Deploying Vault by HashiCorp for Secure Cloud Deployments

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Using Vault for secure cloud deployments Nicki Watt
@techiewatt 28/01/2016 1

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2 Agenda • Setting the scene  • Where
does Vault fit in? • How is it being used? • Conclusion  

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 3 Setting the scene

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 4 Act 1 : “Take advantage of cloud
computing”

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 5 Act 2 : “Efficiently (and securely) Take
advantage of cloud-like computing”

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 6

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 7

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 8 Enable creation of fast, repeatable, secure environments
capable of running in diﬀerent clouds!

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 9 Where does Vault ﬁt in?

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud • Automate everything  • Separate config
from code • API driven clouds & tools • Prefer modular, open source tools  Principles - ASAP

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 12 How is it being used?

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 13 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 1: Securing the automated IaaS
process

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init The cloud-env mgmt App

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init Request new env The cloud-env mgmt
App

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env speciﬁc mount, policy & add
secrets Init Request new env The cloud-env mgmt App

secrets Init Request new env Spin up new env The cloud-env mgmt App

secrets Init Request new env Spin up new env Get IaaS creds, generate OTP & real token The cloud-env mgmt App

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up
new env Get IaaS creds, generate OTP & real token Create env speciﬁc mount, policy & add secrets Request new env

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22 • Centralised secure storage: • cloud &
other infrastructure provider credentials  • Option to leverage simplified lifecycle management: • dynamic secret backend  • Audit-ability Benefits

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 23 • No native terraform integration (yet) •
Terraform #2221, #4169 • Vault API • Allows for custom integrations where required • Make use of existing AWS policies • Awaiting next release (Vault PR #895)  Considerations:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 24 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 2: Securing the automated Config
management process

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 26 —>

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up
new env Get IaaS creds, generate OTP & real token Create env speciﬁc mount, policy & add secrets Request new env

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Spin up new env
Get IaaS creds, generate OTP & real token Create env speciﬁc mount, policy & add secrets Request new env TOKEN: USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- TOKEN: USES: 1 REAL TOKEN /cubbyhole cloud provider
management subnet dev subnet orch-vm /env + gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:
USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:
USES: 0 /cubbyhole REAL TOKEN /env + gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env
+ gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + gitcred1 = x + gitcred2 =
z cloud provider management subnet dev subnet orch-vm

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env
+ gitcred1 = x + gitcred2 = z

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + secret1 = x + secret2 =
z cloud provider management subnet dev subnet orch-vm

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 38 • Secure bootstrap process: • OTP, real
token not exposed  • Eased changing config man tool • Ansible —> Puppet  • No secrets explicitly stored on disk for puppet usage • https://github.com/jsok/hiera-vault Benefits

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 39 • Mount per env • Currently easiest
way to delete all secrets until next release (0.5.0) which includes PR #617  • Puppet Hiera plugin has potential for generating a lot of traffic with Vault • Considering ConsulTemplate Considerations:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 40 Conclusion

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 41 • Vault fits in well with broader
principles & aims of overall solution • Vault is a single focused tool - this is good! • Vault is new • we are still experimenting, but happy thus far! 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 42 Thanks Questions

Deploying Vault by HashiCorp for Secure Cloud D...

Deploying Vault by HashiCorp for Secure Cloud Deployments

Nicki Watt

More Decks by Nicki Watt

Other Decks in Technology

Featured

Transcript