820cae1ea31e token_duration: 0 token_policies: [root] $

  14. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Write & Read Secrets 14 $ vault write secret/devone value=awesome vault read secret/devone Success! Data written to: secret/devone $ Key Value lease_duration 2592000 value awesome $

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started - HTTP API 15 $ curl –H”X-Vault-Token eb5229d6-9858-d494 :49222/v1/secret/devone { lease_id : null, renewable : false, lease_duration : 2592000, data : { value : awesome }, wrap_info : null, … } $

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Seal Vault 16 $ vault seal vault read secret/devone Vault is now sealed. $ Error reading secret/devone: Error making API request. URL: GET :49222/v1/secret/devone Code: 503. Errors: * Vault is sealed $

  17. 17 How is this any better? What if someone’s got

    your token?

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Use APP ID Auth maybe? 18 18 $ vault auth-enable app-id Successfully enabled 'app-id' at 'app-id'! $ vault write auth/app-id/map/app-id/devone value=admin $ vault write auth/app-id/map/user-id/awesome value=devone& cidr_block=10.0.0.0/16 $

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud In General 19 Service Discovery Circuit Breakers Routing & Messaging Ci Pipelines Tracing API Gateway Configuration

  20. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 20 Configuration Config Server

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 21 Service Discovery Service Reg. Consumer Producer Connect

  22. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud... •  Circuit Breakers withNetflix Hystrix. •  Messaging using RabbitMQ or Apache Kafka. •  Tracing with Spring Cloud Sleuth & Zipkin. •  Spring Cloud Bus •  Spring Cloud Stream (pre. Dataflow) •  Spring Cloud Task •  Spring Cloud AWS •  … and many more! 22

  23. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault 23 Token / Auth

  24. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 24 <dependency> <groupId>org.springframework.cloud!</groupId> <artifactId>spring-cloud-starter-vault-config!</artifactId> !</dependency> src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... Project Setup – Dependencies & Properties

  25. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resolved environment properties $ curl :8080/env | jq { vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, … } $

  26. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Profile support built in $ curl :8080/env | jq { profiles : [test, dev], vault:secret/spring-devone-app/dev : { local : “!!***!!***” }, vault:secret/spring-devone-app/test : { secret-key : “!!***!!***” }, vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, $ mvn -Dspring.profiles.active=test,dev …

  27. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 27

  28. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Different Backends 28 1. Configure 2. Setup 3. Auth 4. Credentials 5. Auth

  29. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault with different Backends 29 29 $ vault mount mysql $ vault write & mysql/config/connection& connection_url=spring:vault@tcp(localhost:3306) $ vault read mysql/creds/readonly Lease_id mysql/creds/eb5229d6-9858 Lease_duration 2592000 Password: a9cbc3e47e4635ff2e8239b Username: token-eb5229d6-9858

  30. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault with different Backends. 30 src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... spring.cloud.vault.mysql.enabled=true spring.cloud.vault.mysql.role=readonly spring.datasource.url=jdbc:mysql:!//localhost:3306

  31. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 31 Spring Framework 5 RC1 Spring Boot 2 M1 Check out the latest releases!