vault - secret and key management

Post on 08-Feb-2017


HashiCorp Vault

Managing Secrets and Passwords

What this Brown Bag is about

Quick intro to HashiCorp Vault

Storing secrets/config with Vault

Integrating systems using Vault

What this Brown Bag is NOT about

Consul Discovery

Using Vault as an oAuth service

Ever had this happen to you?

**** WARNING AWS SECRET FOUND IN REPO ****

**** WARNING CREDENTIALS FOUND! ****

config:
  aws_access_key_id: AHSSKK21342KJ234LJH
  aws_secret_access_key_id: XXXXXXXXXXXXXXX

config:
  jdbc.username: quickadminuser
  jdbc.password: G3tM30u70fH3r3!

Storing credentials in a public repo is risky!

Tip: Never push credentials to GitHub. GitHub uses bots to scan files on public repos to discover keys and secrets!

Vault by HashiCorp

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more.

How many times do you change your password?

Tip: No one is expected to change their password every day, though it is a good idea to change your password regularly.

Agenda

Overview of Vault

Vault Architecture

Vault Data Storage Options

Vault Authentication Options

Policies

Using Vault

Demo

Vault by HashiCorp

● Secret storage

● Key & Password Rotation

● Audit Logs

● Object Storage

Vault Architecture

Vault Architecture

Access Vault with: command line tool

HTTP APIs

$ vault read secret/patient-svc

$ curl -X GET -H "X-Vault-Token: $VAULT_TOKEN" \
    "http://vault:8200/v1/secret/patient-svc"

12 Factor App

Software as a Service

Declarative Format

Minimize Divergence

Scale up without changes

https://12factor.net

Tip: The 12 Factor App methodology separates the application from its environment by keeping environment-specific configuration (such as credentials and connection strings) out of the code, so the same build runs unchanged in every environment.

Vault Storage Options

Consul (HA)

etcd (HA)

ZooKeeper (HA)

DynamoDB (HA)

S3

Google Cloud Storage

Azure

Swift

MySQL

PostgreSQL

InMem

File

Vault Backends (Mounts)

AWS

Cassandra

Consul

Cubbyhole

Generic

MongoDB

MSSQL

MySQL

PKI Certificates

PostgreSQL

RabbitMQ

SSH

Transit

Custom

Vault Authentication

App Id

AppRole

AWS EC2

GitHub

LDAP

● MFA

● TLS Certificates

● Tokens

● Username & Password

AppRole Authentication

Requires a role_id (UUID) and a secret_id (UUID)

Secret is volatile: it lasts for a preconfigured time and number of uses

Application requests a client token using role_id & secret_id

Client token is used to access Vault

AppRole Authentication

Vault Policies

Control who has access to which parts of Vault

Capabilities include:

Create

Read

Update

List

Sudo

Deny

Vault Policies

Create a new consumer (Token)

$ vault policy-write patient-policy @patient-policy.json

$ vault token-create -policy='patient-policy'

Key              Value
---              -----
token            a7c4e3c1-f9b3-71c0-514c-67c469b9bd3f
token_accessor   40d7fcf6-8ff1-c6c4-632f-9916935ba9a3
token_duration   768h0m0s
token_renewable  true
token_policies   [patient-policy default]

Create a new consumer (AppRole)

$ vault write auth/approle/role/cloud-auth-role \
    secret_id_ttl=10m token_ttl=20m token_max_ttl=30m \
    secret_id_num_uses=40 policies=patient-policy

$ vault read auth/approle/role/cloud-auth-role/role_id

Key      Value
---      -----
role_id  d4494db4-4047-90fb-30ec-18a5fa79cc19

Create a new consumer (AppRole)

$ vault write -f auth/approle/role/cloud-auth-role/secret-id

Key                 Value
---                 -----
secret_id           e01b6593-03c4-6023-cec2-24c8f3c0f2d7
secret_id_accessor  cde853e3-f264-816f-479e-a63a15097630

Create a new consumer (AppRole)

$ vault write auth/approle/login \
    role_id=d4494db4-4047-90fb-30ec-18a5fa79cc19 \
    secret_id=e01b6593-03c4-6023-cec2-24c8f3c0f2d7

Key              Value
---              -----
token            50a69d9b-f5ad-21d8-386d-f6fbbbef404d
token_accessor   6a72e1af-15ae-b896-211d-4f218214db20
token_duration   20m0s
token_renewable  true
token_policies   [default patient-policy]
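The AppRole flow described above (a role_id plus a use-limited secret_id exchanged for a client token, which is then presented in the X-Vault-Token header and checked against the token's policies), as an added example that is not part of the deck or of Vault itself. It uses a small offline stand-in for the two Vault API calls; the role_id, secret_id, API paths and secret_id_num_uses=40 are the ones on the slides, while the stand-in server, the contents of patient-policy (assumed to grant only read on secret/patient-svc) and the secret values are constructed.

```python
import uuid
# Role/secret IDs and API paths come from the deck; everything else is constructed.
ROLE_ID = "d4494db4-4047-90fb-30ec-18a5fa79cc19"
SECRET_ID = "e01b6593-03c4-6023-cec2-24c8f3c0f2d7"
SECRET_ID_NUM_USES = 40          # matches secret_id_num_uses=40 on the role
# Assumed contents of patient-policy.json: read-only on a single KV path.
POLICIES = {"default": {}, "patient-policy": {"secret/patient-svc": ["read"]}}
KV_STORE = {"secret/patient-svc": {"jdbc.username": "patient_svc", "jdbc.password": "example-only"}}

class FakeVault:
    """Offline stand-in for the two Vault API calls the AppRole flow needs."""
    def __init__(self):
        self.secret_id_uses = 0
        self.tokens = {}         # client_token -> attached policies

    def request(self, method, path, headers=None, body=None):
        if method == "POST" and path == "/v1/auth/approle/login":
            if body.get("role_id") != ROLE_ID or body.get("secret_id") != SECRET_ID:
                return 400, {"errors": ["invalid role or secret ID"]}
            if self.secret_id_uses >= SECRET_ID_NUM_USES:   # secret_id is use-limited
                return 400, {"errors": ["secret_id uses exhausted"]}
            self.secret_id_uses += 1
            token, policies = str(uuid.uuid4()), ["default", "patient-policy"]
            self.tokens[token] = policies
            return 200, {"auth": {"client_token": token, "policies": policies, "lease_duration": 1200}}
        if method == "GET" and path.startswith("/v1/"):
            policies = self.tokens.get((headers or {}).get("X-Vault-Token"))
            kv_path = path[len("/v1/"):]
            # Deny unless some attached policy grants "read" on exactly this path.
            if policies is None or not any("read" in POLICIES[p].get(kv_path, []) for p in policies):
                return 403, {"errors": ["permission denied"]}
            return 200, {"data": KV_STORE[kv_path], "lease_duration": 2764800}
        return 404, {"errors": ["unsupported path"]}

def approle_login(vault, role_id, secret_id):
    """Exchange role_id + secret_id for a client token (POST auth/approle/login)."""
    status, resp = vault.request("POST", "/v1/auth/approle/login",
                                 body={"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise PermissionError(resp["errors"][0])
    return resp["auth"]["client_token"]

def read_secret(vault, token, kv_path):
    """Read a KV path, presenting the token in the X-Vault-Token header."""
    status, resp = vault.request("GET", "/v1/" + kv_path, headers={"X-Vault-Token": token})
    if status != 200:
        raise PermissionError(resp["errors"][0])
    return resp["data"]
```

Against a real server the same two calls are POST http://vault:8200/v1/auth/approle/login and GET http://vault:8200/v1/secret/patient-svc; the stand-in exists only so the policy and use-count behaviour can be exercised offline.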

Storing data to Vault

$ vault write secret/application name="My Application"

Success! Data written to secret/application

$ vault read secret/application

Key               Value
---               -----
refresh_interval  768h0m0s
name              My Application

Storing data to Vault

$ vault write secret/application @data.json

Success! Data written to secret/application

$ vault read secret/application

Key               Value
---               -----
refresh_interval  768h0m0s
name              My Application
conn_url          tcp(192.168.99.100:3306)

data.json

{
  "name": "My Application",
  "conn_url": "tcp(192.168.99.100:3306)"
}

Setting up MySQL Mount

$ vault mount mysql

$ vault write mysql/config/connection \
    connection_url="user:password@tcp(database:port)/"

$ vault write mysql/roles/patient-svc \
    sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON patient_db.* TO '{{name}}'@'%';"

Configure your application

spring.cloud.vault.mysql:
  enabled: true
  role: patient-svc
  backend: mysql

DEMO

Spring Cloud Vault

Demo

Basic Spring JDBC integration

Request JDBC Username/Password

Return database metadata (database name & version)

Request config data from Vault

Display value

JPA Integration

Persist data to MySQL using:

JPA for persistence

Vault for rotating database credentials

Architecture

Spring Cloud Vault

http://cloud.spring.io/spring-cloud-vault-config/

Currently at 1.0.0.M1

Add-on to the Spring Cloud Suite

Supports configuration and optional database config
