Using vault in a Microservices architecture


Adam Curtis

Apr 7, 2016, 6:56:50 AM
to Vault
Hey guys!

We're already using vault in production with consul and it's been working great! One thing we haven't yet figured out is the best way of authenticating against vault in a docker microservices architecture?

Basically we have microservices written in different languages that are built into a docker container and deployed on a docker swarm, each microservice has its own role in vault. At the moment I've been creating tokens and renewing them when required. Obviously this isn't ideal as we scale more microservices!

Does anyone have a similar setup? How are you dealing with authenticating with vault?

I was wondering if we could somehow build a service that could issue tokens that built around docker notary / content trust.

Thanks! :)

Wesley Staples

Apr 7, 2016, 10:35:57 AM
to Vault

Jeff Mitchell

Apr 7, 2016, 10:56:29 AM
to vault...@googlegroups.com
Hi Adam,

Wesley's link to my post is my general answer. Others may chime in on
the list, but generally this involves a bit of do-it-yourselfery,
because each container orchestrator, runtime, and environment is quite
different (ECS vs Nomad vs Mesos/Marathon vs Kubernetes vs...)
Supporting each one and the specific setup of each one in any given
organization is difficult, so for now we generally opted towards
providing the security primitives that you need to code up the
solution that fits your bill (and often, this solution doesn't take
that much code).

Cubbyhole is generally meant for when your methods of getting an
initial secret to a box are not actually very secret. An example of
this is Docker environment variables -- those have a bad habit of
getting logged in, say, an orchestration tool's log files, because
generally it's good to have a record of that data. Cubbyhole lets you
pass in an ephemeral token containing the real token for the app, and
importantly provides detection of misuse by a third party. If you have
another way to securely access a container (for instance, if you have
SSH running inside) you could use that as a transport instead to
provide a token to a service in the container.

Others generate credentials on the host and pop them on different
bind-mounted filesystems (usually ramdisks), or simply generate a
token and place them into such a bind-mount. A couple of people have
worked on some Docker plugins, such as
https://github.com/calavera/docker-volume-vault. There are probably
other approaches out there, so maybe others will have more
suggestions!

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/e2333ba5-1d70-48fd-86d1-d09ff56cd151%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
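The cubbyhole handoff Jeff describes, worked through as an added example (not part of the original thread and not Vault's own code). It is a Python simulation: FakeVault is a constructed in-memory stand-in for the Vault behaviours the pattern depends on, modelled on the real sys/wrapping/unwrap, sys/wrapping/lookup and sys/wrapping/wrap endpoints; the token strings, the "payments-api" policy and the VAULT_WRAPPED_TOKEN variable name are made up for the example. The orchestrator mints the app token response-wrapped and passes only the single-use wrapping token in the environment; the container unwraps it once, checks that the wrapper was produced by token creation rather than by an arbitrary wrap, and treats any unwrap failure as a sign that someone else got to the token first.

```python
"""Cubbyhole response-wrapping handoff, simulated end to end.

Constructed example: FakeVault is an in-memory stand-in for the Vault
behaviours the pattern relies on (not Vault's code, no server involved),
followed by the orchestrator side and the container side of the exchange.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Wrapped:
    payload: dict        # the response that was wrapped
    creation_path: str   # endpoint whose response was wrapped
    expires_at: float
    used: bool = False


class FakeVault:
    """Minimal model of Vault's single-use, TTL-bound wrapping tokens."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._wraps = {}   # wrapping token -> _Wrapped
        self.tokens = {}   # real client token -> policy it carries

    def _new_wrapper(self, payload, creation_path, wrap_ttl):
        wrapper = "hvs." + secrets.token_hex(16)   # token format is made up
        self._wraps[wrapper] = _Wrapped(payload, creation_path, self.clock() + wrap_ttl)
        return wrapper

    def create_wrapped_token(self, policy, wrap_ttl):
        """Like `vault token create -policy=... -wrap-ttl=...`: the real token
        lands in a cubbyhole and only the wrapping token is returned."""
        real = "hvs." + secrets.token_hex(16)
        self.tokens[real] = policy
        return self._new_wrapper({"auth": {"client_token": real}}, "auth/token/create", wrap_ttl)

    def wrap_arbitrary(self, data, wrap_ttl):
        """Like `sys/wrapping/wrap`: any caller can wrap any data, which is
        why the unwrapper must check where a wrapper came from."""
        return self._new_wrapper(data, "sys/wrapping/wrap", wrap_ttl)

    def _live(self, wrapper):
        w = self._wraps.get(wrapper)
        if w is None or w.used or self.clock() > w.expires_at:
            raise PermissionError("wrapping token is not valid or does not exist")
        return w

    def lookup_wrap(self, wrapper):
        """Like `sys/wrapping/lookup`: metadata only, does not consume."""
        return {"creation_path": self._live(wrapper).creation_path}

    def unwrap(self, wrapper):
        """Like `sys/wrapping/unwrap`: the first caller wins, then it is gone."""
        w = self._live(wrapper)
        w.used = True
        return w.payload


def orchestrator_launch(vault, policy, wrap_ttl=60):
    """Trusted side: mint the app token wrapped and give the container only the
    wrapping token, e.g. through `docker run -e`.  If the scheduler logs the
    environment, the logged value is single-use and dies after wrap_ttl seconds."""
    return {"VAULT_WRAPPED_TOKEN": vault.create_wrapped_token(policy, wrap_ttl)}


def app_bootstrap(vault, env):
    """Container side: unwrap exactly once at startup and fail closed.  A wrapper
    that is already gone means a third party unwrapped it (or the container was
    too slow); a wrapper from the wrong path means somebody swapped it."""
    wrapper = env.pop("VAULT_WRAPPED_TOKEN")    # do not leave it for child processes
    try:
        origin = vault.lookup_wrap(wrapper)["creation_path"]
        if origin != "auth/token/create":
            raise RuntimeError(f"wrapper came from {origin}, not from token creation")
        return vault.unwrap(wrapper)["auth"]["client_token"]
    except PermissionError as exc:
        raise RuntimeError(f"cannot unwrap, treat as interception: {exc}") from exc


def scenario(kind, wrap_ttl=60):
    """Run one handoff and return the policy the app got, or why it refused."""
    now = [0.0]                                   # fake clock so expiry is testable
    vault = FakeVault(clock=lambda: now[0])
    env = orchestrator_launch(vault, "payments-api", wrap_ttl)
    if kind == "intercepted":    # third party read the env var from a log and unwrapped first
        vault.unwrap(env["VAULT_WRAPPED_TOKEN"])
    elif kind == "swapped":      # third party substituted a wrapper holding a token they control
        env["VAULT_WRAPPED_TOKEN"] = vault.wrap_arbitrary({"auth": {"client_token": "hvs.evil"}}, wrap_ttl)
    elif kind == "slow_start":   # container came up after the wrap TTL lapsed
        now[0] = wrap_ttl + 1.0
    try:
        return vault.tokens[app_bootstrap(vault, env)]
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    for kind in ("clean", "intercepted", "swapped", "slow_start"):
        print(f"{kind:12} -> {scenario(kind)}")
```

Run it and the clean handoff prints the policy the app received while the other three print the refusal reason. Against a real Vault the orchestrator's step is `vault token create -policy=payments-api -wrap-ttl=60s` and the container's is `VAULT_TOKEN=<wrapping token> vault unwrap`; the creation_path check mirrors the one the Vault documentation recommends, so that a wrapper a third party minted through sys/wrapping/wrap cannot be swapped in for the real one.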

Adam Curtis

Apr 8, 2016, 4:38:38 AM
to Vault
Hi both! Thanks for your help!

I did actually read the blog post about using cubbyhole and it was useful thanks!

I thought I'd ask in case someone had already tackled this :)