Can you keep a secret?
Moisieienko Valerii
XP Days 2017
Who Is This Guy?
• Senior Application Engineer @ Oracle UGBU
• 8+ years in commercial software development
• Oracle Certified Professional
• MapR Certified HBase Developer
• Masters Degree in Information Security
Notification
This presentation is based on my personal experience and does not represent the official position of Oracle.
Everybody Has A Secret
• Database credentials
• Third-party API keys
• License keys
• Sensitive environment variables
And How Do We Usually Keep Them ?
database:
  connections:
    default:
      url: jdbc:mysql://my.db.server:3306/example_service
      user: service_user
      password: superStrongPassword
apiToken: 8d07b5e9-fbb2-4499-a3c4-053190a78827
Private Code Repository
Authentication, But No Authorisation
The Task
• Reliable secret storage
• Data encryption support
• Flexible user authentication backend
• Authorization
• Convenient interaction for humans and applications
Possible Solutions
• HSMs
• Amazon KMS
• Keywhiz
• Conjur
• HashiCorp Vault
HashiCorp Vault
• Secure Secret Storage
• Data Encryption
• Access Control
• Pluggable Auth & Storage Backends
• Vault Client & HTTP API
Getting Started
• Vault Server
• Secrets
• Policies
• Authentication
• Tokens
Vault Server
vault server -dev
vault server -config=server_config.hcl
export VAULT_ADDR='http://127.0.0.1:8200'
storage "mysql" {
  username = "vault"
  password = "iamvault"
  database = "vault"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
Secrets
vault write secret/v1/my/secrets <key1>=<value1> <key2>=<value2> <key3>=<value3>
vault read secret/v1/my/secrets
vault delete secret/v1/my/secrets
vault path-help secret/
Policies
vault policy-write myfirstpolicy policy.hcl
path "secret/*" {
  capabilities = ["create"]
}
path "secret/read/only" {
  capabilities = ["read"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
Tokens
vault token-create -policy=<policy_name>
vault auth <token>
vault token-revoke <token>
token            d5da8c66-1b37-6916-85cc-3192a135f9a1
token_accessor   ae97c557-e416-8d98-b815-7394b0d7bcbb
token_duration   768h0m0s
token_renewable  true
token_policies   [default myfirstpolicy]
Authentication
vault auth-enable github
vault write auth/github/config organization=<github_org>
vault write auth/github/map/teams/default value=default
vault auth -method=github token=<github_token>
vault auth-disable github
Vault Integration
• Define secrets
• Create application role
• Create policies
• Provide policy mapping
• Place secrets to Vault
• Adjust application
• Summon
Application Role
vault write auth/token/roles/role.service.example-service allowed_policies="policy.service.example-service"
Policies
• Admin policy
• Application policy
Admin Policy
example-service-admin.hcl
# Admins can read/write secrets for their service
path "secret/service/example_service/v1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Admins can provision tokens for their service
path "auth/token/create/role.service.example-service" {
  capabilities = ["create", "update"]
}
Application Policy
example-service.hcl
path "secret/service/example_service/v1/*" {
  capabilities = ["read", "list"]
}
Writing Policies
vault policy-write policy.service.example-service.admin example-service-admin.hcl
vault policy-write policy.service.example-service example-service.hcl
# Specific to particular auth backend
vault write auth/github/map/teams/default value=policy.service.example-service.admin
Secrets Go To Vault
vault write secret/service/example_service/v1/db_properties jdbc.url=<jdbc_url> jdbc.username=<username> jdbc.password=<password>
Application Adjustment
Application adjustment: secrets file
DB_URL: !var secret/service/example_service/v1/db_properties:jdbc.url
DB_USERNAME: !var secret/service/example_service/v1/db_properties:jdbc.username
DB_PASSWORD: !var secret/service/example_service/v1/db_properties:jdbc.password
Application adjustment: properties file
database:
  jdbcUrl: ENV[DB_URL]
  user: ENV[DB_USERNAME]
  password: ENV[DB_PASSWORD]
Application adjustment: Environment Variable Lookup
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Matches property values of the form ENV[NAME] and captures NAME
private static final Pattern SECRETS_PATTERN = Pattern.compile("ENV\\[(.*)\\]");

public String resolvePropertyValue(String value) {
    Matcher matcher = SECRETS_PATTERN.matcher(value);
    if (matcher.find()) {
        // System.getenv returns null when NAME is not set in the environment
        return System.getenv(matcher.group(1));
    } else {
        return value;
    }
}
Summon
• Install
brew tap conjurinc/tools
brew install summon
• Vault Provider
mv summon-vault /usr/local/lib/summon/
chmod 755 /usr/local/lib/summon/summon-vault
• Check
VAULT_TOKEN=<TOKEN> summon --provider summon-vault -f secrets.yml ruby -e 'puts ENV["DB_URL"]'
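What the summon-vault provider does for the secrets file above, as an added Python example that is not part of the talk or of the vault-dropwizard project: it parses the `NAME: !var path:key` lines, reads each Vault path once over the HTTP API, and builds the environment block handed to the application; `vault_http_reader` assumes the KV v1 `{"data": {...}}` response of the secret/ backend, and the secrets.yml copy is constructed from the slide.

```python
import json
import re
import urllib.request

# Constructed copy of the secrets.yml shown above; "NAME: !var path:key" is summon's syntax.
SECRETS_YML = """\
DB_URL: !var secret/service/example_service/v1/db_properties:jdbc.url
DB_USERNAME: !var secret/service/example_service/v1/db_properties:jdbc.username
DB_PASSWORD: !var secret/service/example_service/v1/db_properties:jdbc.password
"""

VAR_LINE = re.compile(r"^(?P<env>[A-Za-z_]\w*):\s*!var\s+(?P<path>[^:\s]+):(?P<key>\S+)\s*$")

def parse_secrets_yml(text):
    """Map each environment variable name to the (Vault path, key) it is read from."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no mapping
        match = VAR_LINE.match(line)
        if match is None:
            raise ValueError(f"secrets.yml line {lineno}: expected 'NAME: !var path:key'")
        mapping[match["env"]] = (match["path"], match["key"])
    return mapping

def vault_http_reader(vault_addr, vault_token):
    """Reader that GETs /v1/<path> with X-Vault-Token; assumes the KV v1
    response shape {"data": {key: value, ...}} of the secret/ backend."""
    def read(path):
        request = urllib.request.Request(
            f"{vault_addr}/v1/{path}", headers={"X-Vault-Token": vault_token})
        with urllib.request.urlopen(request) as response:
            return json.load(response)["data"]
    return read

def resolve_env(mapping, read_secret):
    """Build the environment block summon hands to the child process: each
    Vault path is read once, and a missing key fails fast without echoing
    any secret value in the error."""
    cache, env = {}, {}
    for name, (path, key) in mapping.items():
        if path not in cache:
            cache[path] = read_secret(path)
        if key not in cache[path]:
            raise KeyError(f"{name}: key '{key}' not found at {path}")
        env[name] = str(cache[path][key])
    return env
```

With a live server, `resolve_env(parse_secrets_yml(SECRETS_YML), vault_http_reader(VAULT_ADDR, VAULT_TOKEN))` yields the dict to merge into the child's environment before launching the application.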
Integration Demo
Pros And Cons
+ Easy setup
+ Master key sharing
+ Pluggable storage and auth backends
+ Straightforward policy control
+ Provides client and HTTP API
- Application integration
- Token renewal mechanism
Thank you!
You are welcome to write me at [email protected]
GitHub https://github.com/moisieienko-valerii/vault-dropwizard