Can you keep a secret?Moisieienko Valerii

XP Days 2017

Who Is This Guy?

• Senior Application Engineer @ Oracle UGBU

• 8+ years in commercial software development

• Oracle Certified Professional

• MapR Certified HBase Developer

• Masters Degree in Information Security

Notification

This presentation is based on my personal experience and does not represent official position of Oracle

company.

Everybody Has A Secret

• Database credentials

• Third-party API keys

• License keys

• Sensitive environment variables

And How Do We Usually Keep Them ?

database: connections: default: url: jdbc:mysql://my.db.server:3306/example_service user: service_user password: superStrongPassword

apiToken: 8d07b5e9-fbb2-4499-a3c4-053190a78827

Private Code RepositoryAuthentification

But No Authorisation

The Task

• Reliable secret storage

• Data encryption support

• Flexible user authentication backend

• Authorization

• Convenient interaction for humans and applications

Possible Solutions

• HSMs

• Amazon KMS

• Keywhiz

• Conjur

• HashiCorp Vault

HashiCorp Vault

• Secure Secret Storage

• Data Encryption

• Access Control

• Pluggable Auth & Storage Backends

• Vault Client & HTTP API

Getting Started

• Vault Server

• Secrets

• Policies

• Authentification

• Tokens

Vault Server

vault server -dev

vault server -config= server_config.hcl

export VAULT_ADDR= 'http://127.0.0.1:8200'

storage "mysql" {

username = "vault"

password = "iamvault"

database = "vault"

}

listener "tcp" {

address = "127.0.0.1:8200"

tls_disable = 1

}

Secrets

vault write secret/v1/my/secrets <key1>=<value1> <key2>=<value2> <key3>=<value3>

vault read secret/v1/my/secrets

vault delete secret/v1/my/secrets

vault path-help secret/

Policies

vault policy-write myfirstpolicy policy.hcl

path "secret/*" {

capabilities = ["create"]

}

path "secret/read/only" {

capabilities = ["read"]

}

path "auth/token/lookup-self" {

capabilities = ["read"]

}

Tokens

vault token-create -policy= <policy_name>

vault auth <token>

vault token-revoke <token>

token

d5da8c66-1b37-6916-85cc-3192a135f9a1

token_accessor

ae97c557-e416-8d98-b815-7394b0d7bcbb

token_duration 768h0m0s

token_renewable true

token_policies [default myfirstpolicy]

Authentification

vault auth-enable github

vault write auth/github/config organization=<github_org>

vault write auth/github/map/teams/default value=default

vault auth -method=github token=<github_token>

vault auth-disable github

Vault Integration• Define secrets

• Create application role

• Create policies

• Provide policy mapping

• Place secrets to Vault

• Adjust application

• Summon

Application Role

vault write auth/token/roles/role.service.example-service allowed_policies="policy.service.example-service"

Polices

• Admin policy • Application policy

Admin Policyexample-service-admin.hcl

# Admins can read/write secrets for their servicepath "secret/service/example_service/v1/*" { capabilities = ["create", "read", "update", "delete", "list"] } # Admins can provision tokens for their servicepath "auth/token/create/role.service.example-service" { capabilities = ["create", "update"] }

Application Policyexample-service.hcl

path "secret/service/example_service/v1/*" { capabilities = ["read", "list"] }

Writing Policies

vault policy-write policy.service.example-service.admin example-service-admin.hcl

vault policy-write policy.service.example-service example-service.hcl

# Specific to particular auth backend vault write auth/github/map/teams/default value=policy.service.example-service.admin

Secrets Go To Vault

vault write secret/service/example_service/v1/db_properties jdbc.url=<jdbc_url> jdbc.username=<username> jdbc.password=<password>

Application Adjustment

Application adjustmentsecrets file

DB_URL: !var secret/service/example_service/v1/db_properties:jdbc.url

DB_USERNAME: !var secret/service/example_service/v1/db_properties:jdbc.username

DB_PASSWORD: !var secret/service/example_service/v1/db_properties:jdbc.password

Application adjustmentproperties file

database: jdbcUrl: ENV[DB_URL] user: ENV[DB_USERNAME] password: ENV[DB_PASSWORD]

Application adjustmentEnvironment Variable Lookup

private static final Pattern SECRETS_PATTERN = Pattern.compile("ENV\\[(.*)\\]");public String resolvePropertyValue(String value) { Matcher matcher = SECRETS_PATTERN.matcher(value); if (matcher.find()) { return System.getenv(matcher.group(1)); } else { return value; }}

Summon• Install

brew tap conjurinc/tools brew install summon

• Vault Provider

mv summon-vault /usr/local/lib/summon/ chmod 755 /usr/local/lib/summon/summon-vault

• Check

VAULT_TOKEN=<TOKEN> summon --provider summon-vault -f secrets.yml ruby -e 'puts ENV["DB_URL"]'

Integration Demo

Pros And Cons

+ Easy setup

+ Master key sharing

+ Pluggable storage and auth backends

+ Straight forward policy control

+ Provides client and HTTP API

- Application integration

- Token renewal mechanism

Thank you!

You are welcome to write me at valeramoiseenko@gmail.com

GitHub https://github.com/moisieienko-valerii/vault-dropwizard