Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deploying Vault by HashiCorp for Secure Cloud D...

Nicki Watt
January 28, 2016
Technology
4
800

Deploying Vault by HashiCorp for Secure Cloud Deployments

Slides to accompany my talk done for HashiCorp Vault webinar on 28/01/2016.

Nicki Watt

January 28, 2016
Tweet

More Decks by Nicki Watt

See All by Nicki Watt
USING GRAPH THEORY & 
NETWORK SCIENCE TO EXPLORE YOUR 
MICROSERVICES ARCHITECTURE
nickithewatt
2
730
Mucon 2019 - Exploring microservice architecture through graph theory
nickithewatt
0
450
Devoxx UK 2019 - Exploring Microservice Boundaries Through Network Science
nickithewatt
0
110
Goto Chicago 2019 - Journeys To Cloud Native Architecture: Sun, Sea And Emergencies
nickithewatt
0
33
Cloud Native London 2018 - Journeys To Cloud Native Architecture: Sun, Sea And Emergencies
nickithewatt
2
95
HashiDays London 2017 - Evolving your Infrastructure with Terraform
nickithewatt
3
990
Microservices Manchester 2016: Security, Microservices & Vault
nickithewatt
4
580
HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools
nickithewatt
3
680
CodeMesh 2015 : Boot my (secure)->(portable) clouds!
nickithewatt
0
290

Other Decks in Technology

See All in Technology
型チェック 速度改善 奮闘記⌛
tocomi
1
150
Engineer Career Talk
lycorp_recruit_jp
0
200
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
7
710
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
230
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.7k
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
140
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
150

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
How to Ace a Technical Interview
jacobian
276
23k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Designing Experiences People Love
moore
138
23k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Using Vault for secure cloud deployments Nicki Watt

    @techiewatt 28/01/2016 1

  2. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2 Agenda • Setting the scene
 • Where

    does Vault fit in? • How is it being used? • Conclusion 


  3. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 3 Setting the scene

  4. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 4 Act 1 : “Take advantage of cloud

    computing”

  5. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 5 Act 2 : “Efficiently (and securely) Take

    advantage of cloud-like computing”

  6. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 6

  7. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 7

  8. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 8 Enable creation of fast, repeatable, secure environments

    capable of running in different clouds!

  9. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 9 Where does Vault fit in?

  10. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  11. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud • Automate everything
 • Separate config

    from code • API driven clouds & tools • Prefer modular, open source tools
 Principles - ASAP

  12. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 12 How is it being used?

  13. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 13 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 1: Securing the automated IaaS

    process

  14. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 14 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  15. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init

  16. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init The cloud-env mgmt App

  17. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init Request new env The cloud-env mgmt

    App

  18. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env The cloud-env mgmt App

  19. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env Spin up new env The cloud-env mgmt App

  20. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env Spin up new env Get IaaS creds, generate OTP & real token The cloud-env mgmt App

  21. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up

    new env Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env

  22. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22 • Centralised secure storage: • cloud &

    other infrastructure provider credentials
 • Option to leverage simplified lifecycle management: • dynamic secret backend
 • Audit-ability Benefits

  23. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 23 • No native terraform integration (yet) •

    Terraform #2221, #4169 • Vault API • Allows for custom integrations where required • Make use of existing AWS policies • Awaiting next release (Vault PR #895)
 Considerations:

  24. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 24 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 2: Securing the automated Config

    management process

  25. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 25 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  26. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 26 —>

  27. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up

    new env Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env

  28. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Spin up new env

    Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env TOKEN: USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

  29. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- TOKEN: USES: 1 REAL TOKEN /cubbyhole cloud provider

    management subnet dev subnet orch-vm /env + gitcred1 = x + gitcred2 = z

  30. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:

    USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

  31. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:

    USES: 0 /cubbyhole REAL TOKEN /env + gitcred1 = x + gitcred2 = z

  32. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  33. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  34. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + gitcred1 = x + gitcred2 =

    z cloud provider management subnet dev subnet orch-vm

  35. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + gitcred1 = x + gitcred2 =

    z cloud provider management subnet dev subnet orch-vm

  36. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  37. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + secret1 = x + secret2 =

    z cloud provider management subnet dev subnet orch-vm

  38. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 38 • Secure bootstrap process: • OTP, real

    token not exposed
 • Eased changing config man tool • Ansible —> Puppet
 • No secrets explicitly stored on disk for puppet usage • https://github.com/jsok/hiera-vault Benefits

  39. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 39 • Mount per env • Currently easiest

    way to delete all secrets until next release (0.5.0) which includes PR #617
 • Puppet Hiera plugin has potential for generating a lot of traffic with Vault • Considering ConsulTemplate Considerations:

  40. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 40 Conclusion

  41. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 41 • Vault fits in well with broader

    principles & aims of overall solution • Vault is a single focused tool - this is good! • Vault is new • we are still experimenting, but happy thus far!


  42. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 42 Thanks Questions