Delivering Secret Zero: Vault AppRole with Terraform and Chef
Amanda MacLeod
2018-03-09
1.
Copyright © 2018 HashiCorp
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Presented By: Teddy Sacilowski, Sr. Solutions Engineer
2.
About Me
▪ Teddy Sacilowski
▪ Sr. Solutions Engineer @ HashiCorp
▪ Email: teddy@hashicorp.com
▪ Demo repo: https://github.com/hashicorp/vault-guides/tree/master/identity/vault-chef-approle
3.
Agenda
▪ Allow myself to introduce… myself…
▪ Lots of conceptual material, looking at source code…
▪ Actual demo part is short
▪ Close the loop with Seth Vargo's Chef + Vault blog/webinar
▪ Understand Vault authentication, in general
▪ Understand Secure Introduction (SI), in general
▪ Learn the AppRole pattern and how it helps with SI
4.
Closing the Loop...
▪ Using HashiCorp's Vault with Chef: https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef
▪ Manage Secrets with Chef and HashiCorp's Vault - Chef Blog: https://blog.chef.io/2016/12/12/manage-secrets-with-chef-and-hashicorps-vault/
▪ Really awesome job defining Chef + HashiCorp Vault integration patterns
▪ Missing pieces... how do I get Chef or [insert any other app, client, server, etc.] to authenticate with Vault programmatically?
5.
Context: Authentication in Vault
▪ Vault == centralized secrets management
▪ All our "things" are dynamic, distributed (or at least we want them to be...)
▪ Let's not depend on humans to deliver secrets
▪ To get to our secrets, we need to authenticate
▪ Maps down to the issuance of a token (LDAP/AD; AWS Auth; Google Cloud Auth; Whatever Auth...)
▪ Policies are attached to the tokens (for the most part...)
▪ All subsequent requests/operations require this token, so…
▪ How do we securely deliver auth tokens to our programmatic clients?
▪ ^^ This is our challenge, and we use Secure Intro to solve it...
6.
More Context: Secure Introduction
▪ See Jeff Mitchell's talk Managing Secrets in a Container Environment - YouTube: https://www.youtube.com/watch?v=skENC9aXgco
▪ Step 1, see if native auth capabilities are enough
  ▪ AWS Auth
  ▪ Google Cloud Auth
  ▪ Kubernetes Auth
  ▪ See Brokering Cloud Identity: https://www.hashicorp.com/blog/brokering-cloud-identity
▪ Circle of trust... we already have solutions in place that we trust to do "things"
  ▪ K8s for container scheduling/orchestration... or... Nomad (or even... both??) ;-)
  ▪ Terraform for provisioning
  ▪ Chef, Ansible, Puppet, [insert preferred CM tool here] for config management
  ▪ Jenkins, CircleCI, Travis, [insert preferred CI/CD tool here] (and maybe Packer??)
7.
Even More Context: Secure Introduction…
▪ But really, how much do I (or should I) trust any one system?
▪ Say I store a Vault token on my Chef Server to retrieve DB credentials for MyWebScaleApp?
▪ Do I want a Chef Admin to potentially be able to retrieve those DB creds?
▪ Doesn't sound like least privilege to me…
▪ Most likely, at least two of these systems are involved in getting our apps running
▪ What if we had a way to distribute parts of an authentication through separate channels?
▪ Hint: that's what AppRole allows us to do!
8.
So… What's AppRole?
▪ Think of AppRole as similar to username/password, but for machines
▪ RoleID - static identifier that… well… identifies our specific role
  ▪ Not considered secret/sensitive
  ▪ Can be embedded in an AMI, app code, Dockerfile, env var, etc.
  ▪ Can't do anything with just the RoleID
▪ SecretID - this value is considered sensitive and should be unique to each client
  ▪ Might be delivered via config mgmt, orchestrator, etc.
  ▪ Also, can't do anything with just the SecretID
▪ But when I bring them together => Vault token!
▪ … And now my server/app/container can do [permitted] "stuff" in Vault
9.
AppRole Authentication
Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.):
▪ Get RoleID
▪ Get SecretID (wrapped)
▪ Deliver RoleID
▪ Deliver SecretID (wrapped)
Targets (Servers, Applications, Containers, etc.):
1. Unwrap SecretID
2. AppRole login with RoleID + SecretID
3. Get authentication token back from Vault
10.
AppRole Authentication
Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.):
▪ Get RoleID
▪ Get SecretID (wrapped)
▪ Deliver RoleID
▪ Deliver SecretID (wrapped)
Targets (Servers, Applications, Containers, etc.):
1. Unwrap SecretID
2. AppRole login with RoleID + SecretID
3. Get authentication token back from Vault
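Both sides of the exchange on the two diagram slides above, as an added Ruby example (the language a Chef recipe is written in); this is not the deck's demo code from the vault-guides repo. It drives Vault's HTTP API directly: the trusted system mints a response-wrapped SecretID, and the target checks the wrapping token's creation_path, unwraps it once and logs in with RoleID + SecretID. The class name AppRoleIntro, the role name my-app, the injectable http_post transport and the environment variable names are assumptions.

```ruby
require "json"
require "net/http"
require "uri"

# AppRole secure introduction over Vault's HTTP API. The trusted system mints a
# response-wrapped SecretID; the target unwraps it and logs in, so no party other
# than the target ever holds a usable Vault token. (Added example; names assumed.)
class AppRoleIntro
  # http_post: callable (path, token, body_hash, wrap_ttl:) -> parsed JSON hash.
  # Defaults to Net::HTTP so the class runs stand-alone against a real Vault.
  def initialize(vault_addr, http_post: nil)
    @addr = vault_addr
    @http_post = http_post || method(:net_http_post)
  end

  # Trusted-system side: generate a SecretID wrapped for wrap_ttl. Only the
  # single-use wrapping token leaves this system, never the SecretID itself.
  def issue_wrapped_secret_id(trusted_token, role_name, wrap_ttl: "60s", mount: "approle")
    resp = @http_post.call("/v1/auth/#{mount}/role/#{role_name}/secret-id",
                           trusted_token, {}, wrap_ttl: wrap_ttl)
    resp.fetch("wrap_info").fetch("token")
  end

  # Target side, step 0: refuse wrapping tokens not minted by the expected
  # SecretID endpoint. creation_path exists so a client can spot a substituted
  # wrapping token before unwrapping it.
  def verify_wrapping_token!(wrapping_token, expected_path)
    info = @http_post.call("/v1/sys/wrapping/lookup", wrapping_token, { "token" => wrapping_token })
    path = info.fetch("data").fetch("creation_path")
    raise "unexpected creation_path #{path}, expected #{expected_path}" unless path == expected_path
  end

  # Target side, step 1: single-use unwrap. If someone unwrapped it first, Vault
  # errors here; treat that as an interception alert, not something to retry.
  def unwrap_secret_id(wrapping_token)
    resp = @http_post.call("/v1/sys/wrapping/unwrap", wrapping_token, {})
    raise "unwrap failed: #{resp['errors'].inspect}" if resp["errors"]
    resp.fetch("data").fetch("secret_id")
  end

  # Target side, step 2: RoleID + SecretID -> step 3: client token from Vault.
  def login(role_id, secret_id, mount: "approle")
    resp = @http_post.call("/v1/auth/#{mount}/login", nil,
                           { "role_id" => role_id, "secret_id" => secret_id })
    raise "login failed: #{resp['errors'].inspect}" if resp["errors"]
    resp.fetch("auth").fetch("client_token")
  end

  # The whole target-side sequence from the slide: lookup -> unwrap -> login.
  def authenticate(role_name, role_id, wrapping_token, mount: "approle")
    verify_wrapping_token!(wrapping_token, "auth/#{mount}/role/#{role_name}/secret-id")
    login(role_id, unwrap_secret_id(wrapping_token), mount: mount)
  end

  private

  def net_http_post(path, token, body, wrap_ttl: nil)
    uri = URI.join(@addr, path)
    req = Net::HTTP::Post.new(uri, "Content-Type" => "application/json")
    req["X-Vault-Token"] = token if token
    req["X-Vault-Wrap-TTL"] = wrap_ttl if wrap_ttl
    req.body = JSON.generate(body)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
    res.body.to_s.strip.empty? ? {} : JSON.parse(res.body)
  end
end

# Stand-alone target run against a real Vault (env var names are assumptions).
if __FILE__ == $0 && ENV["VAULT_ADDR"] && ENV["WRAPPING_TOKEN"]
  puts AppRoleIntro.new(ENV["VAULT_ADDR"]).authenticate(ENV.fetch("ROLE_NAME", "my-app"), ENV.fetch("ROLE_ID"), ENV["WRAPPING_TOKEN"])
end
```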
11.
Demo Time!
12.
Questions?
13.
Thank you.
hello@hashicorp.com
www.hashicorp.com