
HashiCorp and Google: easing secret and infrastructure management - rey12rey
https://cloudplatform.googleblog.com/2017/09/HashiCorp-and-Google-expand-collaboration-easing-secret-and-infrastructure-management.html
======
scrollaway
What do people here use to store and source-control secrets/almost-secrets and
make them available to (pick n) terraform/ansible/salt/chef/...?

I've heard a lot of good things of Hashicorp Vault
([https://www.vaultproject.io](https://www.vaultproject.io)) but been hesitant
to go with it.

~~~
ejcx
I almost never heard anything negative about vault until I did a presentation
on all the troubles I had with it. Here are the slides about the issues I had:

[https://docs.google.com/presentation/d/1ipP2eB9pW5j3WDvzCGz9...](https://docs.google.com/presentation/d/1ipP2eB9pW5j3WDvzCGz9Wy4MBoK2SMvOTZtPdf5kSNs/edit#slide=id.g1fa55b980e_1_164)

At the end of the day, Vault gives you secret keys to manage which makes
automating the unsealing process not fun if you want full automation.

Talking with Armon from Hashicorp they planned to work on some much improved
docs around vault which should help with a lot of the issues of making vault
usable, because quite frankly they are very challenging to understand right
now.

~~~
lolbrish
I unseal using ansible (with the unseal keys in ansible-vault) and automate
the configuration fully through ansible. For example you can use the ansible
expect module:

      # Feed one unseal key to the interactive `vault unseal` prompt.
      - name: unseal 1
        expect:
          command: '/usr/bin/vault unseal'
          responses:
            'Key \(will be hidden\): ': "{{ vault_seal_key_1 }}"
          echo: no
        # Keep the unseal key out of the task output; `echo: yes` would print it.
        no_log: true
        # `vault status` exits with code 2 while the server is still sealed.
        when: vault_sealed_result.rc == 2 and vault_seal_key_1 is defined
        tags:
          unseal

~~~
bogomipz
I'm interested in your solution, you are using ansible-vault to store the
Hashicorp Vault unseal key(s)? Isn't this just pushing the problem out another
level or am I missing something? Thanks.

------
manigandham
All of the major clouds already have good secrets management built in. We have
a simple library that uses Google's Key Management Service in a standalone
project to encrypt/decrypt files held in a private storage bucket. Access to
keys and files are controlled by service account roles. Seamless, efficient,
no-ops model with built-in auditing and fine-grained control that works
everywhere.

~~~
true_tuna
This sounds way simpler and 10x better than what most organizations do
(secrets in version control, secrets on local file system or environment
variables). Do you mind doing a quick how-to? It could probably help 90% of
organizations take a step towards better security.

~~~
manigandham
Google actually has a technical how-to here:
[https://cloud.google.com/kms/docs/store-secrets](https://cloud.google.com/kms/docs/store-secrets)
and in-depth solution architecture here:
[https://cloud.google.com/kms/docs/secret-management](https://cloud.google.com/kms/docs/secret-management)

Key Management Service creates and maintains private keys for you and provides
an API to easily encrypt or decrypt some data. Basically call method
_KMS.Decrypt( "name_of_key_to_use", <bytes>)_ and get back decrypted content.
Secrets are simple text files encrypted with KMS and stored in a private
storage bucket. For example we have something like
"database-secrets.dev.json.encrypted".

We have a small library that took a day to write, used in all of our projects
that does the following on startup: open private storage bucket, download
encrypted file, call the KMS API, decrypt the file, and parse the raw contents
as json. Now the app has the secrets in-memory to be used anywhere. No
infrastructure required, nothing on disk and this is universally accessible
whether inside Google cloud or on local machine. Takes under 1 second when
running in the cloud.

I don't think I can do better than the documentation but let me know if you
have any questions.
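The startup flow described in this comment (fetch the encrypted JSON object from a private bucket, decrypt it through KMS, parse it in memory), as an added example that is not manigandham's library. The key name, bucket name and the `google-cloud-storage` / `google-cloud-kms` wiring are assumptions; the two real client calls are isolated behind callables so the same `load_secrets` can be exercised offline with a constructed stand-in for KMS. The example also goes one step beyond the comment: it binds the object name into the ciphertext as additional authenticated data (AAD), so a dev ciphertext copied under the prod object name fails to decrypt rather than quietly loading dev credentials.

```python
import json
from typing import Callable

# Hypothetical key and bucket names: the page gives neither, only the file
# naming scheme "database-secrets.dev.json.encrypted".
KEY_NAME = "projects/example-proj/locations/global/keyRings/app/cryptoKeys/secrets"
BUCKET = "example-private-secrets-bucket"


def load_secrets(fetch_blob: Callable[[str, str], bytes],
                 kms_decrypt: Callable[[str, bytes, bytes], bytes],
                 bucket: str, blob_name: str, key_name: str) -> dict:
    """Download blob_name from bucket, decrypt it under key_name, parse as JSON.

    The blob name is bound into the ciphertext as additional authenticated
    data (AAD) at encrypt time, so a dev ciphertext copied over the prod
    object name fails to decrypt instead of silently loading dev credentials.
    Nothing is written to disk; the secrets live only in the returned dict.
    """
    ciphertext = fetch_blob(bucket, blob_name)
    plaintext = kms_decrypt(key_name, ciphertext, blob_name.encode())
    try:
        secrets = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"{blob_name}: decrypted content is not JSON") from exc
    if not isinstance(secrets, dict):
        raise ValueError(f"{blob_name}: expected a JSON object at top level")
    return secrets


def gcs_fetch_blob(bucket: str, blob_name: str) -> bytes:
    """Real transport via google-cloud-storage (imported lazily so this file
    loads without the library installed)."""
    from google.cloud import storage
    return storage.Client().bucket(bucket).blob(blob_name).download_as_bytes()


def gcp_kms_decrypt(key_name: str, ciphertext: bytes, aad: bytes) -> bytes:
    """Real Cloud KMS symmetric decrypt via google-cloud-kms, passing the AAD."""
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    response = client.decrypt(request={"name": key_name, "ciphertext": ciphertext,
                                       "additional_authenticated_data": aad})
    return response.plaintext


class FakeKms:
    """Constructed stand-in for Cloud KMS so the flow runs offline. It keeps
    (key, AAD) next to each ciphertext and refuses a decrypt whose key or AAD
    differ, which is the property the real service provides."""

    def __init__(self) -> None:
        self._store: dict[bytes, tuple[str, bytes, bytes]] = {}

    def encrypt(self, key_name: str, plaintext: bytes, aad: bytes) -> bytes:
        token = f"fake-ciphertext-{len(self._store)}".encode()
        self._store[token] = (key_name, aad, plaintext)
        return token

    def decrypt(self, key_name: str, ciphertext: bytes, aad: bytes) -> bytes:
        key, bound_aad, plaintext = self._store[ciphertext]
        if key != key_name or bound_aad != aad:
            raise ValueError("decrypt failed: key or AAD does not match")
        return plaintext


def demo() -> tuple[dict, bool]:
    """Encrypt a constructed dev secrets file, load it, then show that copying
    the same ciphertext under the prod object name is rejected."""
    fake_kms = FakeKms()
    objects: dict[str, bytes] = {}          # stands in for the private bucket
    dev_name = "database-secrets.dev.json.encrypted"
    prod_name = "database-secrets.prod.json.encrypted"
    dev_secrets = {"db_user": "app", "db_password": "constructed-dev-only"}
    objects[dev_name] = fake_kms.encrypt(
        KEY_NAME, json.dumps(dev_secrets).encode(), dev_name.encode())

    def fetch(bucket: str, name: str) -> bytes:
        return objects[name]

    loaded = load_secrets(fetch, fake_kms.decrypt, BUCKET, dev_name, KEY_NAME)
    objects[prod_name] = objects[dev_name]   # simulate a swapped/misplaced object
    try:
        load_secrets(fetch, fake_kms.decrypt, BUCKET, prod_name, KEY_NAME)
        swap_rejected = False
    except ValueError:
        swap_rejected = True
    return loaded, swap_rejected


if __name__ == "__main__":
    # Real wiring would be:
    # load_secrets(gcs_fetch_blob, gcp_kms_decrypt, BUCKET,
    #              "database-secrets.dev.json.encrypted", KEY_NAME)
    secrets, rejected = demo()
    print(sorted(secrets), "swap rejected:", rejected)
```

Two caveats worth keeping in mind with this pattern: the calling service account needs only `cloudkms.cryptoKeyVersions.useToDecrypt` on the key plus read access to the bucket, so keep the encrypt permission on a separate identity; and Cloud KMS symmetric encryption takes at most 64 KiB of plaintext per call, so anything larger than a small JSON file needs envelope encryption (a data key that KMS wraps) rather than encrypting the file directly.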

~~~
hashmp
AWS offers a similar service for anyone interested.

[https://aws.amazon.com/kms/](https://aws.amazon.com/kms/)

You can limit access to the keys based on IAM instance profiles. So that only
certain instances can access specific credentials.
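Added example (not hashmp's configuration) of what "limit access to the keys based on IAM instance profiles" looks like as an AWS KMS key policy: a single role, the one attached to the instance profile, is allowed `kms:Decrypt`, and only for ciphertext that was encrypted with a matching encryption context, so the same key cannot be used to unwrap another service's secrets. The account ID and role name are placeholders; the first statement is the usual administrative statement that keeps the key manageable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "OnlyTheBillingInstanceRoleMayDecryptBillingSecrets",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/billing-instance-role" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:service": "billing" }
      }
    }
  ]
}
```

For the condition to bite, whoever encrypts the secret must pass `service=billing` as the encryption context; a decrypt call that omits it or uses a different value is denied even from the permitted role. CloudTrail records every `Decrypt` with the calling role and the encryption context, which is the audit trail to alert on when a key is used from an unexpected principal.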

------
yeukhon
Anything secret involves a master key. If you don't trust AWS, then you need
to supply your own master key. But for most setups, IMO, you should just let
AWS handle the key management, and you use a role to decrypt. Rotation is a big
deal though. For servers, the SSH key can be encrypted in KMS and we either
completely replace the box, or we rotate one box at a time. For DB servers,
it's important to choose a DB that can stream data to a new box with as little
impact as possible (or allows replication). But these take time to develop (I
can't use containers to host DBs or critical applications because of the network
performance, at least a year ago).

BTW Mozilla's sops [1] is quite interesting. I've been testing this for a
while now.

[1]: [https://github.com/mozilla/sops](https://github.com/mozilla/sops)

------
disordr
The AWS EC2 Systems Manager Service and the Parameter Store:
[https://aws.amazon.com/ec2/systems-manager/parameter-store/](https://aws.amazon.com/ec2/systems-manager/parameter-store/)
is a great way to store secrets with integrated encryption provided by KMS.

------
arianvanp
It's not really clear to me from the docs. But can you now have kubernetes
secrets stored not in etcd but in vault? Or is just the token retrieval
part fixed? The docs are a bit terse and don't mention much stuff on how you'd
actually use it.

If I create a kubernetes secret will it be stored in vault if I set some magic
switch? Or are we not there yet?

~~~
jaxxstorm
Not there yet. You can store secrets in Vault, and now a kubernetes pod can
authenticate against Vault which will allow it to retrieve secrets. If you're
running your app in k8s, your app will be able to use the configured token to
get to vault.

~~~
arianvanp
Thanks. But it seems like a good first step into the right direction!

------
outoftacos
I worry a lot about how these megacorps will treat "collaborators" vs
"non-collaborators" in the coming years. Obviously you can't just outright buy
everyone, but they seem to be increasingly abusive towards technologies and
teams that aren't on board with their interests and ideology.

Actually I'm more worried about how Facebook and Amazon treat non-compliance,
but Google sure seems to be getting shadier every day.

This combined with the W3C evolving into a corrupt entity just makes me want
to get out of tech completely. Maybe if I could get some awesome dev job at
the EFF?

~~~
navaati
From what I can tell, this is all open source using their publicly documented
API. That is, you could implement the same support for GCP in your own auth
backend product, and you could implement the same support for your own cloud
platform in Vault. So… I don't really get what you're talking about in this
context.

~~~
tyingq
_" We're working to enhance the integration between HashiCorp Vault and GCP,
including Vault authentication backends for IAM and signed VM metadata."_

There's not much detail in that. But, you could certainly read it in a way
that using Hashicorp products might be lower friction than using other
products on GCP.

