In this video, explore a high-level overview of secrets management
- Vault is a secrets management platform. It provides a range of features designed to encrypt secrets, control access to secrets through authentication and authorization, and record secrets access through auditing. Vault's architecture is composed of several internal components, which are used to get data in and out of Vault. Vault offers features that support secrets management. Many enterprises keep secrets distributed across many systems, databases, configuration files, continuous integration systems, and source control.
Vault can manage all the secrets of an enterprise from a single system. This makes it very easy to control and audit all access to secrets and to revoke secrets when necessary. Vault provides internal encryption capabilities and offers encryption as a service to users and systems. TLS connections are required to access a production Vault server. This encrypts the secrets over the wire, so they cannot be intercepted. Vault includes support for external identity management providers.
Vault uses policies to control access to secrets, and Vault has the capability to audit all secrets access. Before we move on, let's clearly define the term secret. Technically, a secret is any data we want to keep confidential. Vault is capable of storing any secret such as a credit card number or driver's license number. However, the primary use case for Vault is to protect what we might call operational secrets, the secrets that tie our systems together. A database password is a perfect example.
Most databases support username and password authentication. A username-password combination is used by an application to authenticate to the database. These secrets are often stored in configuration files, which are then stored in source control. These persistent secrets are long lived, distributed all over an enterprise, and are prone to loss. Vault provides a server process and API used to store these types of secrets. Its internal architecture ensures that secrets exist only as long as necessary.
A production Vault server never stores or transmits secrets in plain text. Rather than storing secrets in files where they may be compromised, secrets are stored using Vault. Users and applications that need those secrets request them from Vault. Vault includes three primary components. The command line interface is a thin wrapper around the Vault server HTTP API. The CLI is useful primarily for setup and administration. The Vault server is the process that handles all client requests for setup, configuration, and secrets access.
A Vault server is started with a Vault CLI command. The third component is the Vault API. Vault offers a rich HTTP API for all functions, and applications and systems should integrate with Vault through the API. Every function supported by the command line interface has an associated HTTP API; however, some APIs have no CLI command. This course will cover setting up and using Vault. A Vault server running in dev mode is used for testing and experimentation.
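The points above about policies controlling access to secrets and about the CLI being a thin wrapper over the HTTP API can be seen in one short client. The following is an added example written for this page, not code from the course or from HashiCorp. It uses only the Python standard library and assumes a dev server listening at http://127.0.0.1:8200 with its root token in the VAULT_TOKEN environment variable and the KV version 2 engine mounted at `secret/` (the dev server default). The policy name `app-read`, the secret path `app/config` and the password value are constructed for the example; each function's comment names the CLI command it mirrors.

```python
"""Minimal Vault HTTP API client (added example, not the course's or HashiCorp's code).

Assumptions: dev server at http://127.0.0.1:8200, root token in VAULT_TOKEN,
KV v2 mounted at "secret/". Policy name, secret path and values are constructed.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

# Least-privilege policy in Vault's HCL policy language: read one secret, nothing else.
# (Policy name "app-read" and the path below are constructed for this example.)
APP_READ_POLICY = """
path "secret/data/app/config" {
  capabilities = ["read"]
}
"""


def build_request(method, path, token, body=None, addr=VAULT_ADDR):
    """Assemble URL, headers and JSON body for one API call.

    Every Vault API path lives under /v1/, and the client token is sent in the
    X-Vault-Token header; the same structure applies whatever the CLI command.
    """
    url = f"{addr.rstrip('/')}/v1/{path.lstrip('/')}"
    headers = {"X-Vault-Token": token}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return url, headers, data


def call(method, path, token, body=None):
    """Perform the call; empty bodies (e.g. 204 from a policy write) become {}."""
    url, headers, data = build_request(method, path, token, body)
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def extract_kv_data(response):
    """KV v2 nests the stored keys under data.data; data.metadata holds the version."""
    return response["data"]["data"]


def kv_put(token, path, secret):
    # CLI equivalent: vault kv put secret/<path> key=value ...
    return call("POST", f"secret/data/{path}", token, {"data": secret})


def kv_get(token, path):
    # CLI equivalent: vault kv get secret/<path>
    return extract_kv_data(call("GET", f"secret/data/{path}", token))


def write_policy(token, name, hcl):
    # CLI equivalent: vault policy write <name> <file>
    return call("PUT", f"sys/policies/acl/{name}", token, {"policy": hcl})


def create_token(token, policies):
    # CLI equivalent: vault token create -policy=<name>
    resp = call("POST", "auth/token/create", token, {"policies": policies})
    return resp["auth"]["client_token"]


if __name__ == "__main__":
    root = os.environ["VAULT_TOKEN"]
    # The secret lives in Vault, not in a config file checked into source control.
    kv_put(root, "app/config", {"db_password": "constructed-example-password"})
    write_policy(root, "app-read", APP_READ_POLICY)
    app_token = create_token(root, ["app-read"])
    print(kv_get(app_token, "app/config"))  # allowed: the policy grants read
    try:
        kv_put(app_token, "app/config", {"db_password": "changed"})
    except HTTPError as err:
        # Vault answers 403 permission denied: the policy grants no create/update.
        print("write denied as expected, HTTP", err.code)
```

Run it against a dev server with `VAULT_TOKEN` exported; the last call is expected to fail, which is the point: the application token can read its one secret and cannot change it, and the audit device (if enabled) records both the read and the denied write.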
A production Vault server should never be run in dev mode. We'll follow the basic steps required to set up a production Vault server. We'll look at how to use Vault to manage access to SSH servers and databases. We'll integrate Vault with Jenkins to demonstrate how to inject a secret into an application when it is deployed. We'll use Postman to demonstrate how Vault can be accessed by applications for configuration and secrets management.
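The two statements that a production server requires TLS and must never run in dev mode come down to a server configuration file. The fragment below is an added illustration, not a file from the course, showing the weak listener setting beside the corrected one in Vault's HCL configuration language; the certificate paths, data directory, node id and hostname are assumed placeholders.

```hcl
# WEAK: plaintext listener. Secrets and tokens cross the wire unencrypted.
# listener "tcp" {
#   address     = "0.0.0.0:8200"
#   tls_disable = 1
# }

# CORRECTED: TLS required, as a production server must have.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"   # assumed path
  tls_key_file    = "/etc/vault.d/tls/vault.key"   # assumed path
  tls_min_version = "tls12"
}

# Persistent storage, unlike the in-memory store a dev server uses.
storage "raft" {
  path    = "/opt/vault/data"   # assumed path
  node_id = "vault-1"           # assumed node id
}

api_addr     = "https://vault.example.com:8200"   # assumed hostname
cluster_addr = "https://vault.example.com:8201"
ui           = true
```

A server started with `vault server -config=<file>` from this configuration also starts sealed and must be initialized and unsealed, which is the other thing dev mode does for you and a production deployment must not skip.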
- What is Vault?
- Using the dev server
- Working with Vault secrets engines
- Adding policies to Vault
- Running and using Vault
- Configuring the database secrets engine
- Implementing Vault
- Integrating Jenkins with Vault
- Using the Vault API