Secure second days operations with Boundary and Vault.pdf
attachmentgenie
30 views
39 slides
Jun 11, 2024
Slide 1 of 39
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
About This Presentation
We now live in the age of cloud native which also means that we now have an incredibly dynamic fleet of nodes to maintain. Instead of injecting a well known SSH key into our entire infrastructure this talk will show how we can utilise Boundary and Vault to build a zero trust system. This than allows...
Slide Content
Secure second day
operations with
Boundary and
Vault
Bram Vogelaar
@attachmentgenie
operations with
Boundary and
Vault
Bram Vogelaar
@attachmentgenie
“I bet I know the most
powerful user in your
platform”
powerful user in your
platform”
“I am 99.9% sure it is not
root”
root”
“It probably is your own ssh key”
“I am also pretty sure it’s
as old as your platform”
as old as your platform”
~ ❯ whoami
Previously a Molecular Biologist
Then became a Dev, now an Ops
Amsterdam HUG organizer
HashiCorp Ambassador 2024
HashiCorp Core Contributor 2024
Previously a Molecular Biologist
Then became a Dev, now an Ops
Amsterdam HUG organizer
HashiCorp Ambassador 2024
HashiCorp Core Contributor 2024
On today’s agenda
“Let's rotate the secrets …right now”
Connect GHA to Vault
CODE EDITOR
steps:
- name: Import Vault Secrets
id: vault_secrets
uses: hashicorp/vault-action@v3
with:
url: "https://nonofyourbusiness.hashicorp.cloud:8200"
namespace: "admin/engineering"
githubToken: ${{ secrets.CI_RUNNER_ACCESS_TOKEN }}
method: approle
roleId: ${{ secrets.CI_VAULT_ROLE_ID }}
secretId: ${{ secrets.CI_VAULT_SECRET_ID }}
secrets: |
shared/secrets/data/not_a_secret foo ;
- name: Print foo secret length
run: echo -n $FOO | wc -l
CODE EDITOR
steps:
- name: Import Vault Secrets
id: vault_secrets
uses: hashicorp/vault-action@v3
with:
url: "https://nonofyourbusiness.hashicorp.cloud:8200"
namespace: "admin/engineering"
githubToken: ${{ secrets.CI_RUNNER_ACCESS_TOKEN }}
method: approle
roleId: ${{ secrets.CI_VAULT_ROLE_ID }}
secretId: ${{ secrets.CI_VAULT_SECRET_ID }}
secrets: |
shared/secrets/data/not_a_secret foo ;
- name: Print foo secret length
run: echo -n $FOO | wc -l
Create a Github application
Create a Github application
Connect your github application
Connect your github application
CODE EDITOR
data "github_repository" "atc" {
full_name = "attachmentgenie/atc"
}
resource "github_app_installation_repository" "atc" {
installation_id = "1234567"
repository = data,github_repository.atc.name
}
CODE EDITOR
data "github_repository" "atc" {
full_name = "attachmentgenie/atc"
}
resource "github_app_installation_repository" "atc" {
installation_id = "1234567"
repository = data,github_repository.atc.name
}
Link the Github application
CODE EDITOR
vault write sys/sync/github-apps/hashidays_gha_secrets \
app_id=<APP_ID> \
private_key=<PATH_TO_PRIVATE_KEY>
CODE EDITOR
vault write sys/sync/github-apps/hashidays_gha_secrets \
app_id=<APP_ID> \
private_key=<PATH_TO_PRIVATE_KEY>
Create the sync location
CODE EDITOR
vault write sys/sync/destinations/gh/hashidays-gha-secrets \
installation_id=<INSTALLATION_ID> \
repository_owner=<GITHUB_USER> \
repository_name=<MY_REPO_NAME> \
app_name=<APP_NAME>
CODE EDITOR
vault write sys/sync/destinations/gh/hashidays-gha-secrets \
installation_id=<INSTALLATION_ID> \
repository_owner=<GITHUB_USER> \
repository_name=<MY_REPO_NAME> \
app_name=<APP_NAME>
Create the secret and sync instructions
CODE EDITOR
vault secrets enable -path=hashidays-gha-secrets kv-v2
vault kv put -mount='hashidays-gha-secrets' my-secret foo='bar'
vault write sys/sync/destinations/gh/hashidays-gha-secrets/associations/set \
mount=hashidays-gha-secrets \
secret_name=my-secret
CODE EDITOR
vault secrets enable -path=hashidays-gha-secrets kv-v2
vault kv put -mount='hashidays-gha-secrets' my-secret foo='bar'
vault write sys/sync/destinations/gh/hashidays-gha-secrets/associations/set \
mount=hashidays-gha-secrets \
secret_name=my-secret
“O11y exposes a wealth of
information”
information”
Securing Node Exporter
CODE EDITOR
tls_server_config:
cert_file: /etc/node_exporter/ssl/node.pki.vagrant.cert
