Using Vault to decouple secrets from applications
Vault is an up-and-coming project by HashiCorp, the folks behind projects such as Vagrant and Consul. The goal of Vault is to decouple the handling of secrets from applications in order to enforce access control and encryption standards and to create an audit trail. There are several components to Vault:

- Authentication, such as LDAP, GitHub or a custom app-id
- Authorization using path-based ACL policies
- An encrypted storage backend using one of several options, such as Consul, etcd, ZooKeeper, S3 or MySQL
- Secret backends that define how secrets are stored or generated; options include MySQL and AWS IAM credentials, among others
- Audit logging of token generation and secrets access

A few reasons why adding Vault to your infrastructure would be beneficial include:

- a need to authenticate against an external service, such as LDAP or a GitHub organization
- a database environment that is too large to manage individual users
- providing credentials to external parties, such as auditors or outside consultants, that automatically expire
- compliance requirements for strict audit logs of database access

This session will explain Vault in more detail, providing examples of creating and accessing dynamically generated credentials such as MySQL and AWS IAM credentials. We will also look at the various authentication and access control features of Vault. Finally, we will address the architecture needed to ensure that Vault is deployed in a fault-tolerant manner.
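As an added illustration of the path-based ACL policies and dynamic MySQL credentials mentioned above (this is example material, not code from the session or from HashiCorp), here is a Vault policy for an application that may only obtain short-lived MySQL credentials from a single role. The mount path `mysql/` and the role name `app-readonly` are assumptions.

```hcl
# Added example: least-privilege policy for one application.
# Assumes the MySQL secret backend is mounted at mysql/ and a role
# named app-readonly has been configured there (both assumed names).

# Over-broad version (what to avoid): lets the holder read every role
# and rewrite the privileged connection the backend uses internally.
# path "mysql/*" {
#   capabilities = ["create", "read", "update", "delete", "list"]
# }

# Tightened version: exactly one role, read only. Each read returns a
# fresh, leased MySQL user that Vault drops when the lease expires.
path "mysql/creds/app-readonly" {
  capabilities = ["read"]
}

# Let the application renew and revoke the leases it holds, so it can
# clean up its own credentials instead of waiting for expiry.
path "sys/renew/*" {
  capabilities = ["update"]
}
path "sys/revoke/*" {
  capabilities = ["update"]
}

# Explicitly deny the backend's configuration paths, which hold the
# privileged connection and lease settings; "deny" wins over any
# other grant that might match the same path.
path "mysql/config/*" {
  capabilities = ["deny"]
}
```

Once loaded and attached to the application's token, every read of the creds path shows up in the audit log together with the token and policy that authorized it, which is the trail the compliance point above is asking for.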
OSDB Practice Advocate, Pythian
Derek Downey is the Practice Advocate for the OpenSource Database practice at Pythian, helping to align technical and business objectives for the company and for our clients. Derek loves automating MySQL, implementing visualization strategies and creating repeatable training environments.
Armon (@armon) has a passion for distributed systems and their application to real world problems. He is currently the CTO of HashiCorp, where he brings distributed systems into the world of DevOps tooling. He has worked on Nomad, Vault, Terraform, Consul, and Serf at HashiCorp, and maintains the Statsite and Bloomd OSS projects as well.