Vault configuration as code via Terraform: stories from trenches
Andrey Devyatkin
Big thanks to DevOpsPro team!
HashiCorp Vault configuration as code via HashiCorp Terraform - stories from trenches
I’m Andrey
● Enjoying life as technology specialist, father and endurance athlete
● 10+ years in the industry
● Writing tools
● Fixing automation, projects and organisations
● Meetups/conferences organizer
● Trainer
● Certified this and that
Why this presentation? What to expect?
● Not pretending to be an expert, just sharing what worked and what didn’t
● Sharing what worked for us and hopefully saving some time for some of you
● A lot of technical details and references
● Slides will be available online - you don’t have to remember/photograph everything
Agenda
● Context
● Deployment
● Configuration
● Integration
● Access control and development workflow
● Unexpected findings
Why Vault?
● Centrally manage secrets to reduce secrets sprawl
● Shift from static secrets to short-lived, dynamically generated ones
● Protect sensitive data across clouds and private datacenters
Where do we start?
Collect requirements and clarify context
Questions to ask - deployment and operations
● Where to deploy? VM? Container? Baremetal?
● Patch or scratch?
● How to access? VPN? Public? Service mesh?
● How to auto-unseal?
● How to get in initial secrets? (Ex. TLS)
● What storage is available?
● Where to stream logs?
● Where to stream telemetry?
● How to extract audit files?
● HA? DR?
● One per env or one for all?
Look for best practices and templates
● Why not make use of https://github.com/hashicorp/terraform-aws-vault, right?
● With some small tweaks
● And a little more tweaks
● And some more tweaks
(TLS certs handling, Consul-less setup, dynamic configuration depending on environment, rolling upgrades via multiple auto scaling configurations, audit files sync, etc.)
Another option - https://github.com/hashicorp/vault-helm
Some inspiration
https://learn.hashicorp.com/vault/operations/ops-reference-architecture
Vault production (min) readiness checklist
● TLS termination
● Vault HA storage - ACL and encryption
● Local storage encryption
● Auto-unseal using KMS
● Stripped down image, infra as code, encryption, minimal exec rights
● No ssh or other kind of remote access, NACL for outgoing traffic
● IDS
● Backups and DR
● Logs and telemetry export from the node
● Audit on, sync audit files to remote storage, integrity check for audit files
● Sync audit files to archive
● Audit files parsing and anomaly detection
● Availability/performance monitoring and alerting
More here https://learn.hashicorp.com/vault/operations/production-hardening
Context - before Vault
● Applications running in containers
● Orchestrated by Kubernetes
● Running in AWS
● Secrets in configmaps/secrets
● Apps require database connection and connection to other cloud services (i.e. database creds and cloud access creds), other static secrets
● Developers pulling secrets from k8s secrets
Deployment
● EC2, classic ELB, auto-scaling group per AZ (for rolling updates)
● Immutable infra
● Initial secrets baked in as an encrypted archive that can be decrypted only with a key accessible to Vault instances
● Behind VPN
● Auto-unseal with KMS
● HA storage in DynamoDB with point in time restore
● Logs in CloudWatch
● Telemetry in Prometheus
It would be a good idea to split the deployment Terraform spec and the configuration Terraform spec
Vault is up and running. What is next?
To start configuring Vault via Terraform we need...
● Vault URL configured as VAULT_ADDR env variable
● Vault token (root token will do for the start, but revoke it afterwards together with the rest of the root tokens)
● A good idea of what you are after…
More here https://www.youtube.com/watch?v=fOybhcbuxJ0 and here https://www.terraform.io/docs/providers/vault/index.html
One slide Vault intro (diagram)
Auth methods (LDAP, k8s, AppRole, AWS, ...) -> Vault token with Vault policies -> Secret engines
Secret engines and what they hand out: AWS -> AWS access keys; Database -> database login credentials; RabbitMQ -> RabbitMQ login credentials; PKI -> certificates; KV -> secret value; Transit -> encrypted data
Other diagram elements: Lease, Audit device
More here https://www.youtube.com/watch?v=VYfl-DpZ5wM
Be aware of TTL and Max TTL
Auth methods and policies
Boring but very important
You probably need more than one...
● Humans - operators and developers
● Machines - CI/CD, bots, etc
● Things - Apps, Infra etc
A good idea is to use MFA for humans, limit from where auth methods could be invoked
Auth -> Role -> Token with policy
Ex.
LDAP -> LDAP Group -> Token with policy
LDAP
● Leverages existing IAM setup
● Delegates credentials validation
● Used by humans
● Would be a good idea to simplify login procedure for your users
More here https://www.vaultproject.io/docs/auth/ldap.html
LDAP
resource "vault_ldap_auth_backend" "ldap" {
  path        = "ldap"
  url         = "ldaps://dc-01.example.org"
  userdn      = "OU=Users,OU=Accounts,DC=example,DC=org"
  userattr    = "sAMAccountName"
  upndomain   = "EXAMPLE.ORG"
  binddn      = "${var.binddn}"
  bindpass    = "${var.bindpass}"
  discoverdn  = false
  groupdn     = "OU=Groups,DC=example,DC=org"
  # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested AD group membership
  groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
}
https://www.terraform.io/docs/providers/vault/r/ldap_auth_backend.html
Things to consider
● token_no_default_policy
● token_bound_cidrs
● token_ttl
● token_max_ttl
LDAP role (backend group actually)
resource "vault_ldap_auth_backend_group" "group" {
  groupname = "dba"
  policies  = ["dba"]
  backend   = "${vault_ldap_auth_backend.ldap.path}"
}
https://www.terraform.io/docs/providers/vault/r/ldap_auth_backend_group.html
Policy
data "vault_policy_document" "example" {
  rule {
    path         = "secret/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "allow all on secrets"
  }
}
resource "vault_policy" "example" {
  name   = "example_policy"
  policy = "${data.vault_policy_document.example.hcl}"
}
https://www.terraform.io/docs/providers/vault/d/policy_document.html
Policy
● You will need a policy to manage policy...
● Deny by default
● Does not have to match the LDAP group name, but easier for users if it does
● Member of multiple groups gets multiple policies
More here https://learn.hashicorp.com/vault/getting-started/policies
AppRole if you really have to...
● If you don’t have a better way
● Mostly used for CI
● Initial secret issue
● No good way to audit access
More here https://www.vaultproject.io/docs/auth/approle.html
AppRole
resource "vault_auth_backend" "approle" {
  type = "approle"
}
resource "vault_approle_auth_backend_role" "example" {
  backend        = vault_auth_backend.approle.path
  role_name      = "test-role"
  token_policies = ["default", "dev", "prod"]
}
https://www.terraform.io/docs/providers/vault/r/approle_auth_backend_role.html
AppRole
resource "vault_approle_auth_backend_role_secret_id" "secret" {
  backend   = "approle"
  role_name = "${vault_approle_auth_backend_role.example.role_name}"
}
locals {
  kv = {
    role_id   = "${vault_approle_auth_backend_role.example.role_id}"
    secret_id = "${vault_approle_auth_backend_role_secret_id.secret.secret_id}"
  }
}
resource "vault_generic_secret" "kv" {
  path      = "${vault_mount.kv.path}/approle"
  data_json = "${jsonencode(local.kv)}"
}
Cloud IAM, K8S, etc
● Better way for non-interactive auth
● Leverages existing entities
● Delegates entity validation
AWS IAM
resource "vault_auth_backend" "aws" {
  description = "Auth method for CI engines"
  type        = "aws"
}
resource "vault_aws_auth_backend_role" "ci_builder" {
  backend                  = "${vault_auth_backend.aws.path}"
  role                     = "ci-builder"
  auth_type                = "iam"
  bound_iam_principal_arns = ["${data.aws_iam_role.ci_builder.arn}"]
  token_ttl                = 3600
  token_max_ttl            = 3600
  token_policies           = ["${vault_policy.ci_builder.name}"]
}
https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html
AWS IAM
resource "aws_iam_user" "ci_builder" {
  name = "${module.iam_auth_for_ci_user_name.qualified_name}"
  tags = "${module.tags.default}"
}
resource "aws_iam_access_key" "ci_builder" {
  user = "${aws_iam_user.ci_builder.name}"
}
resource "aws_iam_user_policy" "ci_builder" {
  name   = "Allow-Vault-to-look-up-users-for-iam-auth"
  user   = "${aws_iam_user.ci_builder.name}"
  policy = "${data.aws_iam_policy_document.iam_auth_for_ci.json}"
}
AWS IAM
# https://www.vaultproject.io/docs/secrets/aws/index.html#example-iam-policy-for-vault
data "aws_iam_policy_document" "iam_auth_for_ci" {
  statement {
    effect    = "Allow"
    actions   = ["iam:GetUser", "iam:GetRole"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.i.account_id}:*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.i.account_id}:role/vault-cluster*"]
  }
}
AWS IAM
resource "vault_aws_auth_backend_client" "ci_builder" {
  backend    = "${vault_auth_backend.aws.path}"
  access_key = "${aws_iam_access_key.ci_builder.id}"
  secret_key = "${aws_iam_access_key.ci_builder.secret}"
}
K8S
resource "kubernetes_service_account" "vault_auth" {
  metadata {
    name      = "vault-auth"
    namespace = "${var.k8s_namespace}"
  }
  automount_service_account_token = "true"
}
data "kubernetes_secret" "sa" {
  depends_on = ["kubernetes_service_account.vault_auth"]
  metadata {
    name      = "${kubernetes_service_account.vault_auth.default_secret_name}"
    namespace = "${var.k8s_namespace}"
  }
}
K8S
resource "kubernetes_cluster_role_binding" "vault_auth" {
  metadata {
    name = "role-tokenreview-binding"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:auth-delegator"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "${kubernetes_service_account.vault_auth.metadata.name}"
    namespace = "${var.k8s_namespace}"
    api_group = ""
  }
}
K8S
resource "vault_kubernetes_auth_backend_config" "config" {
  backend            = "${vault_auth_backend.kubernetes.path}"
  kubernetes_host    = "${var.k8s_api}"
  kubernetes_ca_cert = "${data.kubernetes_secret.sa.data["ca.crt"]}"
  token_reviewer_jwt = "${data.kubernetes_secret.sa.data["token"]}"
}
resource "vault_kubernetes_auth_backend_role" "role" {
  backend                          = "kubernetes"
  role_name                        = "${var.app_name}"
  bound_service_account_names      = ["${kubernetes_service_account.app.metadata.0.name}"]
  bound_service_account_namespaces = ["${var.k8s_namespace}"]
  token_ttl                        = "${var.ttl}"
  token_policies                   = ["${vault_policy.read-psql.name}", "${vault_policy.read-aws.name}"]
}
K8S
Here are more details if you are interested
https://www.youtube.com/watch?v=t6ZKhY0-_cA
I got a token. What is next?
KV
AWS SSM Parameter Store -> KV for humans
Configmaps/Secrets -> KV for Apps
KV
Human-initiated secret storage for static secrets
and
Machine-readable storage for static secrets
AWS
resource "aws_iam_user" "user" {
  name = "vault-aws-admin"
  tags = "${module.tags.default}"
}
resource "aws_iam_access_key" "key" {
  user = "${aws_iam_user.user.name}"
}
resource "aws_iam_user_policy" "policy" {
  name   = "Allow-Vault-to-create-temp-users"
  user   = "${aws_iam_user.user.name}"
  policy = "${data.aws_iam_policy_document.document.json}"
}
AWS
https://www.vaultproject.io/docs/secrets/aws/index.html#example-iam-policy-for-vault
IAM actions the Vault user needs:
"iam:AttachUserPolicy"
"iam:CreateAccessKey"
"iam:CreateUser"
"iam:DeleteAccessKey"
"iam:DeleteUser"
"iam:DeleteUserPolicy"
"iam:DetachUserPolicy"
"iam:ListAccessKeys"
"iam:ListAttachedUserPolicies"
"iam:ListGroupsForUser"
"iam:ListUserPolicies"
"iam:PutUserPolicy"
"iam:RemoveUserFromGroup"
AWS
resource "vault_aws_secret_backend" "aws" {
  description               = "AWS secret engine so operators can get temporary keys"
  path                      = "aws"
  region                    = "${data.aws_region.r.name}"
  access_key                = "${aws_iam_access_key.key.id}"
  secret_key                = "${aws_iam_access_key.key.secret}"
  default_lease_ttl_seconds = "28800"
  max_lease_ttl_seconds     = "86400"
}
AWS
resource "aws_iam_role" "admin" {
  name                 = "admin"
  max_session_duration = "28800"
  assume_role_policy   = "${data.aws_iam_policy_document.trust.json}"
  tags                 = "${module.tags.default}"
}
resource "vault_aws_secret_backend_role" "access-aws-admin-role" {
  backend         = "${vault_aws_secret_backend.aws.path}"
  name            = "access-aws-admin-role"
  role_arns       = ["${aws_iam_role.admin.arn}"]
  credential_type = "assumed_role"
}
AWS
# https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
data "aws_iam_policy" "admin" {
  arn = "arn:aws:iam::aws:policy/SystemAdministrator"
}
resource "aws_iam_role_policy_attachment" "admin" {
  role       = "${aws_iam_role.admin.name}"
  policy_arn = "${data.aws_iam_policy.admin.arn}"
}
AWS
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["${aws_iam_user.user.arn}"]
    }
  }
}
AWS
Works in the same way for apps and humans!
AWS
Use temporary AWS creds to generate a sign-in AWS console URL! No SSO needed!
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
For more inspiration https://youtu.be/Y0er4UCmqiA
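The console sign-in trick above, as an added example (not code from the slides): it takes the output of `vault read -format=json aws/creds/access-aws-admin-role` (the assumed_role backend role from the earlier slide, whose data block carries access_key, secret_key and security_token), exchanges the credentials for a SigninToken at the AWS federation endpoint and builds the login URL. The sample Vault response is constructed with placeholder values; only get_signin_token() needs network access.

```python
"""Turn Vault-issued temporary AWS credentials into an AWS console sign-in URL."""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def session_from_vault(vault_read_json):
    """Map a `vault read -format=json aws/creds/<role>` response onto the
    sessionId/sessionKey/sessionToken names the federation endpoint expects."""
    data = json.loads(vault_read_json)["data"]
    return {
        "sessionId": data["access_key"],
        "sessionKey": data["secret_key"],
        "sessionToken": data["security_token"],
    }


def signin_token_request_url(session):
    """URL for Action=getSigninToken. SessionDuration is deliberately omitted:
    AWS only honours it for GetFederationToken credentials, and the assumed_role
    credentials Vault issues here are rejected when it is present. The console
    session therefore lasts as long as the STS credentials behind it."""
    query = urllib.parse.urlencode({
        "Action": "getSigninToken",
        "Session": json.dumps(session),
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def get_signin_token(session):
    """Exchange the temporary credentials for a short-lived SigninToken (network call)."""
    with urllib.request.urlopen(signin_token_request_url(session), timeout=10) as resp:
        return json.load(resp)["SigninToken"]


def console_login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Final Action=login URL the operator opens in a browser. Issuer is shown to
    the user as the origin of the federated session; Destination is the console
    page to land on."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


# Constructed sample of what `vault read -format=json aws/creds/access-aws-admin-role`
# returns; the key values are placeholders, not real credentials. STS credentials
# cannot be renewed, which is why the lease is reported as not renewable.
SAMPLE_VAULT_READ = json.dumps({
    "lease_id": "aws/creds/access-aws-admin-role/EXAMPLE-LEASE-ID",
    "lease_duration": 28800,
    "renewable": False,
    "data": {
        "access_key": "ASIAEXAMPLEACCESSKEY",
        "secret_key": "EXAMPLE/SECRET/KEY",
        "security_token": "EXAMPLE.SESSION.TOKEN",
    },
})

if __name__ == "__main__":
    session = session_from_vault(SAMPLE_VAULT_READ)
    token = get_signin_token(session)  # needs network access and real credentials
    print(console_login_url(token, issuer="vault.example.org"))
```

Because the sign-in URL embeds the SigninToken, treat it like the credentials themselves: hand it to the operator over the same channel you would use for the Vault token, and rely on the short lease TTL rather than on the URL staying private.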
Database creds
● Creation and revocation statements are hard
● Use RDS IAM auth if possible
Secrets rotation
DB_SECRET_ENGINE_MOUNTS=$(vault secrets list -format=json | jq -r '. | to_entries[] | select(.value.type | startswith("database")) | .key')
for DB_SECRET_ENGINE_MOUNT in ${DB_SECRET_ENGINE_MOUNTS}; do
  DB_CONNECTION_NAMES=$(vault list -format=json ${DB_SECRET_ENGINE_MOUNT}config | jq --raw-output '.[]')
  for DB_CONNECTION_NAME in ${DB_CONNECTION_NAMES}; do
    vault write -force ${DB_SECRET_ENGINE_MOUNT}rotate-root/${DB_CONNECTION_NAME}
  done
done
Secrets rotation
AWS_USERS=$(aws iam list-users --query "Users[?starts_with(UserName, 'vault-aws-')].UserName" --output text)
for AWS_USER in ${AWS_USERS}; do
  KEYS_ID=$(aws iam list-access-keys --user-name ${AWS_USER} --query "AccessKeyMetadata[*].AccessKeyId" --output text)
  for KEY_ID in ${KEYS_ID}; do
    aws iam delete-access-key --access-key-id ${KEY_ID} --user-name ${AWS_USER}
  done
done
terraform apply
Note! Keys are still in Terraform state - encrypt state storage and state itself!
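To make the note above checkable, here is an added example (not from the slides) that scans a Terraform state file for aws_iam_access_key resources and reports which plaintext secret attributes each one carries, so you can confirm what the state backend must protect and what to rotate. It understands state format version 3 (Terraform 0.11, the syntax used on the slides) and version 4 (Terraform 0.12+); the sample states are constructed with placeholder values.

```python
"""Report IAM access keys that live in plaintext inside a Terraform state file."""
import json

# Attributes of aws_iam_access_key that carry secret material.
SENSITIVE_ATTRS = ("secret", "encrypted_secret", "ses_smtp_password_v4")


def _v3_resources(state):
    """Yield (address, type, attributes) from a version 3 state (Terraform 0.11)."""
    for module in state.get("modules", []):
        path = module.get("path", ["root"])
        prefix = "" if path == ["root"] else ".".join(f"module.{p}" for p in path[1:]) + "."
        for addr, res in module.get("resources", {}).items():
            attrs = res.get("primary", {}).get("attributes", {})
            yield prefix + addr, res.get("type"), attrs


def _v4_resources(state):
    """Yield (address, type, attributes) from a version 4 state (Terraform 0.12+)."""
    for res in state.get("resources", []):
        prefix = f"{res['module']}." if res.get("module") else ""
        for inst in res.get("instances", []):
            idx = inst.get("index_key")
            suffix = f"[{json.dumps(idx)}]" if idx is not None else ""
            yield f"{prefix}{res['type']}.{res['name']}{suffix}", res["type"], inst.get("attributes", {})


def find_access_keys(state_json):
    """Return one finding per aws_iam_access_key instance in the state."""
    state = json.loads(state_json)
    version = state.get("version")
    if version == 3:
        resources = _v3_resources(state)
    elif version == 4:
        resources = _v4_resources(state)
    else:
        raise ValueError(f"unsupported state format version {version!r}")
    findings = []
    for addr, rtype, attrs in resources:
        if rtype != "aws_iam_access_key":
            continue
        findings.append({
            "address": addr,
            "user": attrs.get("user"),
            "access_key_id": attrs.get("id"),
            # Attribute names only; the secret values are never copied out.
            "sensitive_attrs": [k for k in SENSITIVE_ATTRS if attrs.get(k)],
        })
    return findings


def report(findings):
    """Human-readable summary, one line per key."""
    if not findings:
        return "no IAM access keys in state"
    return "\n".join(
        f"{f['address']}: key {f['access_key_id']} for user {f['user']} "
        f"(plaintext attributes: {', '.join(f['sensitive_attrs']) or 'none'})"
        for f in findings
    )


# Constructed sample of a Terraform 0.12 state; every value is a placeholder.
SAMPLE_STATE_V4 = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_user", "name": "user",
         "instances": [{"attributes": {"name": "vault-aws-admin"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "key",
         "instances": [{"attributes": {"id": "AKIAEXAMPLEVAULTADMIN", "user": "vault-aws-admin",
                                       "secret": "EXAMPLE-SECRET-PLACEHOLDER", "encrypted_secret": ""}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci_builder", "module": "module.ci",
         "instances": [{"index_key": 0, "attributes": {"id": "AKIAEXAMPLECIBUILDER", "user": "ci-builder",
                                                        "secret": "EXAMPLE-CI-SECRET-PLACEHOLDER"}}]},
    ],
})

# Constructed sample of a Terraform 0.11 (format version 3) state.
SAMPLE_STATE_V3 = json.dumps({
    "version": 3,
    "modules": [{"path": ["root"], "resources": {
        "aws_iam_access_key.key": {"type": "aws_iam_access_key", "primary": {"attributes": {
            "id": "AKIAEXAMPLEVAULTADMIN", "user": "vault-aws-admin", "secret": "EXAMPLE-SECRET-PLACEHOLDER"}}},
    }}],
})

if __name__ == "__main__":
    print(report(find_access_keys(SAMPLE_STATE_V4)))
```

Run it against `terraform state pull` output after the rotation above: every key it lists exists in plaintext wherever that state file is stored or copied.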
Unexpected findings
KV state issue
● Terraform provider for Vault in some cases(?) does not re-read KV and newly added values are not readable/found
● terraform state rm data-source
data "vault_generic_secret" "rundeck_auth" {
  path = "secret/rundeck_auth"
}
provider "rundeck" {
  url        = "http://rundeck.example.com/"
  auth_token = "${data.vault_generic_secret.rundeck_auth.data["auth_token"]}"
}
Vault and Terraform do not always play together
resource "vault_database_secret_backend_connection" "postgres" {
  count         = "${var.enable_postgresql}"
  backend       = "${vault_mount.db.path}"
  name          = "${var.postgresql_db_name}"
  allowed_roles = ["${var.postgresql_role_name}", "${local.read_only_role_name}", "${local.admin_role_name}"]
  data = {
    username = "${var.postgresql_db_username}"
    password = "${var.postgresql_db_username_password}"
  }
  postgresql {
    connection_url       = "postgres://{{username}}:{{password}}@${var.postgresql_db_endpoint}:${var.postgresql_db_port}/${var.postgresql_db_name}"
    max_open_connections = "${var.postgresql_max_open_connections}"
  }
  lifecycle {
    ignore_changes = ["data.password"]
  }
}
Vault and Terraform do not always play together
resource "aws_iam_access_key" "key" {
  user = "${aws_iam_user.user.name}"
}
resource "aws_iam_user_policy" "policy" {
  name   = "Allow-Vault-to-create-temp-users"
  user   = "${aws_iam_user.user.name}"
  policy = "${data.aws_iam_policy_document.document.json}"
}
resource "vault_aws_secret_backend" "aws" {
  description               = "AWS secret engine for operators to get temporary keys"
  path                      = "humans-aws"
  region                    = "${data.aws_region.r.name}"
  access_key                = "${aws_iam_access_key.key.id}"
  secret_key                = "${aws_iam_access_key.key.secret}"
  default_lease_ttl_seconds = "28800"
  max_lease_ttl_seconds     = "86400"
}
Some misconceptions
data "vault_generic_secret" "db_creds" {
  path       = "${module.vault_config.database_path}/creds/${var.db_role_name}"
  depends_on = ["module.vault_config"]
}
locals {
  db_username = "${data.vault_generic_secret.db_creds.data["username"]}"
  db_password = "${data.vault_generic_secret.db_creds.data["password"]}"
}
locals {
  psql_url = "postgres://${local.db_username}:${local.db_password}@${module.db.connection_string}?sslmode=require"
}
resource "vault_generic_secret" "config" {
  path      = "${module.vault_config.kv_path}/config"
  data_json = <<EOF
{
  "Psql_url": "${local.psql_url}"
}
EOF
}
What should I do with Lambdas?
PSQL creds revocation
Thanks!
Questions?
@andrey9kin
info@andreydevyatkin.com
https://www.linkedin.com/in/andreydevyatkin/
The state of Jenkins pipelines or do I still need freestyle jobs
Andrey Devyatkin
 
Running jenkins in a public cloud - common issues and some solutions
Running jenkins in a public cloud - common issues and some solutionsRunning jenkins in a public cloud - common issues and some solutions
Running jenkins in a public cloud - common issues and some solutions
Andrey Devyatkin
 
Stockholm JAM September 2018
Stockholm JAM September 2018Stockholm JAM September 2018
Stockholm JAM September 2018
Andrey Devyatkin
 
Getting Git Right @ Git Merge 2018
Getting Git Right @ Git Merge 2018Getting Git Right @ Git Merge 2018
Getting Git Right @ Git Merge 2018
Andrey Devyatkin
 
Stockholm Jenkins Area Meetup, March 2017
Stockholm Jenkins Area Meetup, March 2017Stockholm Jenkins Area Meetup, March 2017
Stockholm Jenkins Area Meetup, March 2017
Andrey Devyatkin
 
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Andrey Devyatkin
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
Andrey Devyatkin
 
2023-11-23-AWS-UG-Las-Palmas-Increase-your-security-posture-with-temporary-el...
2023-11-23-AWS-UG-Las-Palmas-Increase-your-security-posture-with-temporary-el...2023-11-23-AWS-UG-Las-Palmas-Increase-your-security-posture-with-temporary-el...
2023-11-23-AWS-UG-Las-Palmas-Increase-your-security-posture-with-temporary-el...
Andrey Devyatkin
 
2023-09-28-AWS Las Palmas UG - Dynamic Anti-Frigile Systems.pdf
2023-09-28-AWS Las Palmas UG - Dynamic Anti-Frigile Systems.pdf2023-09-28-AWS Las Palmas UG - Dynamic Anti-Frigile Systems.pdf
2023-09-28-AWS Las Palmas UG - Dynamic Anti-Frigile Systems.pdf
Andrey Devyatkin
 
2023-05-24 - Three problems of Terraform DevOps Pro EU.pdf
2023-05-24 - Three problems of Terraform DevOps Pro EU.pdf2023-05-24 - Three problems of Terraform DevOps Pro EU.pdf
2023-05-24 - Three problems of Terraform DevOps Pro EU.pdf
Andrey Devyatkin
 
2019 03-21 - cloud native computing las palmas meetup #1
2019 03-21 - cloud native computing las palmas meetup #12019 03-21 - cloud native computing las palmas meetup #1
2019 03-21 - cloud native computing las palmas meetup #1
Andrey Devyatkin
 
Cloud Native Computing Las Palmas. Meetup #0
Cloud Native Computing Las Palmas. Meetup #0Cloud Native Computing Las Palmas. Meetup #0
Cloud Native Computing Las Palmas. Meetup #0
Andrey Devyatkin
 
The state of Jenkins pipelines or do I still need freestyle jobs
The state of Jenkins pipelines or do I still need freestyle jobsThe state of Jenkins pipelines or do I still need freestyle jobs
The state of Jenkins pipelines or do I still need freestyle jobs
Andrey Devyatkin
 
Running jenkins in a public cloud - common issues and some solutions
Running jenkins in a public cloud - common issues and some solutionsRunning jenkins in a public cloud - common issues and some solutions
Running jenkins in a public cloud - common issues and some solutions
Andrey Devyatkin
 
Stockholm JAM September 2018
Stockholm JAM September 2018Stockholm JAM September 2018
Stockholm JAM September 2018
Andrey Devyatkin
 
Getting Git Right @ Git Merge 2018
Getting Git Right @ Git Merge 2018Getting Git Right @ Git Merge 2018
Getting Git Right @ Git Merge 2018
Andrey Devyatkin
 
Stockholm Jenkins Area Meetup, March 2017
Stockholm Jenkins Area Meetup, March 2017Stockholm Jenkins Area Meetup, March 2017
Stockholm Jenkins Area Meetup, March 2017
Andrey Devyatkin
 
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Synchronizing parallel delivery flows in jenkins using groovy, build flow and...
Andrey Devyatkin
 
Ad

Recently uploaded (20)

Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 

HashiCorp Vault configuration as code via HashiCorp Terraform- stories from trenches

  • 10. Look for best practices and templates
  ● Why not make use of https://github.com/hashicorp/terraform-aws-vault, right?
  ● With some small tweaks
  ● And a few more tweaks
  ● And some more tweaks (TLS certs handling, consul-less, dynamic configuration depending on environment, rolling upgrades via multiple auto scaling configurations, audit files sync, etc)
  Another option - https://github.com/hashicorp/vault-helm
  Some inspiration - https://learn.hashicorp.com/vault/operations/ops-reference-architecture
  • 11. Vault production (min) readiness checklist
  ● TLS termination
  ● Vault HA storage - ACL and encryption
  ● Local storage encryption
  ● Auto-unseal using KMS
  ● Stripped down image, infra as code, encryption, minimal exec rights
  ● No ssh or other kind of remote access, NACL for outgoing traffic
  ● IDS
  ● Backups and DR
  ● Logs and telemetry export from the node
  ● Audit on, sync audit files to remote storage, integrity check for audit files
  ● Sync audit files to archive
  ● Audit files parsing and anomaly detection
  ● Availability/performance monitoring and alerting
  More here https://learn.hashicorp.com/vault/operations/production-hardening
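Slide 11 lists audit-file parsing and anomaly detection as a readiness item without showing what that looks like in practice. The following is an added example, not code from the slides or from HashiCorp: it reads a few constructed lines in the shape of Vault's file audit device output (one JSON document per line, trimmed to the fields used) and flags three things worth an alert: use of a root token, repeated failed logins from one source address, and requests from outside the networks you expected (the same idea as token_bound_cidrs on slide 24). The sample addresses, names and the allowed networks are made up.

```python
"""Parse Vault file-audit-device lines and flag a few anomalies."""
import ipaddress
import json
from collections import Counter

# Constructed sample in the shape of Vault's file audit device output (one JSON
# document per line, fields trimmed to what the check uses). All values are fake.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","time":"2019-05-20T10:00:01Z","auth":{"display_name":"ldap-alice","policies":["default","dba"]},'
    '"request":{"operation":"read","path":"database/creds/dba","remote_address":"10.0.1.15"}}',
    '{"type":"response","time":"2019-05-20T10:00:05Z","auth":{"display_name":"root","policies":["root"]},'
    '"request":{"operation":"update","path":"sys/policies/acl/dba","remote_address":"10.0.1.15"}}',
    '{"type":"response","time":"2019-05-20T10:01:00Z","auth":{},'
    '"request":{"operation":"update","path":"auth/ldap/login/bob","remote_address":"203.0.113.7"},"error":"ldap operation failed"}',
    '{"type":"response","time":"2019-05-20T10:01:02Z","auth":{},'
    '"request":{"operation":"update","path":"auth/ldap/login/bob","remote_address":"203.0.113.7"},"error":"ldap operation failed"}',
    '{"type":"response","time":"2019-05-20T10:01:04Z","auth":{},'
    '"request":{"operation":"update","path":"auth/ldap/login/bob","remote_address":"203.0.113.7"},"error":"ldap operation failed"}',
    '{"type":"response","time":"2019-05-20T10:02:00Z","auth":{"display_name":"approle","policies":["default","ci"]},'
    '"request":{"operation":"read","path":"secret/data/ci","remote_address":"198.51.100.9"}}',
    'not json at all',  # a corrupted line, to show it is counted rather than ignored
]


def parse_audit(lines):
    """Keep response entries (they carry the outcome); count unparseable lines
    so a truncated or tampered file does not pass silently."""
    events, bad = [], 0
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if entry.get("type") == "response":
            events.append(entry)
    return events, bad


def find_anomalies(events, allowed_networks, max_failures=3):
    """Three checks: root-token use, repeated login failures per source address,
    and requests from outside the expected networks."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    root_usage, outside_cidr, failures = [], [], Counter()
    for event in events:
        request = event.get("request") or {}
        auth = event.get("auth") or {}
        when = event.get("time")
        path = request.get("path", "")
        addr = request.get("remote_address", "")
        if "root" in (auth.get("policies") or []):
            root_usage.append((when, path))
        if path.startswith("auth/") and event.get("error"):
            failures[addr] += 1
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # no usable address on this entry
        if networks and not any(ip in net for net in networks):
            outside_cidr.append((when, addr, path))
    return {
        "root_usage": root_usage,
        "auth_failures": {a: n for a, n in failures.items() if n >= max_failures},
        "outside_cidr": outside_cidr,
    }


if __name__ == "__main__":
    events, bad = parse_audit(SAMPLE_AUDIT_LINES)
    print(f"{len(events)} events, {bad} unparseable line(s)")
    for key, value in find_anomalies(events, ["10.0.0.0/8", "198.51.100.0/24"]).items():
        print(key, value)
```

The allowed-network list should be the same set you would put into token_bound_cidrs, so a hit here is either a misconfigured client or a token used from somewhere it was never meant to be.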
  • 12. Context - before Vault
  ● Applications running in containers
  ● Orchestrated by Kubernetes
  ● Running in AWS
  ● Secrets in configmaps/secrets
  ● Apps require database connection and connection to other cloud services (i.e. database creds and cloud access creds), other static secrets
  ● Developers pulling secrets from k8s secrets
  • 13. Deployment
  ● EC2, classic ELB, auto-scaling group per AZ (for rolling updates)
  ● Immutable infra
  ● Initial secrets baked in as encrypted archive that could be decrypted only with a key accessible to Vault instances
  ● Behind VPN
  ● Auto-unseal with KMS
  ● HA storage in DynamoDB with point in time restore
  ● Logs in CloudWatch
  ● Telemetry in Prometheus
  • 14. It would be a good idea to split the deployment Terraform spec and the configuration Terraform spec
  • 15. Vault is up and running. What is next?
  • 16. To start configuring Vault via Terraform we need...
  ● Vault URL configured as VAULT_ADDR env variable
  ● Vault token (root token will do for the start but revoke it afterwards together with the rest of the root tokens)
  ● A good idea of what you are after…
  More here https://www.youtube.com/watch?v=fOybhcbuxJ0 and here https://www.terraform.io/docs/providers/vault/index.html
  • 17. One slide Vault intro (diagram)
  Auth methods (LDAP, k8s, AppRole, AWS, ...) -> Vault token, governed by Vault policies
  Secret engines -> leases: AWS (AWS access keys), Database (database login credentials), RabbitMQ (RabbitMQ login credentials), PKI (certificates), KV (secret value), Transit (encrypted data)
  Audit device
  More here https://www.youtube.com/watch?v=VYfl-DpZ5wM
  • 18. Token
  Be aware of TTL and Max TTL
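For slide 18, an added example (not from the slides) that models the TTL versus max TTL rule the way Vault documents it for tokens and leases: a renewal extends the expiry from the moment of renewal, but never past issue time plus max TTL, and an expired token cannot be renewed at all. The numbers are constructed; the point is that a client which renews forever still loses its token when the ceiling is reached, so it must be able to log in again.

```python
"""Token/lease TTL versus max TTL, modelled on Vault's documented behaviour."""
from dataclasses import dataclass


@dataclass
class Lease:
    issued_at: int   # when the token/lease was created (seconds)
    expiry: int      # current expiry time (seconds)
    max_ttl: int     # absolute ceiling, counted from issued_at


class LeaseExpired(Exception):
    pass


def issue(now, ttl, max_ttl):
    """The initial TTL is itself capped by the max TTL."""
    return Lease(issued_at=now, expiry=now + min(ttl, max_ttl), max_ttl=max_ttl)


def renew(lease, now, increment):
    """Extend the expiry from *now*, never past issued_at + max_ttl; refuse
    once the lease has already expired."""
    if now >= lease.expiry:
        raise LeaseExpired(f"expired at {lease.expiry}, cannot renew at {now}")
    lease.expiry = min(now + increment, lease.issued_at + lease.max_ttl)
    return lease.expiry


def simulate_renewals(ttl, max_ttl, every):
    """A client that renews by `ttl` every `every` seconds: how many renewals
    succeed before the max TTL ceiling ends the token for good?"""
    lease = issue(0, ttl, max_ttl)
    renewals, now = 0, every
    while True:
        try:
            renew(lease, now, ttl)
        except LeaseExpired:
            return renewals, lease.expiry
        renewals += 1
        now += every


if __name__ == "__main__":
    # Constructed numbers: 1h TTL, 24h max TTL, renewal every 50 minutes.
    n, final = simulate_renewals(ttl=3600, max_ttl=86400, every=3000)
    print(f"{n} renewals succeeded; token expired for good at t={final}s (max_ttl=86400)")
```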
  • 19. Auth methods and policies
  Boring but very important
  • 20. You probably need more than one...
  ● Humans - operators and developers
  ● Machines - CI/CD, bots, etc
  ● Things - Apps, Infra etc
  A good idea is to use MFA for humans and to limit from where auth methods can be invoked
  • 21. Auth -> Role -> Token with policy
  Ex. LDAP -> LDAP Group -> Token with policy
  • 22. LDAP
  ● Leverages existing IAM setup
  ● Delegates credentials validation
  ● Used by humans
  ● Would be a good idea to simplify the login procedure for your users
  More here https://www.vaultproject.io/docs/auth/ldap.html
  • 23. LDAP
    resource "vault_ldap_auth_backend" "ldap" {
      path        = "ldap"
      url         = "ldaps://dc-01.example.org"
      userdn      = "OU=Users,OU=Accounts,DC=example,DC=org"
      userattr    = "sAMAccountName"
      upndomain   = "EXAMPLE.ORG"
      binddn      = "${var.binddn}"
      bindpass    = "${var.bindpass}"
      discoverdn  = false
      groupdn     = "OU=Groups,DC=example,DC=org"
      # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: resolves nested group membership
      groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
    }
  https://www.terraform.io/docs/providers/vault/r/ldap_auth_backend.html
  • 24. Things to consider
  ● token_no_default_policy
  ● token_bound_cidrs
  ● token_ttl
  ● token_max_ttl
  • 25. LDAP role (backend group actually)
    resource "vault_ldap_auth_backend_group" "group" {
      groupname = "dba"
      policies  = ["dba"]
      backend   = "${vault_ldap_auth_backend.ldap.path}"
    }
  https://www.terraform.io/docs/providers/vault/r/ldap_auth_backend_group.html
  • 26. Policy
    data "vault_policy_document" "example" {
      rule {
        path         = "secret/*"
        capabilities = ["create", "read", "update", "delete", "list"]
        description  = "allow all on secrets"
      }
    }
    resource "vault_policy" "example" {
      name   = "example_policy"
      policy = "${data.vault_policy_document.example.hcl}"
    }
  https://www.terraform.io/docs/providers/vault/d/policy_document.html
  • 27. Policy
  ● You will need a policy to manage policies...
  ● Deny by default
  ● Policy names do not have to match LDAP group names, but it is easier for users if they do
  ● Member of multiple groups gets multiple policies
  More here https://learn.hashicorp.com/vault/getting-started/policies
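Slides 21 and 27 describe auth -> role -> token with policy, deny by default, and that a member of several LDAP groups gets several policies, but not what the token can actually do once those policies are stacked. The following is an added example, not code from the slides or from Vault, simulating Vault's documented ACL combination rules: rules for the same path from different policies are merged (union of capabilities, and a deny anywhere wins), an exact path rule beats a glob, the longest matching glob wins, and anything unmatched is denied. The policies are constructed and written as Python dicts instead of HCL.

```python
"""Simulate how Vault combines the policies attached to one token."""

DENY = "deny"

# Constructed policies, one per LDAP group, as {path: set(capabilities)}.
POLICY_DBA = {
    "database/creds/dba": {"read"},
    "secret/dba/*": {"create", "read", "update", "delete", "list"},
}
POLICY_DEV = {"secret/*": {"read", "list"}}
POLICY_DEV_WRITER = {"secret/*": {"create", "update"}}
POLICY_NO_PROD = {"secret/prod/*": {DENY}}


def merge_policies(policies):
    """Build one ACL from several policies: identical paths get the union of
    their capabilities, and a deny on a path wins over everything else."""
    acl = {}
    for policy in policies:
        for path, caps in policy.items():
            current = acl.setdefault(path, set())
            if DENY in caps or DENY in current:
                acl[path] = {DENY}
            else:
                current.update(caps)
    return acl


def capabilities_for(acl, request_path):
    """Exact path rule first; otherwise the longest matching glob rule
    (trailing '*'); no rule at all means deny by default."""
    if request_path in acl:
        return acl[request_path]
    best, best_len = {DENY}, -1
    for path, caps in acl.items():
        if path.endswith("*") and request_path.startswith(path[:-1]) and len(path) > best_len:
            best, best_len = caps, len(path)
    return best


def is_allowed(acl, request_path, capability):
    caps = capabilities_for(acl, request_path)
    return DENY not in caps and capability in caps


if __name__ == "__main__":
    # A user who is in both the dba and dev groups, with the prod block applied too.
    acl = merge_policies([POLICY_DBA, POLICY_DEV, POLICY_NO_PROD])
    checks = [
        ("database/creds/dba", "read"),      # from dba
        ("secret/dba/app", "delete"),        # secret/dba/* is more specific than secret/*
        ("secret/app/config", "update"),     # dev only has read/list here
        ("secret/prod/db", "read"),          # deny on secret/prod/* overrides secret/*
        ("sys/policies/acl/dba", "update"),  # no rule at all: deny by default
    ]
    for path, cap in checks:
        print(f"{cap:6} {path:24} -> {'allow' if is_allowed(acl, path, cap) else 'deny'}")
```

This is also why the "policy to manage policies" on slide 27 matters: nothing under sys/policies is reachable until some policy grants it explicitly.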
  • 28. AppRole if you really have to...
  ● If you don't have a better way
  ● Mostly used for CI
  ● Initial secret issue
  ● No good way to audit access
  More here https://www.vaultproject.io/docs/auth/approle.html
  • 29. AppRole
    resource "vault_auth_backend" "approle" {
      type = "approle"
    }
    resource "vault_approle_auth_backend_role" "example" {
      backend        = vault_auth_backend.approle.path
      role_name      = "test-role"
      token_policies = ["default", "dev", "prod"]
    }
  https://www.terraform.io/docs/providers/vault/r/approle_auth_backend_role.html
  • 31. AppRole
    resource "vault_approle_auth_backend_role_secret_id" "secret" {
      backend   = "approle"
      role_name = "${vault_approle_auth_backend_role.example.role_name}"
    }
    locals {
      kv = {
        role_id   = "${vault_approle_auth_backend_role.example.role_id}"
        secret_id = "${vault_approle_auth_backend_role_secret_id.secret.secret_id}"
      }
    }
    # Hands role id / secret id over through a KV mount defined elsewhere (vault_mount.kv)
    resource "vault_generic_secret" "kv" {
      path      = "${vault_mount.kv.path}/approle"
      data_json = "${jsonencode(local.kv)}"
    }
  • 32. Cloud IAM, K8S, etc
  ● Better way for non-interactive auth
  ● Leverages existing entities
  ● Delegates entity validation
  • 33. AWS IAM
    resource "vault_auth_backend" "aws" {
      description = "Auth method for CI engines"
      type        = "aws"
    }
    resource "vault_aws_auth_backend_role" "ci_builder" {
      backend                  = "${vault_auth_backend.aws.path}"
      role                     = "ci-builder"
      auth_type                = "iam"
      bound_iam_principal_arns = ["${data.aws_iam_role.ci_builder.arn}"]
      token_ttl                = 3600
      token_max_ttl            = 3600
      token_policies           = ["${vault_policy.ci_builder.name}"]
    }
  https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html
  • 34. AWS IAM
    resource "aws_iam_user" "ci_builder" {
      name = "${module.iam_auth_for_ci_user_name.qualified_name}"
      tags = "${module.tags.default}"
    }
    resource "aws_iam_access_key" "ci_builder" {
      user = "${aws_iam_user.ci_builder.name}"
    }
    resource "aws_iam_user_policy" "ci_builder" {
      name   = "Allow-Vault-to-look-up-users-for-iam-auth"
      user   = "${aws_iam_user.ci_builder.name}"
      policy = "${data.aws_iam_policy_document.iam_auth_for_ci.json}"
    }
  • 35. AWS IAM
    # https://www.vaultproject.io/docs/secrets/aws/index.html#example-iam-policy-for-vault
    data "aws_iam_policy_document" "iam_auth_for_ci" {
      statement {
        effect    = "Allow"
        actions   = ["iam:GetUser", "iam:GetRole"]
        resources = ["arn:aws:iam::${data.aws_caller_identity.i.account_id}:*"]
      }
      statement {
        effect    = "Allow"
        actions   = ["sts:AssumeRole"]
        resources = ["arn:aws:iam::${data.aws_caller_identity.i.account_id}:role/vault-cluster*"]
      }
    }
  • 36. AWS IAM
    resource "vault_aws_auth_backend_client" "ci_builder" {
      backend    = "${vault_auth_backend.aws.path}"
      access_key = "${aws_iam_access_key.ci_builder.id}"
      secret_key = "${aws_iam_access_key.ci_builder.secret}"
    }
  • 37. K8S
    resource "kubernetes_service_account" "vault_auth" {
      metadata {
        name      = "vault-auth"
        namespace = "${var.k8s_namespace}"
      }
      automount_service_account_token = true
    }
    data "kubernetes_secret" "sa" {
      depends_on = ["kubernetes_service_account.vault_auth"]
      metadata {
        name = "${kubernetes_service_account.vault_auth.default_secret_name}"
      }
    }
  • 38. K8S
    resource "kubernetes_cluster_role_binding" "vault_auth" {
      metadata {
        name = "role-tokenreview-binding"
      }
      role_ref {
        api_group = "rbac.authorization.k8s.io"
        kind      = "ClusterRole"
        name      = "system:auth-delegator"
      }
      subject {
        kind      = "ServiceAccount"
        name      = "${kubernetes_service_account.vault_auth.metadata.0.name}"
        namespace = "${var.k8s_namespace}"
        api_group = ""
      }
    }
  • 39. K8S
    resource "vault_kubernetes_auth_backend_config" "config" {
      backend            = "${vault_auth_backend.kubernetes.path}"
      kubernetes_host    = "${var.k8s_api}"
      kubernetes_ca_cert = "${data.kubernetes_secret.sa.data["ca.crt"]}"
      token_reviewer_jwt = "${data.kubernetes_secret.sa.data["token"]}"
    }
    # kubernetes_service_account.app is the application's own service account, defined elsewhere
    resource "vault_kubernetes_auth_backend_role" "role" {
      backend                          = "kubernetes"
      role_name                        = "${var.app_name}"
      bound_service_account_names      = ["${kubernetes_service_account.app.metadata.0.name}"]
      bound_service_account_namespaces = ["${var.k8s_namespace}"]
      token_ttl                        = "${var.ttl}"
      token_policies                   = ["${vault_policy.read-psql.name}", "${vault_policy.read-aws.name}"]
    }
  • 40. K8S
  Here are more details if you are interested https://www.youtube.com/watch?v=t6ZKhY0-_cA
  • 41. I got a token. What is next?
  • 42. KV
  AWS SSM Parameter Store -> KV for humans
  Configmaps/Secrets -> KV for Apps
  • 43. KV
  Human-initiated storage for static secrets and machine-initiated/readable storage for static secrets
  • 44. AWS
    resource "aws_iam_user" "user" {
      name = "vault-aws-admin"
      tags = "${module.tags.default}"
    }
    resource "aws_iam_access_key" "key" {
      user = "${aws_iam_user.user.name}"
    }
    resource "aws_iam_user_policy" "policy" {
      name   = "Allow-Vault-to-create-temp-users"
      user   = "${aws_iam_user.user.name}"
      policy = "${data.aws_iam_policy_document.document.json}"
    }
  • 45. AWS
  https://www.vaultproject.io/docs/secrets/aws/index.html#example-iam-policy-for-vault
  IAM actions granted to the Vault user by that policy:
    "iam:AttachUserPolicy"
    "iam:CreateAccessKey"
    "iam:CreateUser"
    "iam:DeleteAccessKey"
    "iam:DeleteUser"
    "iam:DeleteUserPolicy"
    "iam:DetachUserPolicy"
    "iam:ListAccessKeys"
    "iam:ListAttachedUserPolicies"
    "iam:ListGroupsForUser"
    "iam:ListUserPolicies"
    "iam:PutUserPolicy"
    "iam:RemoveUserFromGroup"
  • 46. AWS
    resource "vault_aws_secret_backend" "aws" {
      description               = "AWS secret engine so operators can get temporary keys"
      path                      = "aws"
      region                    = "${data.aws_region.r.name}"
      access_key                = "${aws_iam_access_key.key.id}"
      secret_key                = "${aws_iam_access_key.key.secret}"
      default_lease_ttl_seconds = "28800"
      max_lease_ttl_seconds     = "86400"
    }
  • 47. AWS
    resource "aws_iam_role" "admin" {
      name                 = "admin"
      max_session_duration = "28800"
      assume_role_policy   = "${data.aws_iam_policy_document.trust.json}"
      tags                 = "${module.tags.default}"
    }
    resource "vault_aws_secret_backend_role" "access-aws-admin-role" {
      backend         = "${vault_aws_secret_backend.aws.path}"
      name            = "access-aws-admin-role"
      role_arns       = ["${aws_iam_role.admin.arn}"]
      credential_type = "assumed_role"
    }
  • 48. AWS
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
    # AWS job-function managed policies live under the job-function/ prefix
    data "aws_iam_policy" "admin" {
      arn = "arn:aws:iam::aws:policy/job-function/SystemAdministrator"
    }
    resource "aws_iam_role_policy_attachment" "admin" {
      role       = "${aws_iam_role.admin.name}"
      policy_arn = "${data.aws_iam_policy.admin.arn}"
    }
  • 49. AWS
    data "aws_iam_policy_document" "trust" {
      statement {
        effect  = "Allow"
        actions = ["sts:AssumeRole"]
        principals {
          type        = "AWS"
          identifiers = ["${aws_iam_user.user.arn}"]
        }
      }
    }
  • 50. AWS
  Works in the same way for apps and humans!
  • 51. AWS
  Use temporary AWS creds to generate a sign-in AWS console URL! No SSO needed!
  https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
  • 52. For more inspiration https://youtu.be/Y0er4UCmqiA
  • 53. Database creds
  ● Creation and revocation statements are hard
  ● Use RDS IAM auth if possible
  • 54. Secrets rotation
    # Rotate the root credentials of every connection in every database secrets engine
    DB_SECRET_ENGINE_MOUNTS=$(vault secrets list -format=json \
      | jq -r '. | to_entries[] | select(.value.type | startswith("database")) | .key')
    for DB_SECRET_ENGINE_MOUNT in ${DB_SECRET_ENGINE_MOUNTS}; do
      # mount paths from "vault secrets list" end with a slash, e.g. database/
      DB_CONNECTION_NAMES=$(vault list -format=json "${DB_SECRET_ENGINE_MOUNT}config" | jq --raw-output '.[]')
      for DB_CONNECTION_NAME in ${DB_CONNECTION_NAMES}; do
        vault write -force "${DB_SECRET_ENGINE_MOUNT}rotate-root/${DB_CONNECTION_NAME}"
      done
    done
  • 55. Secrets rotation
    # Delete the access keys of the IAM users Vault uses, then let Terraform create new ones
    AWS_USERS=$(aws iam list-users \
      --query "Users[?starts_with(UserName, 'vault-aws-')].UserName" --output text)
    for AWS_USER in ${AWS_USERS}; do
      KEYS_ID=$(aws iam list-access-keys --user-name "${AWS_USER}" \
        --query "AccessKeyMetadata[*].AccessKeyId" --output text)
      for KEY_ID in ${KEYS_ID}; do
        aws iam delete-access-key --access-key-id "${KEY_ID}" --user-name "${AWS_USER}"
      done
    done
    terraform apply
  Note! Keys are still in Terraform state - encrypt state storage and state itself!
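Slide 55 ends with the warning that the rotated keys are still in Terraform state. An added example, not from the slides: a scan over a constructed state document in the schema-version-4 layout (fake values) that lists which resource attributes hold credentials, so a pipeline step can refuse to continue when such a state is kept unencrypted. The attribute-name list is an assumption about the resources used in this talk (IAM access keys, LDAP bind password, AWS engine keys, AppRole secret id); extend it for your own providers.

```python
"""Find credential-bearing attributes in a Terraform state document."""
import json
import re

# Constructed state (schema version 4 layout) with the resource types the slides
# create. Every value below is fake.
SAMPLE_STATE_JSON = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_user", "name": "user",
         "instances": [{"attributes": {"name": "vault-aws-admin",
                                       "arn": "arn:aws:iam::123456789012:user/vault-aws-admin"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "key",
         "instances": [{"attributes": {"id": "AKIAFAKEFAKEFAKEFAKE", "user": "vault-aws-admin",
                                       "secret": "FAKE/secret/access/key/value"}}]},
        {"mode": "managed", "type": "vault_ldap_auth_backend", "name": "ldap",
         "instances": [{"attributes": {"path": "ldap", "binddn": "CN=vault,OU=Service,DC=example,DC=org",
                                       "bindpass": "FAKE-bind-password"}}]},
        {"mode": "managed", "type": "vault_aws_secret_backend", "name": "aws",
         "instances": [{"attributes": {"path": "aws", "access_key": "AKIAFAKEFAKEFAKEFAKE",
                                       "secret_key": "FAKE/secret/access/key/value"}}]},
        {"mode": "managed", "type": "vault_approle_auth_backend_role_secret_id", "name": "secret",
         "instances": [{"attributes": {"role_name": "test-role",
                                       "secret_id": "00000000-fake-fake-fake-000000000000"}}]},
    ],
})

# Attribute names that carry credentials in the providers used on the slides
# (assumption; matched as the whole name or as its last underscore-separated part).
SENSITIVE_ATTRS = re.compile(
    r"(^|_)(secret|secret_key|secret_id|password|bindpass|token|jwt|private_key)$"
)


def find_secrets_in_state(state_json):
    """Return (resource address, attribute name) pairs whose value is readable
    by anyone who can read the state. Values are deliberately not returned."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("module"):
            address = f"{res['module']}.{address}"
        for idx, inst in enumerate(res.get("instances", [])):
            for attr, value in inst.get("attributes", {}).items():
                if isinstance(value, str) and value and SENSITIVE_ATTRS.search(attr):
                    findings.append((f"{address}[{idx}]", attr))
    return findings


if __name__ == "__main__":
    hits = find_secrets_in_state(SAMPLE_STATE_JSON)
    for address, attr in hits:
        print(f"{address}: {attr}")
    print(f"{len(hits)} credential-bearing attribute(s): this state needs encryption at rest and in transit")
```

Run it against `terraform state pull` output in CI; a non-empty result is the concrete reason the remote backend for this state must be encrypted and its access restricted, because deleting the keys in AWS (slide 55) does not remove the old values from state history.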
  • 57. KV state issue
  ● Terraform provider for Vault in some cases(?) does not re-read KV and newly added values are not readable/found
  ● Workaround: terraform state rm <data source>
    data "vault_generic_secret" "rundeck_auth" {
      path = "secret/rundeck_auth"
    }
    provider "rundeck" {
      url        = "http://rundeck.example.com/"
      auth_token = "${data.vault_generic_secret.rundeck_auth.data["auth_token"]}"
    }
  • 58. Vault and Terraform do not always play together
    resource "vault_database_secret_backend_connection" "postgres" {
      count         = "${var.enable_postgresql}"
      backend       = "${vault_mount.db.path}"
      name          = "${var.postgresql_db_name}"
      allowed_roles = ["${var.postgresql_role_name}", "${local.read_only_role_name}", "${local.admin_role_name}"]
      data = {
        username = "${var.postgresql_db_username}"
        password = "${var.postgresql_db_username_password}"
      }
      postgresql {
        connection_url       = "postgres://{{username}}:{{password}}@${var.postgresql_db_endpoint}:${var.postgresql_db_port}/${var.postgresql_db_name}"
        max_open_connections = "${var.postgresql_max_open_connections}"
      }
      # the password is rotated by Vault (rotate-root), so Terraform must not try to reset it
      lifecycle {
        ignore_changes = ["data.password"]
      }
    }
  • 59. Vault and Terraform do not always play together
    resource "aws_iam_access_key" "key" {
      user = "${aws_iam_user.user.name}"
    }
    resource "aws_iam_user_policy" "policy" {
      name   = "Allow-Vault-to-create-temp-users"
      user   = "${aws_iam_user.user.name}"
      policy = "${data.aws_iam_policy_document.document.json}"
    }
    resource "vault_aws_secret_backend" "aws" {
      description               = "AWS secret engine for operators to get temporary keys"
      path                      = "humans-aws"
      region                    = "${data.aws_region.r.name}"
      access_key                = "${aws_iam_access_key.key.id}"
      secret_key                = "${aws_iam_access_key.key.secret}"
      default_lease_ttl_seconds = "28800"
      max_lease_ttl_seconds     = "86400"
    }
  • 60. Some misconceptions
    data "vault_generic_secret" "db_creds" {
      path       = "${module.vault_config.database_path}/creds/${var.db_role_name}"
      depends_on = ["module.vault_config"]
    }
    locals {
      db_username = "${data.vault_generic_secret.db_creds.data["username"]}"
      db_password = "${data.vault_generic_secret.db_creds.data["password"]}"
    }
    locals {
      psql_url = "postgres://${local.db_username}:${local.db_password}@${module.db.connection_string}?sslmode=require"
    }
    resource "vault_generic_secret" "config" {
      path      = "${module.vault_config.kv_path}/config"
      data_json = <<-EOF
        {
          "Psql_url": "${local.psql_url}"
        }
      EOF
    }
  • 61. How should I do this with Lambdas?