key_file: /etc/node_exporter/ssl/node.pki.vagrant.key
client_auth_type: RequireAndVerifyClientCert
client_ca_file: /etc/node_exporter/ssl/ca.cert
CODE EDITOR
tls_server_config:
cert_file: /etc/node_exporter/ssl/node.pki.vagrant.cert
key_file: /etc/node_exporter/ssl/node.pki.vagrant.key
client_auth_type: RequireAndVerifyClientCert
client_ca_file: /etc/node_exporter/ssl/ca.cert
Securing Node Exporter
CODE EDITOR
global:
scrape_interval: 15s
evaluation_interval: 15s
scrape_configs:
- job_name: "tls"
static_configs: - targets: [”node.pki.vagrant:9100"]
scheme: https
tls_config:
cert_file: /etc/prometheus/ssl/prometheus.pki.vagrant.cert
key_file: /etc/prometheus/ssl/prometheus.pki.vagrant.key
ca_file: /etc/prometheus/ssl/ca.cert
CODE EDITOR
global:
scrape_interval: 15s
evaluation_interval: 15s
scrape_configs:
- job_name: "tls"
static_configs: - targets: [”node.pki.vagrant:9100"]
scheme: https
tls_config:
cert_file: /etc/prometheus/ssl/prometheus.pki.vagrant.cert
key_file: /etc/prometheus/ssl/prometheus.pki.vagrant.key
ca_file: /etc/prometheus/ssl/ca.cert
Vault Agent Config
CODE EDITOR
vault {
address = "http://prometheus.pki.vagrant:8200"
}
auto_auth {
method "approle" {
config = {
role_id_file_path = "/vagrant_data/tmp/role_id"
secret_id_file_path = "/vagrant_data/tmp/secret_id"
remove_secret_id_file_after_reading = false
}
}
}
* Wildly insecure config, for demo purpose only
CODE EDITOR
vault {
address = "http://prometheus.pki.vagrant:8200"
}
auto_auth {
method "approle" {
config = {
role_id_file_path = "/vagrant_data/tmp/role_id"
secret_id_file_path = "/vagrant_data/tmp/secret_id"
remove_secret_id_file_after_reading = false
}
}
}
* Wildly insecure config, for demo purpose only
Vault Agent Config Cont.
CODE EDITOR
template {
contents="{{ with secret \"pki_int/issue/pki-dot-vagrant\" \"ttl=3m\"
\"common_name=prometheus.pki.vagrant\" }}{{ .Data.certificate }}{{ end }}"
destination="/etc/prometheus/ssl/prometheus.pki.vagrant.cert"
command = "killall -HUP prometheus"
}
…
{{ .Data.issuing_ca }} => "/etc/prometheus/ssl/ca.cert”
{{.Data.private_key }} => "/etc/prometheus/ssl/prometheus.pki.vagrant.key"
CODE EDITOR
template {
contents="{{ with secret \"pki_int/issue/pki-dot-vagrant\" \"ttl=3m\"
\"common_name=prometheus.pki.vagrant\" }}{{ .Data.certificate }}{{ end }}"
destination="/etc/prometheus/ssl/prometheus.pki.vagrant.cert"
command = "killall -HUP prometheus"
}
…
{{ .Data.issuing_ca }} => "/etc/prometheus/ssl/ca.cert”
{{.Data.private_key }} => "/etc/prometheus/ssl/prometheus.pki.vagrant.key"
Build In certificate expiration
“Ben the BI guy, needs
database access for a bit”
database access for a bit”
Single Use Database Credentials
CODE EDITOR
vault secrets enable database
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres" \
allowed_roles=readonly \
username="root" \
password="nolongercommonknowledge"
CODE EDITOR
vault secrets enable database
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres" \
allowed_roles=readonly \
username="root" \
password="nolongercommonknowledge"
Create “create user” instructions
CODE EDITOR
tee readonly.sql <<EOF
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'
INHERIT;
GRANT ro TO "{{name}}";
EOF
vault write database/roles/readonly \
db_name=postgresql \
[email protected] \
default_ttl=1h \
max_ttl=24h
CODE EDITOR
tee readonly.sql <<EOF
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'
INHERIT;
GRANT ro TO "{{name}}";
EOF
vault write database/roles/readonly \
db_name=postgresql \
[email protected] \
default_ttl=1h \
max_ttl=24h
Create “create user” instructions
CODE EDITOR
vault read database/creds/readonly
Key Value
--- -----
lease_id database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD
lease_duration 1h
lease_renewable true
password A1a-ckirtymYaXACpIHn
username v-token-readonly-6iRIcGv8tLpu816oblPY-1556567086
CODE EDITOR
vault read database/creds/readonly
Key Value
--- -----
lease_id database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD
lease_duration 1h
lease_renewable true
password A1a-ckirtymYaXACpIHn
username v-token-readonly-6iRIcGv8tLpu816oblPY-1556567086
“Can you just put on the
sftp server anyway?”
sftp server anyway?”
