Every enterprise system has tons of sensitive data, like database passwords or third-party API keys. Quite often people store this data openly in internal repositories, continuous integration pipelines or configuration management systems. The bigger the company, the stricter the security rules. It is more complex and important when you have thousands of different applications and each one has its own secrets. In this talk I give an overview of my personal experience with Vault technology and show by example how you can build your own policies and move your secrets to Vault.
Can you keep a secret? (XP Days 2017)
1. Can you keep a secret?
Moisieienko Valerii
XP Days 2017
2. Who Is This Guy?
• Senior Application Engineer @ Oracle UGBU
• 8+ years in commercial software development
• Oracle Certified Professional
• MapR Certified HBase Developer
• Masters Degree in Information Security
4. Everybody Has A Secret
• Database credentials
• Third-party API keys
• License keys
• Sensitive environment variables
5. And How Do We Usually Keep Them?
database:
  connections:
    default:
      url: jdbc:mysql://my.db.server:3306/example_service
      user: service_user
      password: superStrongPassword
apiToken: 8d07b5e9-fbb2-4499-a3c4-053190a78827
8. The Task
• Reliable secret storage
• Data encryption support
• Flexible user authentication backend
• Authorization
• Convenient interaction for humans and applications
20. Admin Policy
example-service-admin.hcl

# Admins can read/write secrets for their service
path "secret/service/example_service/v1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Admins can provision tokens for their service
path "auth/token/create/role.service.example-service" {
  capabilities = ["create", "update"]
}
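As an added example (not from the slides, and not Vault's own code), here is a small Python model of how Vault evaluates the admin policy above, so you can check what a token holding it may and may not do before handing it out. It embeds the admin policy verbatim plus an assumed read-only companion policy for the service itself (SERVICE_POLICY is an assumption, as are the sample secret paths such as .../v1/db). The evaluation rules are a simplified version of Vault's ACL semantics: an exact path beats a glob, a longer glob prefix beats a shorter one, rules of equal specificity are merged, and a "deny" in the winning rule blocks the request. The parser handles only the path/capabilities stanza shape used on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The admin policy from the slide above, verbatim.
ADMIN_POLICY = """
# Admins can read/write secrets for their service
path "secret/service/example_service/v1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Admins can provision tokens for their service
path "auth/token/create/role.service.example-service" {
  capabilities = ["create", "update"]
}
"""

# Assumed companion policy for the service's own token (not on the slides):
# read-only on its secrets, and explicitly denied the token-minting paths.
SERVICE_POLICY = """
path "secret/service/example_service/v1/*" {
  capabilities = ["read"]
}
path "auth/token/create/*" {
  capabilities = ["deny"]
}
"""

_STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


@dataclass(frozen=True)
class Rule:
    pattern: str
    capabilities: frozenset[str]


def parse_policy(hcl: str) -> list[Rule]:
    """Extract the `path "..." { capabilities = [...] }` stanzas of a policy.

    Deliberately minimal: strips # comments and matches only this shape,
    which is all the policies on this page use. Not a general HCL parser.
    """
    text = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    rules = []
    for pattern, caps in _STANZA.findall(text):
        names = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.append(Rule(pattern, names))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """A trailing '*' is a prefix glob; any other pattern must match exactly."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def allowed(policies: list[list[Rule]], path: str, capability: str) -> bool:
    """Decide whether a token holding *policies* may do *capability* on *path*.

    Simplified Vault semantics: the most specific matching rule wins (an
    exact path beats any glob, a longer glob prefix beats a shorter one);
    rules of equal specificity across policies are merged; a "deny" in the
    winning rule blocks the request no matter what else it grants.
    """
    best_key = None
    caps: frozenset[str] = frozenset()
    for rule in (r for policy in policies for r in policy):
        if not _matches(rule.pattern, path):
            continue
        key = (not rule.pattern.endswith("*"), len(rule.pattern))
        if best_key is None or key > best_key:
            best_key, caps = key, rule.capabilities
        elif key == best_key:
            caps = caps | rule.capabilities
    if best_key is None or "deny" in caps:
        return False
    return capability in caps


ADMIN_RULES = parse_policy(ADMIN_POLICY)
SERVICE_RULES = parse_policy(SERVICE_POLICY)

if __name__ == "__main__":
    # Constructed sample requests, not real paths from the talk.
    checks = [
        ("admin", [ADMIN_RULES], "secret/service/example_service/v1/db", "update"),
        ("admin", [ADMIN_RULES], "secret/service/example_service/v1", "read"),
        ("admin", [ADMIN_RULES], "secret/service/other_service/v1/db", "read"),
        ("admin", [ADMIN_RULES], "auth/token/create/role.service.other", "create"),
        ("service", [SERVICE_RULES], "secret/service/example_service/v1/db", "read"),
        ("service", [SERVICE_RULES], "secret/service/example_service/v1/db", "update"),
        ("service", [SERVICE_RULES], "auth/token/create/role.service.example-service", "create"),
    ]
    for who, pols, path, cap in checks:
        print(f"{who:8} {cap:7} {path:50} -> {allowed(pols, path, cap)}")
```

Two details worth noticing when you run it: the glob `secret/service/example_service/v1/*` does not cover the parent path `secret/service/example_service/v1` itself, and the token-creation rule is an exact path, so an admin token cannot mint tokens for any other service's role. For a real deployment, confirm the same answers with Vault's own `sys/capabilities-self` endpoint rather than this model.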