Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (DevoxxPL2017)

Mark Paluch
June 22, 2017
Programming
0
420

Managing Secrets at Scale (DevoxxPL2017)

Slides of the talk I gave at DevoxxPL 2017.

Links:
* Vault: https://vaultproject.io
* Code: https://github.com/spring-cloud/spring-cloud-vault
* Samples: https://github.com/mp911de/spring-cloud-vault-config-samples

Mark Paluch

June 22, 2017
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Data Access with Sping Data
mp911de
1
33
Project Loom: Broadening Concurrency
mp911de
0
150
Full Steam Ahead, R2DBC!
mp911de
2
530
Reactive Relational Database Connectivity 2020
mp911de
3
170
Reactive Relational Database Connectivity
mp911de
3
840
Building Event-Driven Java Applications using Redis Streams
mp911de
1
460
What's New in CDI 2.0 at JUG HH
mp911de
0
290
Reactive Spring Workshop
mp911de
1
1.2k
Under the Hood of Reactive Data Access
mp911de
3
1.8k

Other Decks in Programming

See All in Programming
Realtime API 入門
riofujimon
0
110
Java ジェネリクス入門 2024
nagise
0
600
JaSST 24 九州:ワークショップ(は除く) 実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
260
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
230
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220
EventSourcingの理想と現実
wenas
6
2.1k
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
360
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
僕がつくった48個のWebサービス達
yusukebe
18
17k
約9000個の自動テストの 時間を50分->10分に短縮 Flakyテストを1%以下に抑えた話
hatsu38
23
11k
Tuning GraphQL on Rails
pyama86
2
1k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
Done Done
chrislema
181
16k
GitHub's CSS Performance
jonrohan
1030
460k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Navigating Team Friction
lara
183
14k
Typedesign – Prime Four
hannesfritz
39
2.4k
Making Projects Easy
brettharned
115
5.9k
The Cult of Friendly URLs
andyhume
78
6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale Mark Paluch • Pivotal • @mp911de
  2. None

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 3 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  4. https://www.flickr.com/photos/dahlstroms/4188244058

  5. None

  6. https://www.flickr.com/photos/nateone/5456129071

  7. None
  8. None

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project ! Secure storages ! Sealing/Unsealing ! Multiple authentication mechanisms ! Multiple secret backends ! ACL/policies ! HA ! HTTP API 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions 10 Community Enterprise

  11. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  12. HTTP API curl -HX-Vault-Token:… \ https://localhost:8200/v1/secret/devoxx-pl GET /v1/secret/my-spring-boot-app HTTP/1.0 X-Vault-Token:

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 13

  14. https://www.flickr.com/photos/kristencavanaugh/10710047746

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods ! Token ! Username/password ! LDAP ! GitHub Token
 ! MFA (Duo) ! TLS Certificates ! App ID ! AppRole ! AWS EC2 15

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ X 1 Operator configures AppRole 2 Store RoleId in App configuration 3 Obtain SecretId 4 App start: Vault login with RoleId and SecretId AppRole

  17. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints ! Use SSL ! Keep unseal keys secret ! Operate in High-Availability setup 18

  20. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Vault Spring Cloud Vault Demo

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources ! Vault: vaultproject.io ! Code: github.com/spring-cloud/spring-cloud-vault ! Samples: github.com/mp911de/spring-cloud-vault-config-samples ! Slides: mp911.de/msas-devoxxpl 20 @mp911de

  22. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz