Posted on

Migrating Secrets Using HashiCorp Vault and Safe CLI

Vault and Safe

Vault is a secret management service by HashiCorp. It is a tool that will help you in storing secrets (API keys, passwords, etc.) and accessing them securely. You can use Vault with a user interface as well as through CLI. 

In this post, we will not be going deep into what Vault is, but instead, will look at how we can migrate secrets from one Vault to another. We can migrate secrets from Vault using Vault CLI, but it can get a little complicated to do so. Therefore, to make things easy, we will use Safe CLI, which is a wrapper around Vault. It will help us in managing and migrating our secrets by using simple commands. It also helps us connect to different vault instances very quickly for migration purposes.

Posted on

How to Vaults and Wallets for Simple, Secure Connectivity

This is the third in a series of blogs on data-driven microservices design mechanisms and transaction patterns with the Oracle converged database. The first blog illustrated how to connect to an Oracle database in Java, JavaScript, Python, .NET, and Go as succinctly as possible. The second blog illustrated how to use that connection to receive and send messages with Oracle AQ (Advanced Queueing) queues and topics and conduct an update and read from the database using all of these same languages.  The goal of this third blog is to provide details on how to secure connections in these same languages as well as convenience integration features that are provided by microservice frameworks, specifically Helidon and Micronaut.

When making secure connections to Oracle databases there are two items to consider, the wallet and the password. We will discuss and provide examples of both in this blog.

Posted on

Externalizing Your Configurations With Vault for Scalable Deployments

Table of Contents:

  • Introduction
    1. The Solution
  • Setting Up Vault
    1. Creating API Admin Policy
    2. Creating Read-Only user policy
    3. Creating Token attached with API read-only policy
  • 1. Linux Shell Integration
  • 2. Java Integration
  • 3. Python Integration
  • 4. Nodejs Integration
  • 5. Ansible Integration
  • Conclusion

Introduction:

To implement automation for microservices or applications deployed to a large number of systems, it becomes essential to externalize the configurations to a secure, scalable, centralized configuration store. This is necessary to be able to deploy the application in multiple environments with environment-specific parameters without requiring human intervention and without requiring modification to the core application during automated deployments, scaling, and failover recoveries.

Besides the fact that manually managed configurations involve the risk of human error, they are also not scalable for 24x7 large-scale deployments, particularly when we are deploying several instances of microservices across various infrastructure platforms.

Posted on

Managing Secrets in Node.js With HashiCorp Vault

As the number of services grows in an organization, the problem of secret management only gets worse. Between Zero Trust and the emergence of microservices, handling secrets such as tokens, credentials, and keys has become an increasingly challenging task. That’s where a solution like HashiCorp’s Vault can help organizations solve their secret management woes.

Although there are secret management tools native to each cloud provider, using these solutions locks you in with a specific cloud provider. Vault, on the other hand, is open source and portable.

Posted on

HashiCorp Is Becoming an Important Part of Spring Cloud (Part 1)

As we all know the Cloud-based systems are becoming the most popular architecture in the software engineering world, and the most famous and beloved Cloud platform among developers is Spring Cloud.

Spring Cloud has some important features which are given in the following parts and the feature part does a specific job:

Posted on

Bringing Your (Encryption) Keys to Multi/Hybrid Clouds

Tools and Setup

Before we dive into the fun part of getting keys shared amongst cloud providers, there are a variety of tools required to get this tutorial working. First, you’ll need to download and install Vault, then get it up and running. You will also need to install cURL and OpenSSL — these usually comes pre-installed with most Linux OSs, and are available via most package managers (apt, yum, brew, choco/scoop, etc.). Our examples also use head and diff which are part of the coreutils and diffutils packages under Ubuntu; you can either find a similar package for your OS or find a manual workaround for those portions. Next, install the AWS command line tools (CLI) and make sure you configure the CLI to connect to your account. The last step is to install and configure the Heroku CLI.

One last note — the Heroku feature to utilize keys from AWS requires a private or shield database plan, so please ensure your account has been configured accordingly.

Posted on

Vault: A Secure Way to Keep Your App’s Secrets

In this blog, we will discuss the Vault. In modern scenarios, we want to secure our system as much as possible. We don't want to store our secret keys and certificates in the system or configurations. We need a place where we can keep our secrets with more security and access them securely whenever we need them. We can use the Vault.

Vault is the secure place to store the secrets, password, token, APIKeys of the system with the control of their access. It provides security by encrypting the keys.

Posted on

Testing Spring Boot Integration With Vault and Postgres Using Testcontainers Framework

I have already written many articles where I was using Docker containers for running some third-party solutions integrated with my sample applications. Building integration tests for such applications may not be an easy task without Docker containers. Especially if our application integrates with databases, message brokers, or some other popular tools. If you are planning to build such integration tests, you should definitely take a look on Testcontainers.

Testcontainers is a Java library that supports JUnit tests, providing a fast and lightweight way for running instances of common databases, Selenium web browsers, or anything else that can run in a Docker container. It provides modules for the most popular relational and NoSQL databases like Postgres, MySQL, Cassandra, or Neo4j. It also allows running popular products like Elasticsearch, Kafka, Nginx, or HashiCorp's Vault. Today, I'm going to show you a more advanced sample of JUnit tests that use Testcontainers to check out an integration between Spring Boot/Spring Cloud application, Postgres database, and Vault.

Posted on

Secrets Management: Using Vault for Accessing the Cloud Infrastructure

Introduction

In the current IT world, there has been a need for having secured connectivity and having many private objects, which need to be accessible only for a limited set of applications or services. We call this orchestration “Secrets Management.” There are many tools currently available in the market that caters to this need. Some of them are inbuilt with the cloud-like Secrets Manager for AWS or Docker Secrets or Vaults. Today, in this post, we will discuss Managing Secrets by Vault and Hashicorp. There are many features that are exposed by Vault in regards to implementing and securing the application authorization and authentication.

We will discuss how dynamic secrets can be generated by Vault using AWS IAM Policies and how to send them to an application via API-based calls. An advantage of dynamic secrets is that they are generated when they are accessed. Dynamic secrets do not exist until they are read, so there is no risk of someone stealing them or another client using the same secrets. Because Vault has built-in revocation mechanisms, dynamic secrets can be revoked immediately after use, minimizing the amount of time the secret existed.