$30 off During Our Annual Pro Sale. View Details »

Vault: Unified Operational Access

Ringo
April 12, 2017

Vault: Unified Operational Access

Overview of the possibilities of Vault for a unified operational access layer

Presentation given at the 1st Belgium Hashicorp User Group

Ringo

April 12, 2017
Tweet

More Decks by Ringo

Other Decks in Technology

Transcript

  1. Vault Ringo De Smet - Skyscrapers 12 April 2017 1st

    Belgian Hashicorp User Group Meetup
  2. What is Vault Vault is a tool for securely accessing

    secrets: • Passwords • API keys • Certificates • ...
  3. Which problems does it solve? • Keeping secrets out of

    source control • Unified management to secrets for the multitude of systems ◦ AWS ◦ Database server ◦ ... • Short lived credentials • Full audit trail of any secret access • Revocation ◦ Per credential ◦ Per user ◦ Per system
  4. What does it offer? HTTP API Secret Backend Auth Backend

    Audit Backend Auth • User/Pass • TLS certs • Okta • RADIUS • GitHub • AWS EC2 • MFA • ... Secret • AWS • MySQL / PostgreSQL • Consul • MongoDB • PKI (Certificates) • RabbitMQ • SSH • ... Audit • File • Syslog • Socket
  5. What does it offer? HTTP API Secret Backend Auth Backend

    Audit Backend ACL Define which auth identity (user or service) may access which secret(s) by way of profiles
  6. DEMO • Getting short lived (aka dynamic) credentials from AWS

    • Getting short lived credentials from PostgreSQL
  7. Actual setup HTTP API Secret: AWS Auth: GitHub Org Audit

    Backend Give Vault just enough rights to create access secrets: • Create an IAM user manually • Assign it a role only allowing it to create IAM users or STS tokens • Configure Vault with a keypair of that user Vault CLI • Give Vault a GitHub API token • Set the GitHub org that has access • Map Github org teams to profiles
  8. But... If a service needs to login to Vault to

    get access to a secret where do I store the Vault credentials?
  9. The solution: the proper Auth backend Remember AWS EC2 instance

    profiles? Vault has a similar Auth backend: AWS-EC2 • Instance identity document: PKCS#7 doc signed by AWS • Public keys published by AWS per region • Vault checks the signature & the current EC2 instance running status • Using tags as roles for authorization purposes