Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
High Availability Vault Service on AWS Environment
Search
Gea-Suan Lin
March 17, 2022
Technology
7.3k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
High Availability Vault Service on AWS Environment
Gea-Suan Lin
March 17, 2022
More Decks by Gea-Suan Lin
See All by Gea-Suan Lin
用 AWS CodeDeploy 解決程式佈署
gslin
0
450
MySQL to NoSQL & Search Engine
gslin
0
2.2k
用 Vagrant 與 Docker 拯救世界
gslin
1
310
Startup IT infrastructure: Developing and Working with AWS
gslin
8
3.8k
Talk about Percona XtraDB Cluster
gslin
0
210
API Design Optimized for Mobile Platform
gslin
9
8.8k
Use Facebook::Graph to write desktop application
gslin
2
520
COSCUP 2012 - MySQL System Stability
gslin
17
12k
MySQL System Stability
gslin
4
6k
Other Decks in Technology
See All in Technology
product engineering with qa
nealle
0
140
背中から、背中へ /paying forward to community
naitosatoshi
0
210
水を運ぶ人としてのリーダーシップ
izumii19
4
1.2k
なぜ人は自分のプロジェクトを 「なんちゃってアジャイル」と 自嘲するのか
kozotaira
0
240
AWS Summit Japan 2026の振り返りと2027へ向けて / AWS Summit Japan 2026 Recap and Prospects for 2027
kaminashi
1
180
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
1
810
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
3
2k
クラウドファンディング版StackChan 3体(4体)をインタラクティブな体験型作品にして展示もした話 / スタックチャンお誕生日会2026
you
PRO
0
270
AIに障害切り分けを全部やってもらった。 。 。 。
estie
0
330
cccccc
moznion
0
1.6k
Terraform 101 (初心者向け) 資料
shuadachi
0
160
#エンジニアBooks 30分でわかる 「技術記事を書く技術」 / engineer-books 2026-06-30
jnchito
1
170
Featured
See All Featured
Navigating Team Friction
lara
192
16k
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
1
1.4k
The Mindset for Success: Future Career Progression
greggifford
PRO
0
370
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
Building Adaptive Systems
keathley
44
3.1k
Fireside Chat
paigeccino
42
4k
Automating Front-end Workflow
addyosmani
1370
210k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
It's Worth the Effort
3n
188
29k
Producing Creativity
orderedlist
PRO
348
40k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
170
The Art of Programming - Codeland 2020
erikaheidi
57
14k
Transcript
High Availability Vault Service on AWS Environment Gea-Suan Lin (DK)
Director of SW Platform and Infrastructures
Links • This slide: ◦ https://bit.ly/3igUbgh • AWS Summit Taiwan
2021: ◦ https://aws.amazon.com/tw/events/taiwan/2021summit/ • My wiki: ◦ https://wiki.gslin.org/wiki/Vault/Install (in Chinese)
Explain “Migo” • https://wiki.gslin.org/wiki/Migo
What is HashiCorp Vault? • “Manage secrets and protect sensitive
data” • Usually: ◦ Credentials ◦ Tokens ◦ … • Sometimes: ◦ Endpoint information ◦ …
Why do people need Vault? • Auditing. • Credentials/tokens versioning.
• We don’t want to put credentials into Ansible and/or GitLab…
Today’s objectives • High availability. ◦ But I don’t want
to manage HA by myself.
Technologies • Amazon EC2 (Multi-AZ) ◦ (or container-based services like
ECS/EKS) • Amazon DynamoDB • AWS KMS • AWS ELB • AWS ACM (optional)
Setup DynamoDB • Create a table called vault. ◦ Primary
key as Path. ◦ Sort key as Key.
None
Setup KMS • Create a key with SYMMETRIC_DEFAULT.
None
Setup EC2 • Create two t3a.nano or t4g.nano instances. •
We choose Ubuntu 20.04.
None
Install Vault curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -;
sudo apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main"; sudo apt update && sudo apt install vault
Setup Vault api_addr = "http://10.10.10.10:8200" cluster_addr = "http://10.10.10.10:8201" log_level =
"Info" ui = true listener "tcp" { address = "0.0.0.0:8200" cluster_address = "10.10.10.10:8201" tls_disable = "true" } seal "awskms" { region = "ap-southeast-1" access_key = "x" secret_key = "x" kms_key_id = "x" } storage "dynamodb" { ha_enabled = "true" region = "ap-southeast-1" table = "vault" access_key = "x" secret_key = "x" }
Setup EC2 IAM Role • Create an EC2 role. •
Attach two inline policies. • Attach to EC2 instances.
EC2 IAM Role - Policy-Vault-DynamoDB { "Version": "2012-10-17", "Statement": [
{ "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DescribeTable", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:DescribeTimeToLive", "dynamodb:GetRecords" ], "Resource": [ "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*", "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*", "arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "dynamodb:DescribeReservedCapacityOfferings", "dynamodb:ListTables", "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeLimits" ], "Resource": "*" } ] }
EC2 IAM Role - Policy-Vault-KMS { "Version": "2012-10-17", "Statement": [
{ "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/01234567-89ab-cdef-0123-456789abcdef" } ] }
None
Setup ELB • Choose ALB • /v1/sys/health as health check
path. • Backend in port 8200. • Frontend in port 80. ◦ Recommend to use ACM for HTTPS (port 443).
Start Vault sudo systemctl enable vault; sudo service vault start
Initialization # Remember to write down the root token vault
operator init \ -recovery-shares=1 \ -recovery-threshold=1 \ -address=http://127.0.0.1:8200
Now it’s working • http://vault.example.com/ ◦ https://vault.example.com/ (HTTPS)
Monitoring • Cloudwatch ◦ ELB (ALB) ◦ EC2 ◦ DynamoDB
◦ KMS
That’s it… • Q&A after sessions. • And we’re hiring!