SlideShare una empresa de Scribd logo

Delivering Secret Zero: Vault AppRole with Terraform and Chef

Descargar como PPTX, PDF
A
Amanda MacLeod

2018-03-09

Tecnología
1 de 13
Copyright © 2018 HashiCorp Delivering Secret Zero: Vault AppRole with Terraform and Chef Presented By: Teddy Sacilowski Sr. Solutions Engineer
Copyright © 2018 HashiCorp ▪ Teddy Sacilowski ▪ Sr. Solutions Engineer @ HashiCorp ▪ Email: teddy@hashicorp.com ▪ Demo repo: https://github.com/hashicorp/vault- guides/tree/master/identity/vault-chef-approle About Me 2
Copyright © 2018 HashiCorp ▪ Allow myself to introduce… myself… ▪ Lots of conceptual material, looking at source code… ▪ Actual demo part is short ▪ Close the loop with Seth Vargo's Chef + Vault blog/webinar ▪ Understand Vault authentication, in general ▪ Understand Secure Introduction (SI), in general ▪ Learn the AppRole pattern and how it helps with SI Agenda 3
Copyright © 2018 HashiCorp ▪ Using HashiCorp's Vault with Chef: https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef ▪ Manage Secrets with Chef and HashiCorps Vault - Chef Blog: https://blog.chef.io/2016/12/12/manage-secrets-with-chef-and- hashicorps-vault/ ▪ Really awesome job defining Chef + HashiCorp Vault integration patterns ▪ Missing Pieces... how do I get Chef or [insert any other app, client, server, etc.] to authenticate with Vault programmatically??? Closing the Loop... 4
Copyright © 2018 HashiCorp ▪ Vault == centralized secrets management ▪ All our "things" are dynamic, distributed (or at least we want them to be...) ▪ Let’s not depend on humans to deliver secrets ▪ To get to our secrets, we need to authenticate ▪ Maps down to the issuance of a token (LDAP/AD; AWS Auth; Google Cloud Auth; Whatever Auth...) ▪ Policies are attached to the tokens (for the most part...) ▪ All subsequent requests/operations require this token, so… ▪ How do we securely deliver auth tokens to our programmatic clients?? ▪ ^^ This is our challenge, and we use Secure Intro to solve it... Context: Authentication in Vault 5
Copyright © 2018 HashiCorp ▪ See Jeff Mitchell's talk Managing Secrets in a Container Environment - YouTube: https://www.youtube.com/watch?v=skENC9aXgco ▪ Step 1, see if native auth capabilities are enough ▪ AWS Auth ▪ Google Cloud Auth ▪ Kubernetes Auth ▪ See Brokering Cloud Identity: https://www.hashicorp.com/blog/brokering-cloud-identity ▪ Circle of trust... we already have solutions in place that we trust to do "things" ▪ K8s for container scheduling/orchestration... or... Nomad (or even... both??) ;-) ▪ Terraform for provisioning ▪ Chef, Ansible, Puppet, [insert preferred CM tool here] for config management ▪ Jenkins, CircleCI, Travis, [insert preferred CI/CD tool here] (and maybe Packer??) More Context: Secure Introduction 6
Copyright © 2018 HashiCorp ▪ But really, how much do I (or should I) trust any one system? ▪ Say I store a Vault token on my Chef Server to retrieve DB credentials for MyWebScaleApp? ▪ Do I want a Chef Admin to potentially be able to retrieve those DB creds? ▪ Doesn't sound like least privilege to me… ▪ Most likely, at least two of these systems are involved in getting our apps running ▪ What if we had a way to distribute parts of an authentication through separate channels?? ▪ Hint: that's what AppRole allows us to do! Even More Context: Secure Introduction… 7
Copyright © 2018 HashiCorp ▪ Think of AppRole as similar to username/password, but for machines ▪ RoleID - static identifier that… well… identifies our specific role ▪ Not considered secret/sensitive ▪ Can be embedded in an AMI, app code, Dockerfile, env var, etc. ▪ Can’t do anything with just the RoleID ▪ SecretID - this value is considered sensitive and should be unique to each client ▪ Might be delivered via config mgmt, orchestrator, etc. ▪ Also, can’t do anything with just the SecretID ▪ But when I bring them together => Vault token! ▪ … And now my server/app/container can do [permitted] "stuff" in Vault So… What’s AppRole? 8
Copyright © 2018 HashiCorp AppRole Authentication 9 Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.) Targets (Servers, Applications, Containers, etc.) Get RoleID Get SecretID (wrapped) Deliver RoleID Deliver SecretID (wrapped) 1. Unwrap SecretID 2. AppRole login with RoleID + SecretID 3. Get Authentication token back from Vault
Copyright © 2018 HashiCorp AppRole Authentication 10 Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.) Targets (Servers, Applications, Containers, etc.) Get RoleID Get SecretID (wrapped) Deliver RoleID Deliver SecretID (wrapped) 1. Unwrap SecretID 2. AppRole login with RoleID + SecretID 3. Get Authentication token back from Vault
s Copyright © 2018 HashiCorp 11 Demo Time!
s Copyright © 2018 HashiCorp 12 Questions?
Thank you. hello@hashicorp.comwww.hashicorp.com

Recomendados

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Amanda MacLeod
 
Vault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesVault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesMitchell Pronschinske
 
Vault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresVault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresMitchell Pronschinske
 
Vault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsVault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsMitchell Pronschinske
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsMitchell Pronschinske
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 

Recomendados

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Amanda MacLeod
 
Vault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesVault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New FeaturesMitchell Pronschinske
 
Vault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresVault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresMitchell Pronschinske
 
Vault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsVault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsMitchell Pronschinske
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsMitchell Pronschinske
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetAmanda MacLeod
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesMitchell Pronschinske
 
Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Mitchell Pronschinske
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Stenio Ferreira
 
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh GatewaysConsul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh GatewaysMitchell Pronschinske
 
Rein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS LambdaRein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS LambdaAmanda MacLeod
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp VaultNicolas Corrarello
 
Commodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudCommodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudMarko Bevc
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseStenio Ferreira
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherHashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherMatt Ray
 
Demystifying Terraform 012
Demystifying Terraform 012Demystifying Terraform 012
Demystifying Terraform 012Stenio Ferreira
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar Mitchell Pronschinske
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultOlinData
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 

Más contenido relacionado

La actualidad más candente

How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetAmanda MacLeod
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesMitchell Pronschinske
 
Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Mitchell Pronschinske
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Stenio Ferreira
 
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh GatewaysConsul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh GatewaysMitchell Pronschinske
 
Rein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS LambdaRein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS LambdaAmanda MacLeod
 
Commodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudCommodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudMarko Bevc
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseStenio Ferreira
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherHashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherMatt Ray
 
Demystifying Terraform 012
Demystifying Terraform 012Demystifying Terraform 012
Demystifying Terraform 012Stenio Ferreira
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultOlinData
 

La actualidad más candente (20)

How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi Vault
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New Features
 
Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6Agent Side Lookups with HashiCorp Vault and Puppet 6
Agent Side Lookups with HashiCorp Vault and Puppet 6
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
 
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh GatewaysConsul 1.6: Layer 7 Traffic Management and Mesh Gateways
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
 
Rein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS LambdaRein in Your Cloud Costs with Terraform and AWS Lambda
Rein in Your Cloud Costs with Terraform and AWS Lambda
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
 
Commodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudCommodified IaC using Terraform Cloud
Commodified IaC using Terraform Cloud
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Vault 101
Vault 101Vault 101
Vault 101
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherHashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better Together
 
Demystifying Terraform 012
Demystifying Terraform 012Demystifying Terraform 012
Demystifying Terraform 012
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 

Similar a Delivering Secret Zero: Vault AppRole with Terraform and Chef

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...Puppet
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...Andrey Devyatkin
 
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyCloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyMaki Toshio
 
OAuth2 & OpenID Connect with Spring Security
OAuth2 & OpenID Connect with Spring SecurityOAuth2 & OpenID Connect with Spring Security
OAuth2 & OpenID Connect with Spring SecurityShuto Uwai
 
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Codemotion
 
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Codemotion
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkBrent Shaffer
 
Using CredHub for Kubernetes Deployments
Using CredHub for Kubernetes DeploymentsUsing CredHub for Kubernetes Deployments
Using CredHub for Kubernetes DeploymentsVMware Tanzu
 
Apache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp VaultApache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp VaultCloudOps2005
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIswesley chun
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Bas Meijer
 
Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
 
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016Spark Solutions
 

Similar a Delivering Secret Zero: Vault AppRole with Terraform and Chef (20)

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
 
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyCloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
 
OAuth2 & OpenID Connect with Spring Security
OAuth2 & OpenID Connect with Spring SecurityOAuth2 & OpenID Connect with Spring Security
OAuth2 & OpenID Connect with Spring Security
 
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
 
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
 
Using CredHub for Kubernetes Deployments
Using CredHub for Kubernetes DeploymentsUsing CredHub for Kubernetes Deployments
Using CredHub for Kubernetes Deployments
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
 
Apache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp VaultApache CloudStack Integration with HashiCorp Vault
Apache CloudStack Integration with HashiCorp Vault
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
 
Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020
 
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016
Jimmie Lindstrom, Braintree_ePayment Workshop @ Open Commerce Conference 2016
 

Último

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Delivering Secret Zero: Vault AppRole with Terraform and Chef

