Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale with Spring Claud Vault

Christoph Strobl
June 01, 2017
Programming
0
91

Managing Secrets at Scale with Spring Claud Vault

Share and manage secrets (certificates, passwords, keys) for your applications using Vault and Spring Vault.

Christoph Strobl

June 01, 2017
Tweet

More Decks by Christoph Strobl

See All by Christoph Strobl
MongoDB for Java Developers: The Ultimate Spring Data MongoDB Starter Kit
christophstrobl
1
47
Spring Data Cookbook
christophstrobl
2
390
No Offset - Pagination with the Seek Method
christophstrobl
0
90
Tech Talk - Persistence with Spring Data
christophstrobl
0
190
A Spring Data’s Guide to Persistence
christophstrobl
0
65
What's new in Spring Data MongoDB
christophstrobl
0
140
Spring Data Moore and Beyond
christophstrobl
0
640
What's new in SpringData Moore
christophstrobl
0
140
Simply Reactive - Eventually build a reactive Elasticsearch client (Technologieplauscherl)
christophstrobl
0
160

Other Decks in Programming

See All in Programming
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
CSC509 Lecture 08
javiergs
PRO
0
110
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
5
3.6k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
140
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
210
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
僕がつくった48個のWebサービス達
yusukebe
18
17k
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
360

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Designing for humans not robots
tammielis
249
25k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
Building Your Own Lightsaber
phodgson
102
6k
Speed Design
sergeychernyshev
24
570
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Designing Experiences People Love
moore
138
23k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Music & Morning Musume
bryan
46
6.1k
Making the Leap to Tech Lead
cromwellryan
132
8.9k
Gamification - CAS2011
davidbonilla
80
5k
Art, The Web, and Tiny UX
lynnandtonic
296
20k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale with Vault Christoph Strobl Pivotal Software, Inc. @stroblchristoph #devone

  2. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 2

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 3 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password Passw0rd !</Resource>

  4. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Apache TomEE Encryption to the Rescue 4 <Resource id="MySQL Database" type="DataSource"> JdbcDriver com.mysql.jdbc.Driver JdbcUrl jdbc:mysql:!//localhost/test UserName test Password xMH5uM1V9vQzVUv5LG7YLA!== PasswordCipher Static3DES !</Resource>

  5. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Symmetric vs. Asymmetric 5

  6. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 6 https://www.flickr.com/photos/dahlstroms/4188244058

  7. 7 Say, change that Password once again!

  8. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 8

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ •  Secure secret storage •  Sealing •  Revocation •  Leasing and renewal •  Multiple secret backends •  Access control policies •  HTTP endpoint 10

  11. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 11 •  Secret Storage •  Tokens & ACL •  Dynamic Secrets •  Leasing and renewal •  Key Rolling •  Audit Logs •  Hardware Security Modules •  24x7 Support Community Enterprise

  12. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Init Vault 12 $ vault init -key-shares=1 -key-threshold=1 Key 1: a9cbc3e47e4635ff2e8239bf43397fad3d659500cc7a0d42deea0ffd4d307244 Initial Root Token: eb5229d6-9858-d494-a1d7-820cae1ea31e $ Sealed: true Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ vault status

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Unseal Vault & Auth Client 13 $ vault unseal a9cbc3e47e4635ff2e8239bf43397fad3d65950… vault auth eb5229d6-9858-d494-a1d7-820cae1ea31e Sealed: false Key Shares: 1 Key Threshold: 1 Unseal Progress: 0 $ Successfully authenticated! token: eb5229d6-9858-d494-a1d7-820cae1ea31e token_duration: 0 token_policies: [root] $

  14. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Write & Read Secrets 14 $ vault write secret/devone value=awesome vault read secret/devone Success! Data written to: secret/devone $ Key Value lease_duration 2592000 value awesome $

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started - HTTP API 15 $ curl –H”X-Vault-Token eb5229d6-9858-d494 :49222/v1/secret/devone { lease_id : null, renewable : false, lease_duration : 2592000, data : { value : awesome }, wrap_info : null, … } $

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Getting Started – Seal Vault 16 $ vault seal vault read secret/devone Vault is now sealed. $ Error reading secret/devone: Error making API request. URL: GET :49222/v1/secret/devone Code: 503. Errors: * Vault is sealed $

  17. 17 How is this any better? What if someone’s got

    your token?

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Use APP ID Auth maybe? 18 18 $ vault auth-enable app-id Successfully enabled 'app-id' at 'app-id'! $ vault write auth/app-id/map/app-id/devone value=admin $ vault write auth/app-id/map/user-id/awesome value=devone& cidr_block=10.0.0.0/16 $

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud In General 19 Service Discovery Circuit Breakers Routing & Messaging Ci Pipelines Tracing API Gateway Configuration

  20. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 20 Configuration Config Server

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud 21 Service Discovery Service Reg. Consumer Producer Connect

  22. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud... •  Circuit Breakers withNetflix Hystrix. •  Messaging using RabbitMQ or Apache Kafka. •  Tracing with Spring Cloud Sleuth & Zipkin. •  Spring Cloud Bus •  Spring Cloud Stream (pre. Dataflow) •  Spring Cloud Task •  Spring Cloud AWS •  … and many more! 22

  23. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault 23 Token / Auth

  24. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 24 <dependency> <groupId>org.springframework.cloud!</groupId> <artifactId>spring-cloud-starter-vault-config!</artifactId> !</dependency> src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... Project Setup – Dependencies & Properties

  25. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resolved environment properties $ curl :8080/env | jq { vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, … } $

  26. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Profile support built in $ curl :8080/env | jq { profiles : [test, dev], vault:secret/spring-devone-app/dev : { local : “!!***!!***” }, vault:secret/spring-devone-app/test : { secret-key : “!!***!!***” }, vault:secret/spring-devone-app : { secret-key : “!!***!!***” }, vault:secret/applicaton : { message: “Hello #devone!” }, $ mvn -Dspring.profiles.active=test,dev …

  27. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 27

  28. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Different Backends 28 1. Configure 2. Setup 3. Auth 4. Credentials 5. Auth

  29. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault with different Backends 29 29 $ vault mount mysql $ vault write & mysql/config/connection& connection_url=spring:vault@tcp(localhost:3306) $ vault read mysql/creds/readonly Lease_id mysql/creds/eb5229d6-9858 Lease_duration 2592000 Password: a9cbc3e47e4635ff2e8239b Username: token-eb5229d6-9858

  30. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault with different Backends. 30 src/main/resources/bootstrap.properties spring.application.name=spring-devone-app spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820!!... spring.cloud.vault.mysql.enabled=true spring.cloud.vault.mysql.role=readonly spring.datasource.url=jdbc:mysql:!//localhost:3306

  31. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 31 Spring Framework 5 RC1 Spring Boot 2 M1 Check out the latest releases!