No, we're not talking about the apps that you can download from app stores, although we do have a couple of those. We're talking about the applications and services that we've built in-house to power everything from our front-end website to back-end services. To get all of these apps and services to securely talk to each other, we employ secrets, which are similar to the passwords that online accounts require. Secrets allow our apps to connect and share information, but like any good password, they need to be changed regularly.

For a long time, we statically generated secrets, but this raised some issues and was hard to manage. Static secrets are often shared by multiple applications, which can make it difficult to audit appropriate usage. When they are shared, it can become close to impossible to rotate or even revoke them. Because most applications require secrets to be in a configuration file or injected into an environment, the risk of a static secret unintentionally ending up in an application's log file is high. A single exposure can have an outsized effect on security.

We needed a better solution, so we decided to shift to dynamic secrets using our secrets management tool, HashiCorp Vault. Dynamic secrets are much safer than static secrets because they can be generated whenever an application requires them, and they can be set to expire after a short period of time.

To best serve Times readers around the world, we use a Content Delivery Network (CDN) that caches static content and delivers it from servers closest to where readers are located. This allows us to send news to our readers as fast as possible. Our current system uses Fastly as our CDN. For each domain that uses a CDN, we have a separate Fastly service to handle configuration. Every time we want to make changes to one of those services, we need a dedicated Fastly token for the service so we can authenticate with the Fastly platform.

Rather than wrestle with the Fastly API and Vault every time we need to generate a secret - which would take us farther away from dynamic creation - we created a Vault plugin to do it for us. We are open-sourcing the plugin, which we're calling the Vault Fastly Secrets Engine, for anyone to use.

The transition over to dynamic secrets turned out to be less straightforward than we expected. We started digging into the Fastly API to see what it would take to pull this off. Quickly, we realized we had an issue: we use multi-factor authentication (MFA) for a lot of our platforms, and our Fastly account is set up to require MFA for all users. While this might have been fine with static secrets, because we could manually retrieve the special log-in code needed to connect to Fastly, our platforms couldn't whip out a phone every time they need to log on. This meant that we needed a way to authenticate with MFA whenever we generated Fastly tokens for the platforms. We dug into Vault's open-source code, which already has a TOTP backend, and we realized that we could pull the library in and use it to meet the MFA requirement.

We designed the workflow for the plugin to log into Vault and obtain a Vault token. Then the user/application can request a Fastly token from Vault, which will validate the token request with the user/application's policy. Vault will pass the request to the plugin, which generates the Fastly token. The plugin will pass the Fastly token back to Vault, which will in turn pass it back to the user/application.

[Figure: The diagram for how the plugin works with Vault. Credit: Ling Zhang/The New York Times]

Register the plugin with the catalog

In order to use the plugin you must first register it with the Vault plugin catalog by providing the SHASUM of the plugin code. The SHASUM acts as a unique fingerprint of the plugin code. When the plugin is loaded for the first time, Vault will calculate the SHASUM of the plugin code it has and compare that with the SHASUM in the plugin catalog. If there is a match, the plugin will be run; if they do not match, Vault will return an error and not run the plugin. This process helps us ensure the plugin code has not been tampered with.

Using the code below will ensure that your registration for the plugin is correct. It will generate the SHASUM for your plugin and write the SHASUM into the catalog path of Vault. This should be a one-time operation that should be done by your Vault administrator.

```shell
# Compute the SHA-256 fingerprint of the plugin binary (first field of the shasum output)
$ SHASUM=$(shasum -a 256 vault-fastly-secret-engine | cut -d " " -f1)
# Register the plugin in Vault's catalog under that fingerprint
$ vault write sys/plugins/catalog/vault-fastly-secret-engine sha_256="$SHASUM" command="vault-fastly-secret-engine"
```

After running this, and the commands in the rest of this post, you should expect to see a message saying it was successful.
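As an added illustration of the catalog check described above (this is not the post's or HashiCorp's code), the Python below registers a constructed plugin file in an in-memory dictionary standing in for Vault's catalog, then shows a clean load passing and a tampered binary being refused:

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for Vault's plugin catalog: plugin name -> registered SHA-256 hex.
PLUGIN_NAME = "vault-fastly-secret-engine"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of in-memory bytes (the 'fingerprint' the post talks about)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so a large plugin binary is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def register_plugin(catalog: dict, name: str, path: str) -> str:
    """One-time admin step: record the binary's fingerprint under the plugin name."""
    catalog[name] = sha256_of_file(path)
    return catalog[name]


def load_plugin(catalog: dict, name: str, path: str) -> bool:
    """Mimic the first-load check: recompute the digest and compare to the catalog.
    Returns True when the plugin may run; raises on an unregistered or altered binary."""
    if name not in catalog:
        raise KeyError(f"plugin {name!r} is not registered in the catalog")
    actual = sha256_of_file(path)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(actual, catalog[name]):
        raise ValueError(f"checksum mismatch for {name!r}: catalog={catalog[name]} actual={actual}")
    return True


def demo() -> tuple:
    """Register a constructed plugin file, load it, then tamper with it and load again."""
    catalog = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, PLUGIN_NAME)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed plugin stand-in\n")
        register_plugin(catalog, PLUGIN_NAME, path)
        ok_before = load_plugin(catalog, PLUGIN_NAME, path)
        with open(path, "ab") as f:
            f.write(b"# one appended line changes the fingerprint\n")
        try:
            load_plugin(catalog, PLUGIN_NAME, path)
            rejected = False
        except ValueError:
            rejected = True
    return ok_before, rejected
```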