Vault Response Wrapping Makes The "Secret Zero" Challenge A Piece Of Cake
Feb 27, 2020
Learn how to configure and use Vault's response wrapping feature to deliver a wrapped token from Jenkins to an application through a pipeline.
View this presentation's slides on Speaker Deck
When you introduce HashiCorp Vault into a hybrid cloud environment, one of the key points to consider is how your pre-existing provisioning, configuration management, orchestrator, and CI/CD systems can better integrate with Vault, taking advantage of its central secrets management functionality.
» The Challenge of Secret Zero
In Vault lingo, we refer to these systems as Trusted Entities that authenticate against Vault within automated pipelines and workflows.
The Vault AppRole authentication method is specifically designed to allow such pre-existing systems, especially if they are hosted on-premises, to log in to Vault with roleID and secretID credentials (a sort of username and password) and retrieve a token with a specific set of capabilities attached (e.g. list and read secrets in a specific path).
You start populating your Trusted Entities with roleIDs and secretIDs to satisfy all your pipelines' needs to consume secrets. Immediately after, you have to deal with the "secret zero" challenge: how to securely deliver the secretID from Vault to the applications being built and/or deployed by your Trusted Entity.
In an enterprise environment with lots of different application pipelines, you should avoid sprawling privileged roleIDs and secretIDs across, for instance, Jenkins nodes and, at the same time, be sure that the proper pipeline consumes the secrets.
» What You'll Learn
In this presentation, Giuseppe Misurelli will demo how to configure and use Vault's response wrapping feature to deliver a wrapped token from Jenkins to an application through a pipeline. The Jenkins Trusted Entity will be equipped with a roleID and secretID and be able to retrieve only wrapped tokens for another AppRole used by a pipeline it spawns. This latter AppRole will unwrap the tokens, use them to log in to Vault, and retrieve the privileged token to consume application secrets.
» Final Steps
Since a wrapped token can only be unwrapped once, an alert can be raised each time the target application cannot unwrap the token, which means that something else unwrapped it.
Consequently, using wrapped secrets, it is possible to equip your Trusted Entities with very low-privileged and long-lived AppRole credentials (retrieve wrapped tokens only) and be sure that only the target application consumes its secrets.
Finally, you'll have a fully automated workflow to make the secret zero challenge a piece of cake.
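The consuming side of the flow described above, as an added example (not code from the presentation or from HashiCorp): the application unwraps its token once and turns any rejection into an alert instead of retrying. It goes one step beyond the text by first checking the wrap's `creation_path` through `sys/wrapping/lookup`. The helper names, the `FakeVault` stand-in and the placeholder address are assumptions; `sys/wrapping/lookup` and `sys/wrapping/unwrap` are Vault HTTP API endpoints.

```python
import json
import urllib.error
import urllib.request

class WrapTokenAlert(Exception):
    """The wrapping token was already used, expired, or created on an unexpected path."""

def vault_post(addr, path, body=None, token=None):
    """POST to Vault's HTTP API and return the parsed JSON reply.
    Real use (placeholder address): functools.partial(vault_post, "https://vault.example.internal:8200")"""
    headers = {"X-Vault-Token": token} if token else {}
    req = urllib.request.Request(f"{addr}/v1/{path}", method="POST", headers=headers,
                                 data=json.dumps(body or {}).encode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def fetch_secret_id(wrap_token, expected_path, post):
    """Validate the wrap, then unwrap it; a rejection becomes an alert, never a retry."""
    try:
        # Lookup does not consume the token; it reports where the wrap was created.
        info = post("sys/wrapping/lookup", {"token": wrap_token})["data"]
        if info["creation_path"] != expected_path:
            raise WrapTokenAlert(f"unexpected creation_path {info['creation_path']!r}")
        # Unwrap is single use: the wrapping token itself is sent as the client token.
        return post("sys/wrapping/unwrap", token=wrap_token)["data"]["secret_id"]
    except urllib.error.HTTPError as exc:
        raise WrapTokenAlert(f"wrapping token rejected (HTTP {exc.code}): "
                             "already unwrapped or expired") from exc

class FakeVault:
    """Constructed in-memory stand-in for Vault so the example runs offline."""
    def __init__(self):
        self.wraps = {}  # wrapping token -> (creation_path, secret_id)

    def post(self, path, body=None, token=None):
        key = token or (body or {}).get("token")
        if key not in self.wraps:
            raise urllib.error.HTTPError(path, 400, "invalid wrapping token", None, None)
        creation_path, secret_id = self.wraps[key]
        if path == "sys/wrapping/lookup":
            return {"data": {"creation_path": creation_path}}
        del self.wraps[key]  # unwrapping consumes the token
        return {"data": {"secret_id": secret_id}}
```

A `WrapTokenAlert` raised in the target application is the signal to revoke the secretID that was wrapped and to investigate who consumed the token.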