Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (DevoxxPL2017)

Mark Paluch
June 22, 2017
Programming
0
420

Managing Secrets at Scale (DevoxxPL2017)

Slides of the talk I gave at DevoxxPL 2017.

Links:
* Vault: https://vaultproject.io
* Code: https://github.com/spring-cloud/spring-cloud-vault
* Samples: https://github.com/mp911de/spring-cloud-vault-config-samples

Mark Paluch

June 22, 2017
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Data Access with Sping Data
mp911de
1
37
Project Loom: Broadening Concurrency
mp911de
0
150
Full Steam Ahead, R2DBC!
mp911de
2
530
Reactive Relational Database Connectivity 2020
mp911de
3
170
Reactive Relational Database Connectivity
mp911de
3
840
Building Event-Driven Java Applications using Redis Streams
mp911de
1
460
What's New in CDI 2.0 at JUG HH
mp911de
0
300
Reactive Spring Workshop
mp911de
1
1.2k
Under the Hood of Reactive Data Access
mp911de
3
1.8k

Other Decks in Programming

See All in Programming
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
340
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230
Ethereum_.pdf
nekomatu
0
460
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120
Click-free releases & the making of a CLI app
oheyadam
2
120
flutterkaigi_2024.pdf
kyoheig3
0
150
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
200
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
140
Realtime API 入門
riofujimon
0
150

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
The Invisible Side of Design
smashingmag
298
50k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
What's in a price? How to price your products and services
michaelherold
243
12k
Six Lessons from altMBA
skipperchong
27
3.5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
It's Worth the Effort
3n
183
27k
How GitHub (no longer) Works
holman
310
140k

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Managing Secrets at Scale Mark Paluch • Pivotal • @mp911de
  2. None

  3. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 3 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  4. https://www.flickr.com/photos/dahlstroms/4188244058

  5. None

  6. https://www.flickr.com/photos/nateone/5456129071

  7. None
  8. None

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project ! Secure storages ! Sealing/Unsealing ! Multiple authentication mechanisms ! Multiple secret backends ! ACL/policies ! HA ! HTTP API 9

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions 10 Community Enterprise

  11. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  12. HTTP API curl -HX-Vault-Token:… \ https://localhost:8200/v1/secret/devoxx-pl GET /v1/secret/my-spring-boot-app HTTP/1.0 X-Vault-Token:

  13. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends 13

  14. https://www.flickr.com/photos/kristencavanaugh/10710047746

  15. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods ! Token ! Username/password ! LDAP ! GitHub Token
 ! MFA (Duo) ! TLS Certificates ! App ID ! AppRole ! AWS EC2 15

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ X 1 Operator configures AppRole 2 Store RoleId in App configuration 3 Obtain SecretId 4 App start: Vault login with RoleId and SecretId AppRole

  17. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  18. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints ! Use SSL ! Keep unseal keys secret ! Operate in High-Availability setup 18

  20. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Vault Spring Cloud Vault Demo

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources ! Vault: vaultproject.io ! Code: github.com/spring-cloud/spring-cloud-vault ! Samples: github.com/mp911de/spring-cloud-vault-config-samples ! Slides: mp911.de/msas-devoxxpl 20 @mp911de

  22. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz