An important use-case for Vault is to provide short lived and least privileged Cloud credentials. In this webinar we will review specifically how Vault's Azure Secrets Engine can provide dynamic Azure credentials. We will cover details on how to configure the Azure Secrets Engine in Vault and use it in an application. If you are using Azure now or in the near future, join us for some patterns on maintaining a high security posture with Vault's dynamic credentials model!

1. © 2019 HashiCorp
Dynamic Azure
Credentials for
Applications and CI/CD
Pipelines
SE Webinar - July 21st, 2020
Kawsar Kamal - Staff Solution Engineer (http://kawsark.gitlab.io)
Brianna DeLuca - Sr. Field Marketing Manager

2. Agenda
● Introductions (Brianna) - 5
● Vault overview (Kawsar) - 10
● Demo (Kawsar) - 20
● Q/A (moderated by Brianna) - 15

3. Objectives
● Business driver: move to cloud while maintaining high security posture.

4. A generational transition is underway
Traditional datacenter
“Static”
Modern datacenter
“Dynamic”
Dedicated
infrastructure
Private cloud
SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT
Public multi-cloud
+

5. The HashiCorp Stack
A control plane for every layer of the cloud operating model
Run
Development Cloud Application Automation
Connect
Networking Cloud Networking Automation
Secure
Security Cloud Security Automation
Provision
Operations Cloud Infrastructure Automation
vSphere
Various
Hardware
Identity:
AD/LDAP
Terraform
EKS / ECS
Lambda
CloudApp/
AppMesh
Identity:
AWS IAM
Cloud
Formation
AKS / ACS
Azure Functions
Proprietary
Identity:
Azure AD
Resource
Manager
GKE Cloud
Functions
Proprietary
Identity:
GCP IAM
Cloud
Deployment
Manager

6. Vault: Manage Secrets and Protect
sensitive data
*slide from HashiCorp corporate overview
High Trust
Long-lived IP, clear network
perimeter.
Low Trust
No clear perimeter
Mixed identities: Cloud, VMs,
Container, Serverless
Maintained by
HashiCorp
Written in Go Cloud
agnostic
Opensource
community

7. Vault
Manage Secrets and Protect sensitive Data
Secrets management to centrally store and
protect secrets across clouds and applications
Data encryption to keep application data secure
across environments and workloads
Advanced Data Protection to secure workloads
and data across traditional systems, clouds, and
infrastructure.
300+
Enterprise
Customers
1M+
Monthly D/Ls
2T+
Transactions
Trusted by:

8. How Vault works

9. Azure plugins
Dynamically generates Azure service
principals along with role and group
assignments. Or new password will be
dynamically generated for existing
service principals.
The azure auth method allows
authentication against Vault using
Azure credentials.
Azure Auth Method Azure Secrets Engine

10. Dynamic credentials

11. Demo: Dynamic credentials

12. Terraform Enterprise
Demo: Securing CI/CD Pipeline
Version Control
CI/CD
Terraform IaC
(*.tf)
AKS
Workspace

13. Key benefits
● Azure credentials are unique to each application instance - no password sharing.
● Cloud credentials have least privilege roles to limit blast radius.
● Cloud credentials are time bound so in case of a credential leak, the risk of it being valid is
limited.
● Credentials can be audited to check which application instance retrieved a secret.
● Easy to revoke credentials if needed.

14. Q/A

15. Resources
Demo repository https://gitlab.com/kawsark/vault-azure-demo
Azure Secrets Engine https://www.vaultproject.io/docs/secrets/azure
Blog post
https://medium.com/hashicorp-engineering/onboarding-the-azure-secrets-engine-for-vault-f09d48c68b69?sour
ce=friends_link&sk=59acf7d78362a48bf6cb039385776114
Azure Authentication Method https://www.vaultproject.io/docs/auth/azure
Webinar Assets This will be emailed
Vault 1.4 Blog post https://www.hashicorp.com/blog/vault-1-4/
Deploying Vault in Kubernetes https://www.vaultproject.io/docs/platform/k8s/helm/run
Terraform for AKS https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/kubernetes
Transform Secrets Engine
wrapper
https://github.com/kawsark/transform.py