Protect YugabyteDB with Hashicorp Vault.pdf

gwennetourneau 234 views 23 slides Jul 18, 2024

About This Presentation

This presentation presents how we can use Vault to secure DB credentials.


Slide Content

©2024 HASHICORP
Protect YugabyteDB with Hashicorp Vault
Etourneau Gwenn
Staff Resident Architect
YugabyteDB Tokyo #5
2024/07/17

Table of Contents / Agenda
Vault
About Me
Dynamic Database Credentials
Examples

About Me

Etourneau Gwenn
Staff Resident Architect
20+ years of experience

Previous companies:
Yugabyte - Principal Solution Architect
Woven By Toyota - Staff Platform Architect
Pivotal - Advisory Architect
Rakuten - PaaS team & Technical lead

01 Vault

In dynamic cloud infrastructure, security starts with identity.

Identity-based security uses trusted identities to automate access to secrets, data, and applications:
●Security system of record to centrally store and protect secrets across clouds and applications
●Lifecycle management of your credentials to ensure proper oversight, rotation, and expiry
●Authenticate and authorize every access request

Diagram: Client -> Token -> Authentication System (AD, LDAP, IAM)

Identity-based security
Automate secure access and lifecycle management for credentials and sensitive data

Secrets: Static, Rotated, Dynamic, Database
Certificates: PKI
Keys: Managed Keys, KMS, KMIP, HSM
Data Protection: Encryption, Signatures, Tokenization

01 Dynamic Database Credentials

Database Secrets Engines
●Generate database credentials dynamically based on configured roles
●A mechanism to easily provide every service/instance with unique credentials for DB access
●Vault's leasing mechanism is employed to easily rotate credentials

Database Credential Types
●Dynamic user/application credentials
●Root credential rotation
●Static Roles

Dynamic Database Credentials
●On-demand short-lived credentials for application and user requests
●Can be scoped to specific grant statements
●Revoked at TTL expiration
●Applications or users that need occasional access provision it as needed, and credentials do not exist when not in use

Diagram flow: the application requests DB credentials from Vault -> Vault runs "CREATE USER … WITH PASSWORD" on the database -> Vault returns a dynamic credential (valid for X days)

Static Database Roles
●Automatic rotation of database user account passwords
●Ideal for longer-lived connections, i.e. service accounts
●Align with security best practices and compliance policy

Diagram flow: 1 Create a static role -> 2 Request credentials -> 3 Return credentials -> 4 Connect to DB

Root Credential Rotation
●Periodically rotate root database password
●Maintain GRC / security policy compliance
●Rotate root credentials after initial database configuration - only Vault will have the privileged credentials

Diagram flow: 1 Vault is configured with privileged DB credentials (username: root, password: rootpassword) -> 2 Rotate root credentials (username: root, password: newpassword) -> 3 The app gets a unique set of DB credentials and reads/writes from the DB

01 YugabyteDB

YugabyteDB
●PostgreSQL +++
●Scalability
●Built-in Resilience
●Enterprise

Database Secrets Engines

YugabyteDB architecture: an Extensible Query Layer (extensible to support multiple APIs) on top of the DocDB Storage Layer (distributed, transactional document store with sync and async replication support).
YSQL API -> hashicorp-vault-ysql-plugin
YCQL API -> cassandra-database-plugin
https://github.com/yugabyte/hashicorp-vault-ysql-plugin

Database Secrets Engines
●The built-in postgres plugin can also be used, but it will not be able to use the YugabyteDB-specific capabilities

03 Examples

First steps

Enable DB secret engine:
vault secrets enable database

Configure Vault:
vault write database/config/postgresql \
  plugin_name=ysql-plugin \
  connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres?load_balance=true&yb_servers_refresh_interval=0" \
  allowed_roles="*" \
  username="root" \
  password="rootpassword"

Root Credential Rotation

1 Rotate root credentials:
vault write -force database/rotate-root/postgresql

Dynamic Database Roles

1 Configure role in Vault (db_name refers to the connection configured above as database/config/postgresql):
vault write database/roles/my-role \
  db_name="postgresql" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

2 Get credentials:
vault read database/creds/my-role

Static Database Roles

1 Configure username in Vault (static roles take a rotation_period or rotation_schedule rather than default_ttl/max_ttl; the path is database/static-roles/):
vault write database/static-roles/my-static-role \
  db_name="postgresql" \
  username="myusername" \
  rotation_period="1h"

2 Get credentials (static roles are read from database/static-creds/, not database/creds/):
vault read database/static-creds/my-static-role

Rotation

vault write database/static-roles/my-static-role \
  . . .
  rotation_period="1h"

Alternatively, rotate on a cron schedule instead of a fixed period (the two options are mutually exclusive):
  rotation_schedule="<cron expression>"
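The examples above are typed into the vault CLI; the following added example (not from the slides, and not part of the yugabyte/hashicorp-vault-ysql-plugin project) walks the same procedure over Vault's HTTP API, which is what the CLI calls underneath, and additionally shows what the role's creation_statements expand to and how default_ttl and max_ttl bound a dynamic credential's lifetime. It assumes VAULT_ADDR, VAULT_TOKEN, POSTGRES_URL and POSTGRES_ROOT_PASSWORD are set, that the YSQL plugin is registered as "ysql-plugin", and generate_username() is only an approximation of the PostgreSQL plugin's default username template.

```python
"""Added example (not from the slides or the yugabyte plugin): drives the
Vault database secrets engine over its HTTP API, the same calls the vault CLI
makes, and shows what a role's creation_statements expand to. Assumptions:
VAULT_ADDR, VAULT_TOKEN, POSTGRES_URL, POSTGRES_ROOT_PASSWORD are set, the
YSQL plugin is registered as "ysql-plugin", and generate_username() only
approximates the PostgreSQL plugin's default username template."""
import json
import os
import secrets
import string
import urllib.request
from datetime import datetime, timezone

# Same shape as the slides' role definition (constructed sample).
CREATION_STATEMENTS = (
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' "
    "VALID UNTIL '{{expiration}}'; "
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
)


def render_statements(template, name, password, expires_at):
    """Expand {{name}}, {{password}} and {{expiration}} (unix timestamp) the
    way the engine does before it runs the SQL against the database."""
    exp = datetime.fromtimestamp(expires_at, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S%z")
    return (template.replace("{{name}}", name).replace("{{password}}", password)
            .replace("{{expiration}}", exp))


def generate_username(display_name, role_name, now):
    """Approximation (assumption) of the PostgreSQL plugin's default template:
    v-<display name[:8]>-<role[:8]>-<20 random>-<unix time>, cut to 63 chars."""
    rand = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(20))
    return f"v-{display_name[:8]}-{role_name[:8]}-{rand}-{now}"[:63]


def lease_expiry(issued_at, ttl, max_ttl, renewals):
    """Each renewal adds ttl seconds, but the lease never outlives issued_at + max_ttl,
    after which Vault runs the revocation statements and the DB role disappears."""
    return min(issued_at + ttl * (renewals + 1), issued_at + max_ttl)


class VaultDB:
    """Minimal client for the database secrets engine's HTTP API."""

    def __init__(self, addr, token, mount="database"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"X-Vault-Token": self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()               # writes usually answer 204 No Content
        return json.loads(raw) if raw else {}

    def enable_engine(self):                # vault secrets enable database
        return self._call("POST", f"sys/mounts/{self.mount}", {"type": "database"})

    def configure(self, name, conn_url, username, password, plugin="ysql-plugin"):
        return self._call("POST", f"{self.mount}/config/{name}", {
            "plugin_name": plugin, "connection_url": conn_url, "allowed_roles": "*",
            "username": username, "password": password})

    def rotate_root(self, name):            # vault write -force database/rotate-root/<name>
        return self._call("POST", f"{self.mount}/rotate-root/{name}")

    def write_role(self, role, db_name, statements, default_ttl="1h", max_ttl="24h"):
        return self._call("POST", f"{self.mount}/roles/{role}", {
            "db_name": db_name, "creation_statements": statements,
            "default_ttl": default_ttl, "max_ttl": max_ttl})

    def read_creds(self, role):             # vault read database/creds/<role>
        return self._call("GET", f"{self.mount}/creds/{role}")

    def revoke(self, lease_id):             # vault lease revoke <lease_id>
        return self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})


def main():
    v = VaultDB(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    v.enable_engine()
    v.configure("postgresql", "postgresql://{{username}}:{{password}}@" + os.environ["POSTGRES_URL"]
                + "/postgres?load_balance=true&yb_servers_refresh_interval=0",
                username="root", password=os.environ["POSTGRES_ROOT_PASSWORD"])
    v.rotate_root("postgresql")   # from here on only Vault knows the root password
    v.write_role("my-role", "postgresql", CREATION_STATEMENTS)
    creds = v.read_creds("my-role")
    print(creds["data"]["username"], "lease", creds["lease_id"], "ttl", creds["lease_duration"])
    v.revoke(creds["lease_id"])   # drop the DB user early instead of waiting for the TTL


if __name__ == "__main__":
    main()
```

Run it with `python3 vault_ysql_demo.py` against a dev Vault; the rotate_root call is the step after which the original root password in the configuration is no longer valid anywhere outside Vault, so keep it out of any shell history or CI log once the connection has been configured. The revoke at the end is the same cleanup Vault would perform itself when the lease reaches its TTL.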

©2024 HASHICORP
Thank you
[email protected]