SE Hangout

Delivering Secret Zero: Vault AppRole with Terraform and Chef

When thinking about how to securely deliver secrets to our applications, we often run into chicken-and-egg scenarios where, in order to encrypt secrets, we create an unencrypted key to open up that encryption for regular use. Learn how Vault AppRole can help with this secure introduction problem.

Speaker

  • Teddy Sacilowski, Sr. Solutions Engineer, HashiCorp

There's now a HashiCorp Learn tutorial adapted from this webinar: AppRole With Terraform & Chef

Whenever a security group opts for Vault's auto-unseal functionality instead of the default Shamir's secret sharing approach, it encounters the "secret-zero" problem. In order to authenticate safely, you'll need to use an HSM or cloud KMS for auto-unseal, but this means there's now a shared key to those systems stored outside the HSM or the cloud KMS, in a script that starts the auto-unseal process.

In this webinar, Teddy Sacilowski introduces how authentication in Vault works, gives an overview of the AppRole Auth Method, and explains how it integrates with Terraform and Chef. Finally, Teddy gives a demo of how this can be used to mitigate the secret-zero problem and wraps up by answering questions from the audience about Vault.

Watch to learn:

  • How authentication in Vault works
  • How Terraform can interact with Vault via its Vault Provider
  • How to interact with Vault in Chef recipes

Agenda

  • 0:00 - 0:20 - Vault AppRole
  • 0:20 - 0:45 - Demo
  • 0:45 - 1:00 - Live Q&A

Additional resource:

GitHub repository
