![$ vault auth -method=github token=000000905b381e723b3d6a
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do
not
need to "vault auth" again with the token.
token: 0d9ab511-bc25-4fb6-a58b-94ce12b8da9c
token_duration: 2764800
token_policies: [default dev-policy]
Authentication](https://image.slidesharecdn.com/hidingsecretsinvalutss-170323155101/85/Hiding-secrets-in-Vault-65-320.jpg)
Hiding secrets in Vault
- 1. Hiding secrets in Vault STJEPAN HADJIĆ RAILS TEAM LEAD
- 2. 20 person backend team Rails, Elixir, Go and DevOps
- 4. Heroku
- 5. 12 points - how to build your web app
- 6. Chapter III: strict separation of config from code
- 8. Make it open source
- 10. Ryan Hellyer
- 11. TruffleHog
- 13. Carlo van Wyk
- 14. Creating private repositories with Visual Studio 2015
- 17. Keep them hidden! Keep them safe!
- 18. 02FIRST STEPS
- 19. STOP hardcoding your secrets
- 20. STOP committing secrets to SCM
- 35. 03OPTIONS
- 38. Amazon Key Management Service (KMS)
- 39. Confidant?
- 40. Keywhiz
- 41. Vault
- 42. HashiCorp
- 43. Vagrant
- 44. Consul
- 45. 04VAULT
- 47. $ vault init Key 1: 427cd2c310be3b84fe69372e683a790e01 Key 2: 0e2b8f3555b42a232f7ace6fe0e68eaf02 Key 3: 37837e5559b322d0585a6e411614695403 Key 4: 8dd72fd7d1af254de5f82d1270fd87ab04 Key 5: b47fdeb7dda82dbe92d88d3c860f605005 Initial Root Token: eaf5cc32-b48f-7785-5c94-90b5ce300e9b Vault initialized with 5 keys and a key threshold of 3!
- 48. Secret Backends
- 49. Auth Backends APPID APPROLE LDAP USERNAME & PASSWORD MFA
- 51. Dynamic Secrets
- 52. Data Encryption
- 54. Revocation
- 55. Pro and Enterprise editions
- 56. 05THE SETUP
- 57. Vault CLI
- 58. backend "consul" { address = "127.0.0.1:8500" path = "vault" } listener "tcp" { address = "127.0.0.1:8200" } Configuration
- 59. $ vault server -config=example.hcl ==> Vault server configuration: Log Level: info Backend: consul Listener 1: tcp (addr: "127.0.0.1:8200") ==> Vault server started! Log data will stream in below: Starting the server
- 60. $ vault init Key 1: 427cd2c310be3b84fe69372e683a790e01 Key 2: 0e2b8f3555b42a232f7ace6fe0e68eaf02 Key 3: 37837e5559b322d0585a6e411614695403 Key 4: 8dd72fd7d1af254de5f82d1270fd87ab04 Key 5: b47fdeb7dda82dbe92d88d3c860f605005 Initial Root Token: eaf5cc32-b48f-7785-5c94-90b5ce300e9b Vault initialized with 5 keys and a key threshold of 3! ... Initialising Vault
- 61. $ vault unseal Key (will be hidden): Sealed: true Key Shares: 5 Key Threshold: 3 Unseal Progress: 1 Unsealing
- 62. $ vault auth-enable github Successfully enabled 'github' at ‘github'! $ vault write auth/github/config organization=awesomecorp Success! Data written to: auth/github/config Authentication
- 63. # policy.hcl path “path/to/secret” { policy = "write" } $ vault policy-write dev-policy policy.hcl Authorization
- 64. $ vault write auth/github/map/teams/dev-team value=dev-policy Success! Data written to: auth/github/map/teams/dev-team Mapping policies
- 65. $ vault auth -method=github token=000000905b381e723b3d6a Successfully authenticated! You are now logged in. The token below is already saved in the session. You do not need to "vault auth" again with the token. token: 0d9ab511-bc25-4fb6-a58b-94ce12b8da9c token_duration: 2764800 token_policies: [default dev-policy] Authentication
- 66. $ vault write path/to/secret foo=bar $ vault read path/to/secret Writing and reading to Vault
- 67. $ vault write path/to/secret foo=bar $ vault read path/to/secret Writing and reading to Vault
- 68. $ vault write path/to/secret foo=bar $ vault read path/to/secret Writing and reading to Vault
- 69. $ vault write path/to/secret foo=bar $ vault read path/to/secret Writing and reading to Vault
- 84. $ vault write path/to/secret foo=bar $ vault read path/to/secret
- 90. $ secrets init
- 91. # file where your secrets are kept depending on your environment gem :secrets_file: config/application.yml # vault path where your secrets will be kept :secrets_storage_key: rails/awesome-app/
- 92. $ secrets push Are you sure you want to write config/application.yml to rails/awesome-app/dev Yes There are some differences between config/application.yml and vault: @@ -18,8 +18,8 @@ development: - # database_database: awesome_app_development - database_database: awesome_app_dev + database_database: awesome_app_development + # database_database: awesome_app_dev test: database_database: awesome_app_test Are you sure you want to override rails/awesome-app/dev? Yes
- 93. $ secrets pull secret_key_base: 766c50c121afcf5dcfb78487e97 devise_secret_key: 73056c18285b9251987a10d9aabfcfc database_host: localhost database_username: postgres database_password: amazon_access_key_id: **** amazon_secret_access_key: **** amazon_region: eu-central-1 bugsnag_api_key: ae81c7effa braintree_env: sandbox braintree_merchant_id: bfpb5vm braintree_public_key: 44n9nh9t braintree_private_key: b4e458a braintree_plan_id: 1234
- 94. Visit infinum.co or find us on social networks: infinum.co infinumco infinumco infinum Any questions? STJEPAN.HADJIC@INFINUM.CO @_BEAST_