Secrets Management - Using Vault for Accessing Cloud Infrastructure

Introduction

In today's IT landscape there is a constant need for secured connectivity and for private objects that must be accessible only to a limited set of applications or services. We call this orchestration "Secrets Management". Many tools on the market cater to this need; some are built into the cloud, like Secrets Manager for AWS, and others are tools such as Docker Secrets or Vault. In this post, we will discuss managing secrets with Vault by HashiCorp. Vault exposes many features for implementing and securing application authorization and authentication.

We will discuss how dynamic secrets can be generated by Vault using AWS IAM policies and delivered to an application via API calls. The advantage of dynamic secrets is that they are generated when they are accessed: they do not exist until they are read, so there is no risk of someone stealing them or of another client using the same secrets. Because Vault has built-in revocation mechanisms, dynamic secrets can be revoked immediately after use, minimizing the amount of time the secret exists.

Implementation

We will demonstrate the configuration of AWS inside Vault using the secrets engine plugin, and generate dynamic credentials from a pre-configured IAM policy embedded in Vault to securely access the AWS SDK.

Technology stacks used for this post:

  • Java
  • AWS SDK – Dynamo DB
  • AWS IAM – Policy
  • Vault

Vault Configuration

Enabling Secrets Engine

We will show the post with Vault hosted on the local machine; installing and hosting Vault is outside the scope of this post. Once we log into the Vault server using a token or another authentication method, we can enable a secrets engine using the AWS plugin.

Once we select the AWS plugin in Vault (this can also be done using API commands), we add the credentials of the AWS account inside the secrets engine on the following page.

AWS Secured Configuration

In the above page, we add the credentials from our AWS account, and optionally additional configuration such as region details or a custom IAM endpoint for the secrets engine. Once AWS and Vault are successfully integrated, we have the option of creating roles on top of this configuration. Roles define the dynamic secrets, and they can be configured with policies to allow or deny usage of any AWS service. We will be using a simple Allow All policy in the example.

Adding AWS Role Inside Vault

This role will create dynamic secrets with a time-limited validity, which can be used inside any third-party application to securely access the AWS SDKs.

Dynamic Secrets Generation

The above credentials are generated and can be consumed by applications externally or through API-based invocation. Other credential types, such as Federated Token or Assumed Role, can also be generated with the same approach. We will show this using a Spring Boot application where the credentials are obtained through the API, and demonstrate CRUD operations on DynamoDB. We have created a small Boot application and added a RestTemplate to invoke the Vault API.

Spring – Vault Integration

Rest API – Vault Invocation

We make a GET call to the installed Vault server at /v1/aws/creds/{role_name} with the token in the X-Vault-Token header. The role name is the one created inside Vault with the IAM policies and customized service access.

The Vault response then contains the dynamically generated access_key and secret_key, which are provided to the AWS SDK to create the connection between Spring Boot and the AWS ecosystem.

Adding Dynamic Secrets to AWS SDK

The program then continues to perform CRUD operations against the DynamoDB service. We can perform various operations on any of the services, depending on the policies attached to the role.
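As an added example (not the post's own code), here is the Vault call and SDK hand-off described above, written in Java with RestTemplate and the AWS SDK for Java v1. The Vault address, role name, table name and the VAULT_TOKEN environment variable are assumptions; the response fields (data.access_key, data.secret_key, lease_id, lease_duration) are those returned by the aws secrets engine.

```java
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.*;
import org.springframework.web.client.RestTemplate;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;

public class VaultDynamicAwsCredentials {
    // Assumed values: Vault on localhost, role "demo-role" in the aws secrets engine.
    private static final String VAULT_ADDR = "http://127.0.0.1:8200";
    private static final String ROLE_NAME = "demo-role";

    /** Dynamic credentials plus the lease id needed to revoke them before the TTL ends. */
    public record DynamicCreds(String accessKey, String secretKey, String leaseId, long leaseSeconds) {}

    /** GET /v1/aws/creds/{role} with the token in X-Vault-Token; the token never goes in the URL. */
    public static DynamicCreds fetchCreds(RestTemplate rest, String vaultToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("X-Vault-Token", vaultToken);
        ResponseEntity<Map<String, Object>> resp = rest.exchange(
            VAULT_ADDR + "/v1/aws/creds/" + ROLE_NAME, HttpMethod.GET,
            new HttpEntity<>(headers), new ParameterizedTypeReference<Map<String, Object>>() {});
        Map<String, Object> body = resp.getBody();
        @SuppressWarnings("unchecked")
        Map<String, Object> data = (Map<String, Object>) body.get("data");
        return new DynamicCreds((String) data.get("access_key"), (String) data.get("secret_key"),
            (String) body.get("lease_id"), ((Number) body.get("lease_duration")).longValue());
    }

    /** Hand the short-lived keys to the SDK as static credentials; no IAM keys live in app config. */
    public static AmazonDynamoDB dynamoClient(DynamicCreds creds) {
        return AmazonDynamoDBClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(
                new BasicAWSCredentials(creds.accessKey(), creds.secretKey())))
            .withRegion(Regions.US_EAST_1).build();
    }

    public static void main(String[] args) {
        DynamicCreds creds = fetchCreds(new RestTemplate(), System.getenv("VAULT_TOKEN"));
        System.out.println("lease " + creds.leaseId() + " ttl " + creds.leaseSeconds() + "s"); // log the lease, never the keys
        AmazonDynamoDB ddb = dynamoClient(creds);
        ddb.putItem("demo-table", Map.of("id", new AttributeValue("1"), "name", new AttributeValue("alice")));
    }
}
```

The returned lease_id is what you hand to Vault's sys/leases/revoke endpoint when the application is finished, so the IAM user is removed before its TTL expires. Freshly created IAM credentials are eventually consistent, so the first SDK call may need a short retry.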

Conclusion

Finally, we are done with the configuration. In the above mechanism, we have demonstrated the usage of Vault for using the AWS SDKs without exposing the IAM credentials to the Spring Boot application. There are many other useful features of Vault, like PKI certificate secret storage, key-value storage or SSH storage integration. The Vault documentation also contains the details of setting up Vault inside a cluster or using Terraform to automate the infrastructure.

1 Comment

  1. Great post. I was checking constantly this blog and I am impressed! Extremely helpful info specifically the last part 🙂 I care for such information a lot. I was seeking this certain information for a very long time. Thank you and best of luck.