  • 1. Copyright © 2018 HashiCorp Delivering Secret Zero: Vault AppRole with Terraform and Chef Presented By: Teddy Sacilowski Sr. Solutions Engineer
  • 2. Copyright © 2018 HashiCorp ▪ Teddy Sacilowski ▪ Sr. Solutions Engineer @ HashiCorp ▪ Email: teddy@hashicorp.com ▪ Demo repo: https://github.com/hashicorp/vault- guides/tree/master/identity/vault-chef-approle About Me 2
  • 3. Copyright © 2018 HashiCorp ▪ Allow myself to introduce… myself… ▪ Lots of conceptual material, looking at source code… ▪ Actual demo part is short ▪ Close the loop with Seth Vargo's Chef + Vault blog/webinar ▪ Understand Vault authentication, in general ▪ Understand Secure Introduction (SI), in general ▪ Learn the AppRole pattern and how it helps with SI Agenda 3
  • 4. Copyright © 2018 HashiCorp ▪ Using HashiCorp's Vault with Chef: https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef ▪ Manage Secrets with Chef and HashiCorps Vault - Chef Blog: https://blog.chef.io/2016/12/12/manage-secrets-with-chef-and- hashicorps-vault/ ▪ Really awesome job defining Chef + HashiCorp Vault integration patterns ▪ Missing Pieces... how do I get Chef or [insert any other app, client, server, etc.] to authenticate with Vault programmatically??? Closing the Loop... 4
  • 5. Copyright © 2018 HashiCorp ▪ Vault == centralized secrets management ▪ All our "things" are dynamic, distributed (or at least we want them to be...) ▪ Let’s not depend on humans to deliver secrets ▪ To get to our secrets, we need to authenticate ▪ Maps down to the issuance of a token (LDAP/AD; AWS Auth; Google Cloud Auth; Whatever Auth...) ▪ Policies are attached to the tokens (for the most part...) ▪ All subsequent requests/operations require this token, so… ▪ How do we securely deliver auth tokens to our programmatic clients?? ▪ ^^ This is our challenge, and we use Secure Intro to solve it... Context: Authentication in Vault 5
  • 6. Copyright © 2018 HashiCorp ▪ See Jeff Mitchell's talk Managing Secrets in a Container Environment - YouTube: https://www.youtube.com/watch?v=skENC9aXgco ▪ Step 1, see if native auth capabilities are enough ▪ AWS Auth ▪ Google Cloud Auth ▪ Kubernetes Auth ▪ See Brokering Cloud Identity: https://www.hashicorp.com/blog/brokering-cloud-identity ▪ Circle of trust... we already have solutions in place that we trust to do "things" ▪ K8s for container scheduling/orchestration... or... Nomad (or even... both??) ;-) ▪ Terraform for provisioning ▪ Chef, Ansible, Puppet, [insert preferred CM tool here] for config management ▪ Jenkins, CircleCI, Travis, [insert preferred CI/CD tool here] (and maybe Packer??) More Context: Secure Introduction 6
  • 7. Copyright © 2018 HashiCorp ▪ But really, how much do I (or should I) trust any one system? ▪ Say I store a Vault token on my Chef Server to retrieve DB credentials for MyWebScaleApp? ▪ Do I want a Chef Admin to potentially be able to retrieve those DB creds? ▪ Doesn't sound like least privilege to me… ▪ Most likely, at least two of these systems are involved in getting our apps running ▪ What if we had a way to distribute parts of an authentication through separate channels?? ▪ Hint: that's what AppRole allows us to do! Even More Context: Secure Introduction… 7
  • 8. Copyright © 2018 HashiCorp ▪ Think of AppRole as similar to username/password, but for machines ▪ RoleID - static identifier that… well… identifies our specific role ▪ Not considered secret/sensitive ▪ Can be embedded in an AMI, app code, Dockerfile, env var, etc. ▪ Can’t do anything with just the RoleID ▪ SecretID - this value is considered sensitive and should be unique to each client ▪ Might be delivered via config mgmt, orchestrator, etc. ▪ Also, can’t do anything with just the SecretID ▪ But when I bring them together => Vault token! ▪ … And now my server/app/container can do [permitted] "stuff" in Vault So… What’s AppRole? 8
  • 9. Copyright © 2018 HashiCorp AppRole Authentication 9 Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.) Targets (Servers, Applications, Containers, etc.) Get RoleID Get SecretID (wrapped) Deliver RoleID Deliver SecretID (wrapped) 1. Unwrap SecretID 2. AppRole login with RoleID + SecretID 3. Get Authentication token back from Vault
  • 10. Copyright © 2018 HashiCorp AppRole Authentication 10 Trusted Systems (Terraform, Jenkins, Chef, Nomad, Kubernetes, Pivotal Cloud Foundry, etc.) Targets (Servers, Applications, Containers, etc.) Get RoleID Get SecretID (wrapped) Deliver RoleID Deliver SecretID (wrapped) 1. Unwrap SecretID 2. AppRole login with RoleID + SecretID 3. Get Authentication token back from Vault
  • 11. s Copyright © 2018 HashiCorp 11 Demo Time!
  • 12. s Copyright © 2018 HashiCorp 12 Questions?