Conway’s Law OU group
Boundary as Source of truth
Model your organization
CODE EDITOR
resource "boundary_scope" "org" {
name = "hashdays inc"
description = "top level"
scope_id = "global"
auto_create_admin_role = true
auto_create_default_role = true
}
resource "boundary_scope" "bi_team" {
name = "platform team"
description = "project for the BI team"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
}
CODE EDITOR
resource "boundary_scope" "org" {
name = "hashdays inc"
description = "top level"
scope_id = "global"
auto_create_admin_role = true
auto_create_default_role = true
}
resource "boundary_scope" "bi_team" {
name = "platform team"
description = "project for the BI team"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
}
Infrastructure Mesh as Code
CODE EDITOR
resource "boundary_target" "bi_pgsql" {
name = "bi_pgsql"
description = "BI Postgresql"
address = aws_instance.hashidays.public_ip:5432
type = "tcp"
default_port = "5432"
scope_id = boundary_scope.bi_team.id
}
boundary connect postgres -target-id ttcp_eTcZMueUYv -username admin -dbname postgres
CODE EDITOR
resource "boundary_target" "bi_pgsql" {
name = "bi_pgsql"
description = "BI Postgresql"
address = aws_instance.hashidays.public_ip:5432
type = "tcp"
default_port = "5432"
scope_id = boundary_scope.bi_team.id
}
boundary connect postgres -target-id ttcp_eTcZMueUYv -username admin -dbname postgres
“Can you update that
webserver, you know the
one i am talking about”
webserver, you know the
one i am talking about”
CODE EDITOR
resource "boundary_host_catalog_static" "webservers" {
name = "webservers"
scope_id = boundary_scope.project.id
}
resource "boundary_host_static" "webserver" {
name = "webserver"
address = aws_instance.hashidays.public_ip
host_catalog_id = boundary_host_catalog_static.webservers.id
}
Model your fleet
resource "boundary_host_catalog_static" "webservers" {
name = "webservers"
scope_id = boundary_scope.project.id
}
resource "boundary_host_static" "webserver" {
name = "webserver"
address = aws_instance.hashidays.public_ip
host_catalog_id = boundary_host_catalog_static.webservers.id
}
Model your fleet
CODE EDITOR
resource "boundary_credential_store_vault" "platform" {
name = "platform”
address = var.vault_url
token = vault_token.hashidays.client_token
scope_id = boundary_scope.project_team.id
}
resource "boundary_credential_library_vault" "platform" {
name = "platform"
credential_store_id = boundary_credential_store_vault.platform.id
path = "ssh/connect/hashidays"
http_method = "GET"
credential_type = "username_password"
}
Define what credentials to use
resource "boundary_credential_store_vault" "platform" {
name = "platform”
address = var.vault_url
token = vault_token.hashidays.client_token
scope_id = boundary_scope.project_team.id
}
resource "boundary_credential_library_vault" "platform" {
name = "platform"
credential_store_id = boundary_credential_store_vault.platform.id
path = "ssh/connect/hashidays"
http_method = "GET"
credential_type = "username_password"
}
Define what credentials to use
CODE EDITOR
resource "boundary_target" "webserver" {
name = "webserver"
description = "public website"
type = "ssh"
default_port = "22"
scope_id = boundary_scope.platform_team.id
host_source_ids = [
boundary_host_set.webserver.id
]
injected_application_credential_source_ids = [
boundary_credential_library_vault.platform.id
]
}
Credential Injection from vault
resource "boundary_target" "webserver" {
name = "webserver"
description = "public website"
type = "ssh"
default_port = "22"
scope_id = boundary_scope.platform_team.id
host_source_ids = [
boundary_host_set.webserver.id
]
injected_application_credential_source_ids = [
boundary_credential_library_vault.platform.id
]
}
Credential Injection from vault
Boundary as ansible transport
CODE EDITOR
hashidays_inventory:
hosts:
webserver:
ansible_host: 18.196.188.109
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: /home/attachmentgenie/.ssh/id_rsa_aws
hashidays_inventory:
hosts:
webserver:
ansible_host: 127.0.0.1
ansible_port: 42921
CODE EDITOR
hashidays_inventory:
hosts:
webserver:
ansible_host: 18.196.188.109
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: /home/attachmentgenie/.ssh/id_rsa_aws
hashidays_inventory:
hosts:
webserver:
ansible_host: 127.0.0.1
ansible_port: 42921
Inventory + Acls + API =
Break glass as Code
https://www.hashicorp.com/blog/event-driven-access-controls-with-hashicorp-boundary-and-vault
Break glass as Code
https://www.hashicorp.com/blog/event-driven-access-controls-with-hashicorp-boundary-and-vault
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 30
- Slides 39
- Age 537 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
44 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views