🔥 If you're interested in a step-by-step course to learn the basics of Vault, check this course out:
HashiCorp Vault 101 - Certified Vault Associate ► https://bit.ly/hc-vault101
In this video, we talk about Hashicorp's Vault tool and how it can generate ephemeral dynamic secrets for a MongoDB.
Agenda
● Intro to Vault
● Why Dynamic Secrets?
● Use Case
● Demo
● Next Steps
● Q & A
What is a Secret?
Anything that allows you to authenticate into a system or authorizes you to do something on that system.
Examples:
● Usernames and passwords
● DB creds
● API tokens
● TLS certs
How to Manage Secrets
The challenge is how to manage these secrets:
● Who has access?
● Who has been using them?
● How can we periodically rotate them?
Challenge 1: Secrets Sprawl
Today secrets end up everywhere
● In source code, in plain text
● In config management (Chef, Puppet, Ansible), in plain text
● In version control (GitHub, GitLab, Bitbucket)
Vault’s Solution 1: Centralization
● Centralize everything
● Encrypt at rest and in transit (between vault and clients)
● ACL (fine-grained access)
● Audit trail
Challenge 2: Apps don’t keep secrets
Applications do a terrible job of keeping secrets:
● They show up on stdout and may be shipped to logging tools (e.g. Splunk)
● They appear in diagnostic output, such as an exception traceback or an error report
● They get sent to external monitoring systems
Vault’s Solution 2: Dynamic Secrets
● Ephemeral instead of long-lived (for example, 30 days)
● Unique to each client
● Better revocation story (no outage)
Challenge 3: Cryptography is hard
How should apps protect their own data at rest?
● Vault manages secrets, not confidential data
● Store encryption keys in Vault for apps to use in their own cryptography
● It is easy to get cryptography wrong, leading to compromises
Vault’s Solution 3: Encryption as a Service
● Named keys (e.g. CC, SIN, PII)
● High-level APIs for cryptography (e.g. encrypt, sign, verify)
○ Example: HMAC(CC, …)
● Offload key management (key lifecycle)
○ Key versioning
○ Key rotation
○ Key decommissioning
Vault’s Solutions Summary
● Secrets Sprawl: Centralization
● Apps not keeping secrets: Dynamic Secrets
● Difficult Cryptography: Encryption as a Service
Use Case: DB Dynamic Secrets
Demo Steps
● Web-blog app using environment variables
○ Hard-coded MongoDB username and password
○ The username and password are static and don’t expire
● Web-blog app using Vault’s dynamic secrets
○ MongoDB username and password are generated by Vault dynamically and passed to the app
○ The username and password expire every 10 seconds and get renewed
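How the app side of the second demo step can keep those 10-second MongoDB credentials usable, as an added example that is not code from the video or from Vault: it renews the lease once half of it has elapsed and asks Vault for a fresh user when the lease has already expired or Vault refuses the renewal (max_ttl reached). `FakeVault` is a constructed stand-in for the two hvac client calls named in its comments, and `webblog` is an assumed role name.

```python
from dataclasses import dataclass, replace


@dataclass
class DbCred:
    username: str
    password: str
    lease_id: str
    lease_duration: float  # seconds granted on the last issue/renew
    expires_at: float      # time at which Vault drops the MongoDB user
    renewable: bool


class FakeVault:
    """Constructed stand-in for an hvac client: short leases, renewals capped at max_ttl."""
    def __init__(self, default_ttl=10, max_ttl=30):
        self.ttl, self.max_ttl, self.count, self.granted = default_ttl, max_ttl, 0, {}

    def generate_credentials(self, name):  # ~ client.secrets.database.generate_credentials
        self.count += 1
        lease_id = f"database/creds/{name}/lease{self.count}"
        self.granted[lease_id] = self.ttl
        return {"lease_id": lease_id, "lease_duration": self.ttl, "renewable": True,
                "data": {"username": f"v-{name}-{self.count}", "password": f"pw{self.count}"}}

    def renew_lease(self, lease_id, increment):  # ~ client.sys.renew_lease
        if self.granted[lease_id] + increment > self.max_ttl:
            raise RuntimeError("lease is past its max_ttl")  # Vault answers with an error
        self.granted[lease_id] += increment
        return {"lease_id": lease_id, "lease_duration": increment}


def fetch(client, role, now):
    """Ask Vault for a brand-new MongoDB user/password pair under `role`."""
    r = client.generate_credentials(name=role)
    return DbCred(r["data"]["username"], r["data"]["password"], r["lease_id"],
                  r["lease_duration"], now + r["lease_duration"], r["renewable"])


def ensure_valid(client, role, cred, now):
    """Return a usable credential at time `now`: keep it, renew at half-life, or rotate."""
    if cred is None or now >= cred.expires_at:
        return fetch(client, role, now)           # expired: the old user no longer exists
    if now < cred.expires_at - cred.lease_duration / 2:
        return cred                               # more than half the lease remains
    if cred.renewable:
        try:
            r = client.renew_lease(lease_id=cred.lease_id, increment=cred.lease_duration)
            return replace(cred, expires_at=now + r["lease_duration"])
        except RuntimeError:
            pass                                  # max_ttl reached: fall through and rotate
    return fetch(client, role, now)
```

Call `ensure_valid` before each database connection (or from a background ticker) so the app never holds a username that Vault has already revoked.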
▬▬▬▬▬▬▬▬▬ Courses 🎓 ▬▬▬▬▬▬▬▬
- TeKanAid Academy Subscription ► https://bit.ly/subscription-premium
- Terraform 101 - Certified Terraform Associate ► https://bit.ly/hc-terraform-101
🎟️ Get 15% off of my Terraform 101 Course with this coupon ► YOUTUBE15TF101
- HashiCorp Sentinel 101 ► https://bit.ly/hc-sentinel-101
- HashiCorp Vault 101 - Certified Vault Associate ► https://bit.ly/hc-vault101
🎟️ Get 15% off of my Vault 101 Course with this coupon ► YOUTUBE15VAULT101
- HashiCorp Vault 201 - Vault for Apps in Kubernetes ► https://bit.ly/hc-vault-201
▬▬▬▬▬▬▬▬ Useful Links 🛠 ▬▬▬▬▬▬▬
Get the code ► https://tekanaid.com/posts/webblog-app-part-2-secrets-development-phases-with-vault#code
▬▬▬▬▬▬▬▬ Community 🌎 ▬▬▬▬▬▬▬▬▬
- TeKanAid Community Forum ► https://tekanaid.com/community
▬▬▬▬▬▬▬▬ Connect 👋 ▬▬▬▬▬▬▬▬▬
Website ► https://bit.ly/TeKanAid_Website
Facebook Page ► https://bit.ly/TeKanAid_Facebook
Don't forget to subscribe ► https://bit.ly/TeKanAid_YouTube_Subscribe
MEDIUM ► https://bit.ly/Sam_Medium
TWITTER TeKanAid ► https://bit.ly/TeKanAid_Twitter
TWITTER Sam ► https://bit.ly/Sam_Twitter
LINKEDIN TeKanAid ► https://bit.ly/TeKanAid_LinkedIn
LINKEDIN Sam ► https://bit.ly/Sam_linkedin