14. 7. Execute 'aws configure' to configure the credentials for your IAM user. Make sure this IAM user has AdministratorAccess, then run 'aws sts get-caller-identity'; you should see JSON output like this.
19. Run Command in Cloud9
$ git clone https://github.com/Taipei-HUG/workshop.git
$ cd vault/CH00
$ ./step1.sh # get all binary
$ ./step2.sh # setup eks cluster
23. How do you rotate credentials?
● Create a new credential
● Rotate credentials one by one
● Delete the old credential
● What if you have 10 components connecting to the db?
26. Basic secret management (diagram)
0. Admin creates credential (Credential 1, Credential 2)
1. Get credential by access token or other auth method
2. Access db via credential
33. Basic secret management (diagram)
0. User creates credential (Credential 1, Credential 2)
1. Get credential by access token or other auth method
2. Access db via credential
34. Setup Vault on docker-compose
# Open cloud9 ide & see CH01/commands.txt
$ docker-compose up -d
$ export VAULT_ADDR=http://127.0.0.1:8080
$ export VAULT_TOKEN=my-root-token
$ vault status
35. Manipulate vault kv
$ vault kv list secret
$ vault kv put secret/first-secret foo=bar
$ vault kv list secret
$ vault kv get secret/first-secret
$ vault kv put secret/first-secret foo=bar test=true
$ vault kv metadata get secret/first-secret
$ vault kv delete secret/first-secret
$ vault kv metadata delete secret/first-secret
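The command sequence above only makes sense once you know that a KV v2 mount is versioned: every 'kv put' creates a new version, 'kv delete' is a soft delete that keeps the version history, and only 'kv metadata delete' removes the key for good. The following model replays the slide's sequence and records what each step observes. It is an added example, not the workshop's code and not Vault's implementation; the 'secret' mount and 'first-secret' key follow the slide, the clock and the KVv2 class are constructed.

```python
"""Model of a Vault KV v2 mount: versioned writes, soft delete, undelete,
destroy and metadata delete. Constructed example, not Vault's own code."""
from itertools import count


class KVv2:
    def __init__(self, mount="secret"):
        self.mount = mount
        self._clock = count(1)  # stand-in for wall-clock timestamps
        self._store = {}        # key -> {"versions": {n: version}, "current": n}

    def put(self, key, **data):
        """`vault kv put`: every write creates a new version, never overwrites."""
        entry = self._store.setdefault(key, {"versions": {}, "current": 0})
        entry["current"] += 1
        entry["versions"][entry["current"]] = {
            "data": dict(data), "created_time": next(self._clock),
            "deletion_time": None, "destroyed": False}
        return entry["current"]

    def get(self, key, version=None):
        """`vault kv get`: latest (or given) version, unless deleted/destroyed."""
        entry = self._store.get(key)
        if entry is None:
            return None
        v = entry["versions"].get(version or entry["current"])
        if v is None or v["deletion_time"] is not None or v["destroyed"]:
            return None
        return dict(v["data"])

    def list_keys(self):
        """`vault kv list`: keys still present on the mount."""
        return sorted(self._store)

    def delete(self, key, version=None):
        """`vault kv delete`: soft delete; data hidden but recoverable."""
        entry = self._store[key]
        entry["versions"][version or entry["current"]]["deletion_time"] = next(self._clock)

    def undelete(self, key, version):
        self._store[key]["versions"][version]["deletion_time"] = None

    def destroy(self, key, version):
        """`vault kv destroy`: the data of that version is gone for good."""
        v = self._store[key]["versions"][version]
        v["data"], v["destroyed"] = {}, True

    def metadata_get(self, key):
        """`vault kv metadata get`: version history survives soft deletes."""
        entry = self._store.get(key)
        if entry is None:
            return None
        fields = ("created_time", "deletion_time", "destroyed")
        return {"current_version": entry["current"],
                "versions": {n: {f: v[f] for f in fields}
                             for n, v in entry["versions"].items()}}

    def metadata_delete(self, key):
        """`vault kv metadata delete`: removes all versions and the key itself."""
        self._store.pop(key, None)


def walkthrough():
    """Replays the slide's command sequence and records what each step observes."""
    kv = KVv2("secret")
    out = {"initial_list": kv.list_keys()}
    kv.put("first-secret", foo="bar")
    out["after_first_put"] = kv.get("first-secret")
    kv.put("first-secret", foo="bar", test="true")
    out["after_second_put"] = kv.get("first-secret")
    out["current_version"] = kv.metadata_get("first-secret")["current_version"]
    kv.delete("first-secret")
    out["get_after_delete"] = kv.get("first-secret")          # None: soft-deleted
    out["v1_still_readable"] = kv.get("first-secret", version=1)
    meta = kv.metadata_get("first-secret")
    out["v2_has_deletion_time"] = meta["versions"][2]["deletion_time"] is not None
    kv.undelete("first-secret", 2)
    out["get_after_undelete"] = kv.get("first-secret")
    kv.metadata_delete("first-secret")
    out["final_list"] = kv.list_keys()
    out["metadata_after_metadata_delete"] = kv.metadata_get("first-secret")
    return out


if __name__ == "__main__":
    for step, seen in walkthrough().items():
        print(f"{step}: {seen}")
```

The practical consequence: a secret that was 'kv delete'd is still recoverable by anyone with the undelete capability, so rotating a leaked value means writing a new version and destroying the old one, not just deleting it.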
41. Dynamic credential lifecycle (diagram)
Request a dynamic credential
Create a user with certain scope
Returns a credential (database to Vault, Vault to application)
Access database via the credential
Revoke the credential (graceful shutdown)
Delete the user
User deleted, credential deleted
42. Setup Dynamic Secret
● See init.sh
● Setup Vault Dynamic Secret
● Integrate into our service
46. $ vault write database/roles/my-role \
    db_name=my-database \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="2h"
47. Dynamic credential flow (diagram)
1. Request credential: $ vault read database/creds/my-role
2. Issue a dynamic credential with TTL, using the root credential
3. Get credential
4. Access db by dynamic credential
Creation statements, executed by Vault with username=${MYSQL_ROOT_USERNAME} password=${MYSQL_ROOT_PASSWORD}:
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';
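Slides 41, 46 and 47 describe the lifecycle of a dynamic credential: Vault renders the role's creation statements with a fresh name and password, runs them with its own root credential, hands the result back under a lease, and drops the user again when the lease is revoked or expires. The simulation below walks one credential through exactly that flow, including the renewal cap at max_ttl. It is an added example, not the workshop's code and not Vault's implementation: FakeMySQL, the fake clock, the lease-id format and the DROP USER revocation statement are constructed stand-ins; the role definition is copied from the slide.

```python
"""Simulated dynamic database secret engine following the role on the slide
(database/roles/my-role). Constructed example, not Vault's code: FakeMySQL
stands in for the real database so the lifecycle runs offline:
request -> issue with TTL -> use -> renew up to max_ttl -> revoke/expire."""
import secrets
import string

# Role definition copied from the slide; Vault fills in {{name}}/{{password}}.
ROLE = {
    "db_name": "my-database",
    "creation_statements": "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
                           "GRANT SELECT ON *.* TO '{{name}}'@'%';",
    "default_ttl": 3600,  # "1h"
    "max_ttl": 7200,      # "2h"
}
REVOCATION_STATEMENT = "DROP USER '{{name}}'@'%';"  # constructed for this demo


class FakeMySQL:
    """Constructed stand-in for MySQL: only tracks users and their grants."""

    def __init__(self):
        self.users = {}  # name -> {"password": str, "grants": [str]}

    def execute(self, sql: str) -> None:
        # Tiny parser for the three statement shapes the role needs.
        for stmt in (s.strip() for s in sql.split(";")):
            if not stmt:
                continue
            q = stmt.split("'")  # quoted names/passwords land at odd indexes
            if stmt.startswith("CREATE USER"):
                self.users[q[1]] = {"password": q[5], "grants": []}
            elif stmt.startswith("GRANT"):
                privilege = stmt.split(" ON ")[0][len("GRANT "):]
                self.users[q[1]]["grants"].append(privilege)
            elif stmt.startswith("DROP USER"):
                self.users.pop(q[1], None)
            else:
                raise ValueError(f"unsupported statement: {stmt}")

    def authenticate(self, name: str, password: str) -> bool:
        return name in self.users and self.users[name]["password"] == password


class DynamicSecretEngine:
    """Issues a fresh DB user per request under a lease, like Vault's database engine."""

    def __init__(self, db: FakeMySQL, role: dict, clock):
        self.db, self.role, self.clock = db, role, clock
        self.leases = {}  # lease_id -> {"name", "issued", "expires"}

    def read_creds(self, requester: str) -> dict:
        """Equivalent of `vault read database/creds/my-role`."""
        now = self.clock()
        name = f"v-{requester}-{secrets.token_hex(4)}"
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(20))
        sql = (self.role["creation_statements"]
               .replace("{{name}}", name).replace("{{password}}", password))
        self.db.execute(sql)  # Vault runs this with its root credential
        lease_id = f"database/creds/my-role/{secrets.token_hex(8)}"
        self.leases[lease_id] = {"name": name, "issued": now,
                                 "expires": now + self.role["default_ttl"]}
        return {"lease_id": lease_id, "username": name, "password": password,
                "lease_duration": self.role["default_ttl"]}

    def renew(self, lease_id: str) -> int:
        """Extend by default_ttl, but never beyond max_ttl counted from issuance."""
        lease, now = self.leases[lease_id], self.clock()
        lease["expires"] = min(now + self.role["default_ttl"],
                               lease["issued"] + self.role["max_ttl"])
        return lease["expires"] - now

    def revoke(self, lease_id: str) -> None:
        """Graceful-shutdown path: drop the DB user, forget the lease."""
        lease = self.leases.pop(lease_id)
        self.db.execute(REVOCATION_STATEMENT.replace("{{name}}", lease["name"]))

    def tidy(self) -> list:
        """Revoke every lease whose TTL has elapsed (Vault does this on its own)."""
        now = self.clock()
        expired = [lid for lid, lease in self.leases.items() if lease["expires"] <= now]
        for lid in expired:
            self.revoke(lid)
        return expired


def run_lifecycle() -> dict:
    """Walks one credential through the slide's flow; returns what each step observed."""
    now = [0]  # fake clock in seconds, advanced by hand
    db = FakeMySQL()
    engine = DynamicSecretEngine(db, ROLE, clock=lambda: now[0])
    creds = engine.read_creds("app")                                  # 1. request
    grants = list(db.users[creds["username"]]["grants"])
    login_ok = db.authenticate(creds["username"], creds["password"])  # 4. access db
    now[0] = 3000
    first_renew = engine.renew(creds["lease_id"])   # 3600: well under max_ttl
    now[0] = 6900
    second_renew = engine.renew(creds["lease_id"])  # 300: capped at max_ttl
    now[0] = 7200
    expired = engine.tidy()                         # lease expired, user dropped
    login_after = db.authenticate(creds["username"], creds["password"])
    second = engine.read_creds("app")
    engine.revoke(second["lease_id"])               # graceful shutdown path
    return {"grants": grants, "login_ok": login_ok, "first_renew": first_renew,
            "second_renew": second_renew, "expired": len(expired),
            "login_after_expiry": login_after, "users_left": len(db.users)}


if __name__ == "__main__":
    print(run_lifecycle())
```

Two points worth noticing in the output: the GRANT line is what bounds the scope of every issued user (SELECT only, per the slide), and max_ttl is a hard stop measured from issuance, so a service that keeps renewing still has to fetch a new credential eventually.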
51. Basic secret management (diagram)
0. User creates credential (Credential 1, Credential 2)
1. Get credential by access token or other auth method
2. Access db via credential
53. Kubernetes cluster integration (diagram)
Kubernetes cluster: Deployment A, Deployment B (Credential 1, Credential 2)
Vault: Role A - Policy A, Role B - Policy B (Credential 1, Credential 2)
See more: Deep integration of Vault and Kubernetes (Vault 與 Kubernetes 的深度整合)
55. Put all together
● Dynamic Secret
● Kubernetes service authentication
● Limit permission scope
56. Ideal Credential Lifecycle (diagram)
Application: 1. Request Access Credential (Running); 2. Use the Credential to Access Service; 3. Revoke the Credential
Service is Accessed
Credentials Only Exist in Memory
59. Master Key
◉ When a Vault server is first initialized, Vault generates a master key
◉ Immediately splits this master key into a series of key shares following Shamir's Secret Sharing Algorithm
60. Encryption Key
◉ The master key is used to decrypt the underlying encryption key
◉ Vault uses the encryption key to encrypt data at rest in a storage backend like the filesystem or Consul
61. Seal/Unseal
◉ Vault never stores the master key; therefore, the only way to retrieve the master key is to have a quorum of unseal keys re-generate it.
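Slides 59 to 61 rest on one property of Shamir's scheme: the shares are points on a random polynomial whose constant term is the master key, so any quorum of them re-generates the key exactly while fewer than the threshold yields nothing useful. The code below implements split and combine for a 5-share, 3-threshold setup and mimics the unseal progress counter that 'vault status' shows. It is an added example, not Vault's code: Vault shares the key byte-wise over GF(2^8), whereas this demo uses a single prime field for readability; the 16-byte master key and the Seal class are constructed.

```python
"""Shamir's Secret Sharing as Vault applies it to the master key (slides 59-61):
5 key shares, any 3 re-generate the key, the key itself is never written down.
Constructed example, not Vault's code: one prime field instead of GF(2^8)."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; any 16-byte key is a valid field element


def _eval_poly(coeffs, x):
    # Horner's rule over GF(PRIME); coeffs[0] is the secret (constant term)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret: bytes, shares: int, threshold: int):
    """Random degree-(threshold-1) polynomial with the secret as constant term;
    share i is the point (i, f(i)). Returns a list of (x, y) tuples."""
    s = int.from_bytes(secret, "big")
    if not (s < PRIME and 0 < threshold <= shares < PRIME):
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine(shares) -> bytes:
    """Lagrange interpolation at x = 0. Correct only with at least `threshold`
    distinct shares; with fewer it returns a wrong key, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s.to_bytes(16, "big")


class Seal:
    """Mimics the `vault status` unseal progress: shares are collected in memory
    and the master key is re-generated once `threshold` of them are present."""

    def __init__(self, total_shares: int, threshold: int):
        self.total_shares, self.threshold = total_shares, threshold
        self._pending = {}
        self.master_key = None  # only ever lives in memory, never on disk

    @property
    def sealed(self) -> bool:
        return self.master_key is None

    def unseal(self, share) -> str:
        """One `vault operator unseal` invocation; returns the status line."""
        self._pending[share[0]] = share
        if len(self._pending) < self.threshold:
            return f"Unseal Progress {len(self._pending)}/{self.threshold}"
        self.master_key = combine(list(self._pending.values()))
        self._pending.clear()
        return "Sealed false"


def demo(master_key: bytes = bytes(range(16))):
    """Split a constructed key 5/3 and show which subsets recover it."""
    shares = split(master_key, shares=5, threshold=3)
    seal = Seal(total_shares=5, threshold=3)
    progress = [seal.unseal(shares[i]) for i in (0, 3, 4)]  # any three will do
    return {
        "from_three": combine(shares[:3]) == master_key,
        "from_four": combine(shares[:4]) == master_key,
        "from_two": combine(shares[:2]) == master_key,  # False: below quorum
        "progress": progress,
        "unsealed": not seal.sealed and seal.master_key == master_key,
    }


if __name__ == "__main__":
    print(demo())
```

Note that combine() with two shares silently returns a wrong key rather than failing, which is why the threshold is tracked by the seal and not by the math; it also illustrates why the shares should be handed to different custodians, since whoever holds three of them holds the master key.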
62. Practice (1/3)
# switch to CH03 folder
~$ cd vault/CH03
# boot vault server and log in to it
~$ ./start_local_vault.sh
# check vault status
~$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     false
Sealed          true
Total Shares    0
Threshold       0
Unseal Progress 0/0
Unseal Nonce    n/a
Version         n/a
HA Enabled      false
64. Practice (3/3)
# unseal vault
# repeat 3 times
~$ vault operator unseal
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          true
Total Shares    5
Threshold       3
Unseal Progress 1/3
Unseal Nonce    a0dfd3da-0fcb-0268-baba-ef4cbe5550bc
Version         1.1.2
HA Enabled      false
# after the third share
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.2
Cluster Name    vault-cluster-59fe6b22
Cluster ID      81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled      false
65. Auto-Unseal
◉ AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS
67. Practice (2/6)
◉ Append seal config section into config/default.hcl
…
seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "xxxxxxxx-wwww-xxxx-zzzz-yyyyyyyyyyyy"
}
68. Practice (3/6)
◉ Add AWS AK/SK into .env file
VAULT_ADDR=http://127.0.0.1:8200
AWS_ACCESS_KEY_ID=DFJLSFKJLD8358KJLJK8
AWS_SECRET_ACCESS_KEY=JioeuJek7+jgJLIUJWTYSfv3rr49JRoqt
69. Practice (4/6)
# restart vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                        Value
---                        -----
Recovery Seal Type         shamir
Initialized                true
Sealed                     true
Total Recovery Shares      5
Threshold                  3
Unseal Progress            0/3
Unseal Nonce               n/a
Seal Migration in Progress true
Version                    1.1.2
HA Enabled                 false
70. Practice (5/6)
# seal migration
# repeat 3 times
~$ vault operator unseal -migrate
Unseal Key (will be hidden):
Key                   Value
---                   -----
Recovery Seal Type    shamir
Initialized           true
Sealed                false
Total Recovery Shares 5
Threshold             3
Version               1.1.2
Cluster Name          vault-cluster-59fe6b22
Cluster ID            81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled            false
71. Practice (6/6)
# exit vault server container by Ctrl+D
# restart vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                   Value
---                   -----
Recovery Seal Type    shamir
Initialized           true
Sealed                false
Total Recovery Shares 5
Threshold             3
Version               1.1.2
Cluster Name          vault-cluster-59fe6b22
Cluster ID            81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled            false
79. Practice (3/3)
# login user and use the token
~$ unset VAULT_TOKEN
~$ vault login -method=userpass username=smalltown password=12345678
# try to get the database credentials
~$ vault kv get kv/stag/database/admin
~$ vault kv get kv/prod/database/admin
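The two 'kv get' calls above exercise the policy attached to smalltown's token: the CLI turns 'kv get kv/stag/database/admin' into a read on 'kv/data/stag/database/admin', and Vault checks that path against every rule in the token's policies. The slides do not show the workshop's policy, so the one below is an assumption chosen to make the staging read succeed and the prod read fail. The evaluator is an added, simplified model of Vault's ACL matching (trailing '*' glob, '+' for one path segment, most specific rule wins, explicit deny wins), not Vault's own code.

```python
"""Simplified model of Vault ACL policy evaluation for a KV v2 mount.
Constructed example, not Vault's code; SMALLTOWN_POLICY is assumed, the
slides do not show the real one."""
import re

# Assumed policy for smalltown: read-only on staging, explicitly denied on prod.
SMALLTOWN_POLICY = '''
path "kv/data/stag/*"     { capabilities = ["read"] }
path "kv/metadata/stag/*" { capabilities = ["list", "read"] }
path "kv/data/prod/*"     { capabilities = ["deny"] }
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> list:
    """Returns [(path_pattern, {capabilities})] from the HCL-like policy text."""
    rules = []
    for pattern, caps in RULE_RE.findall(hcl):
        rules.append((pattern, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def _pattern_to_regex(pattern: str):
    # '*' is only meaningful as a trailing glob; '+' matches exactly one segment
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    body = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/"))
    return re.compile("^" + body + (".*" if glob else "") + "$")


def kv_get_path(mount: str, key: str) -> str:
    """`vault kv get <mount>/<key>` is an HTTP read on <mount>/data/<key>."""
    return f"{mount}/data/{key}"


def allowed(policies, path: str, capability: str) -> bool:
    """Union the capabilities of the most specific matching rules across all
    attached policies; deny wins over everything else; no match means denied."""
    best_len, caps = -1, set()
    for rules in policies:
        for pattern, rule_caps in rules:
            if not _pattern_to_regex(pattern).match(path):
                continue
            specificity = len(pattern.rstrip("*"))
            if specificity > best_len:
                best_len, caps = specificity, set(rule_caps)
            elif specificity == best_len:
                caps |= rule_caps
    return "deny" not in caps and capability in caps


def check_smalltown() -> dict:
    """Reproduces the two reads from the slide plus a few neighbouring cases."""
    policies = [parse_policy(SMALLTOWN_POLICY)]
    return {
        "stag_read": allowed(policies, kv_get_path("kv", "stag/database/admin"), "read"),
        "prod_read": allowed(policies, kv_get_path("kv", "prod/database/admin"), "read"),
        "stag_write": allowed(policies, kv_get_path("kv", "stag/database/admin"), "update"),
        "other_mount": allowed(policies, kv_get_path("secret", "stag/database/admin"), "read"),
        "stag_list": allowed(policies, "kv/metadata/stag/", "list"),
    }


if __name__ == "__main__":
    print(check_smalltown())
```

Two defender-side observations: a policy that merely omits prod would also deny the read, but the explicit deny survives if someone later attaches a broader policy to the same user; and because 'kv get' really targets the data/ sub-path, a rule written against 'kv/stag/*' would match nothing on a KV v2 mount.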
84. Practice (4/4)
# exit vault server container by Ctrl+D
# restart vault server
~$ ./restart_local_vault.sh
# check vault status
~$ vault status
Key                   Value
---                   -----
Recovery Seal Type    shamir
Initialized           true
Sealed                false
Total Recovery Shares 5
Threshold             3
Version               1.1.2
Cluster Name          vault-cluster-59fe6b22
Cluster ID            81a9858f-a363-74c7-931b-ec2b0f426e08
HA Enabled            true
HA Cluster            https://vault-workshop.hub.internal:444
HA Mode               active
95. Telemetry
◉ The Vault server process collects various runtime metrics about the performance of different libraries and subsystems.
◉ To view the telemetry information, you must send a signal to the Vault process
◉ Metrics can also be streamed directly from Vault to a range of metrics aggregation solutions