Vault provides secrets management and protection of sensitive data: a central place to secure, store, and control access to tokens, passwords, certificates, and encryption keys. Centralizing secrets brings its own challenges, particularly for applications: applications do not keep secrets well, and a single secret is often shared among several applications.
Vault offers an answer to these problems in the form of dynamic secrets, which are generated on demand and are unique to a client. This is as opposed to static secrets, which are defined ahead of time and are often shared by different clients. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. Static secrets, by contrast, often have much longer lifecycles.
Dynamic secrets allow you to manage intentions (e.g., a web server needs database access) instead of managing credentials (e.g., the authentication data handed to each web server that needs database access). This achieves the same end goal while solving major challenges: leaky applications, nonrepudiation, automatic rotation, and practical revocation. Vault applies the same dynamic approach to public key certificates, acting as a signing intermediary that generates short-lived certificates, so certificates are generated on demand, as needed, and rotated automatically.
Christie Koehler gives a brief introduction to Vault and dynamic secrets and then shares the most common operator activities involved in certificate management using Vault, including enabling and configuring public key infrastructure (PKI) engine(s), creating roles and generating certificates, revoking certificates and updating certificate revocation lists (CRLs), and integrating with applications.
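The operator activities listed above, as an added example typed into the Vault CLI (this is not code from the talk or from HashiCorp). It assumes a reachable Vault with VAULT_ADDR and VAULT_TOKEN exported and a token permitted to manage secrets engines; the mount path "pki", the role name "web", the domain "example.com", the host name "web01.example.com" and all TTLs are placeholder values chosen for the example.

```shell
#!/usr/bin/env sh
# Added example: enable a PKI engine, create a role, issue a short-lived
# certificate, revoke it, rebuild the CRL and tidy the store. Assumes
# VAULT_ADDR and VAULT_TOKEN are exported; names and TTLs are placeholders.
set -eu

PKI_MOUNT="pki"
PKI_ROLE="web"

# 1. Enable the engine once, cap the mount's maximum TTL and generate an
#    internal root CA. The CA private key never leaves Vault.
pki_setup() {
  vault secrets list | grep -q "^${PKI_MOUNT}/" \
    || vault secrets enable -path="$PKI_MOUNT" pki
  vault secrets tune -max-lease-ttl=87600h "$PKI_MOUNT"
  vault write "$PKI_MOUNT/root/generate/internal" \
    common_name="example.com" ttl=87600h >/dev/null
  # Publish CA and CRL URLs so verifiers of issued certificates can find them.
  vault write "$PKI_MOUNT/config/urls" \
    issuing_certificates="$VAULT_ADDR/v1/$PKI_MOUNT/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$PKI_MOUNT/crl" >/dev/null
  # 2. The role expresses the intention: which names may be issued, and
  #    for how long at most (72h here, a placeholder).
  vault write "$PKI_MOUNT/roles/$PKI_ROLE" \
    allowed_domains="example.com" allow_subdomains=true max_ttl="72h" >/dev/null
}

# 3. Issue a certificate for one client. Each call yields a unique key pair
#    and serial; the short TTL is what makes rotation automatic.
pki_issue() {
  vault write -field=serial_number "$PKI_MOUNT/issue/$PKI_ROLE" \
    common_name="$1" ttl="24h"
}

# 4. Revoke a serial, then force an immediate CRL rebuild instead of waiting
#    for the scheduled one.
pki_revoke() {
  vault write "$PKI_MOUNT/revoke" serial_number="$1" >/dev/null
  vault read "$PKI_MOUNT/crl/rotate" >/dev/null
}

# revocation_time stays 0 for a certificate that has not been revoked.
pki_status() {
  if [ "$(vault read -field=revocation_time "$PKI_MOUNT/cert/$1")" -ne 0 ]; then
    echo revoked
  else
    echo valid
  fi
}

# End-to-end check: issue, confirm valid, revoke, confirm revoked, then let
# tidy drop expired and revoked entries from the certificate store.
pki_demo() {
  pki_setup
  serial=$(pki_issue "web01.example.com")
  before=$(pki_status "$serial")
  pki_revoke "$serial"
  after=$(pki_status "$serial")
  vault write "$PKI_MOUNT/tidy" tidy_cert_store=true \
    tidy_revoked_certs=true safety_buffer=72h >/dev/null
  echo "$before:$after"
}

# Only run the workflow when a Vault is actually reachable.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  pki_demo
fi
```

The CRL rebuilt in step 4 is what relying parties fetch from the crl_distribution_points URL set in step 1, so forcing the rotation right after a revocation is what turns a revoke call into a practical revocation for clients that check the CRL.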
Christie Koehler is a developer advocate at HashiCorp, where she uses her hybrid experience as an operator and a developer to create resources to help practitioners use HashiCorp’s suite of open source cloud automation tools. She’s a longtime open source contributor and an expert on open source culture and governance.
©2019, O'Reilly Media, Inc.