Time
4 hours 53 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
In this lesson, we're going to talk about the Vault concept of plugins.
00:06
When we look at the Vault architecture diagram
00:09
and I'm taking reference to plugins,
00:11
I'm gonna talk about three different kinds of plugins and how they fit into the overall Vault model.
00:17
Specifically, secrets engines, that type of plugin. And these are the things that store, generate, and encrypt the data.
00:25
We're going to review auth method plugins; these are the things used to perform authentications against different data sources and in different methods and ways.
00:34
And finally, we're gonna talk about audit device plugins and how we get Vault to log data to different sources so that we can keep track of and make an accounting for all the different operations that are performed. Specifically, it's going to be looking at logging all of the authenticated interactions with Vault.
00:54
So if you have the dev server running from a prior lesson, I ask that you kill it now and then we're going to start it over again so it's fresh. All in-memory data is cleared and we have a clean slate, and I'm going to jump over to a separate terminal window.
01:10
Don't forget, as a first step, we want to be sure to export the Vault address, since we are in dev mode and it's not doing TLS.
01:18
What I'd like you to do now is run a command called vault plugin. This is used to manage the different plugins, register and deregister. Off the bat, we can see from the output that the plugin catalog is divided into three types: auth, database and secret. Database is a special offshoot of secrets engines;
01:37
will be exploring those a little bit.
01:38
And then we talked about auth and, of course, the secret plugins here.
01:42
In fact, if we jump over to the GitHub page, we can get a full breakdown. This links to the secrets engines from the HashiCorp documentation that shows us more details about each and every one of the different secrets engines over here on the left.
01:59
I encourage you to give that a look over. We will be experimenting in later lessons with some of the
02:05
different secrets engines, but certainly we will not have time to cover and use all of these different secrets engines in this entire training. If we take a look at the life cycle of the secrets engines, we see there's enable, disable, move and tune.
02:19
We're gonna go ahead and work with the first three. Tuning is for particular types of secrets engines that have the concept of time to lives, based on the secrets that the secrets engines themselves are generating having a limited life and a lease expiration. And so tune is the mechanism you're going to use to
02:38
configure, tune and tweak
02:40
the time to live for those kinds of secrets engines.
02:44
Moving back to the command line,
02:47
Let's go ahead and enable the secrets engine.
02:51
If I go vault plugin list secret,
02:55
I see a variety of options. So far, we've been using the key value secrets engine, and so that's registered with Vault using the term kv.
03:06
Let's take a look at the secrets engines that are currently enabled in the Vault dev server: vault secrets list.
03:15
We can see three, four, excuse me: cubbyhole, identity, secret and sys.
03:22
secret, and you can see the type kv, cubbyhole, identity. We'll be covering cubbyhole and identity in later lessons and more in depth. For this example, we're gonna work with the key value secrets engine.
03:32
If you ever have a question about any one of these particular secrets engines and want some more details from the command line, Vault has a path-help command that will be very useful when you are exploring the different things. Excuse me, vault path-help
03:52
secret.
03:53
So in this case, I want to say and explore and understand further what's at the path secret. I run vault path-help and you get a nice description reiterating to me, this is the key value store, giving me some information about the key value back end. This pattern is continued with other areas and paths within Vault as well.
04:13
If we were to go path help
04:15
sys, which is a default mounted path, we get a whole lot of information, because that's the path used for managing the Vault server's system-level information. Getting back to our main objective, let's go ahead and enable secrets engine
04:31
kv by running the vault secrets enable kv command.
04:35
And so what this did, list,
04:41
is it enabled the secrets engine, but it enabled it at the path of kv as opposed to at the path of secret. Within Vault, every mounted engine, authentication mechanism, all these different plugins, they get mounted with a path, and that path has to be unique
04:59
to one particular engine. But you can have multiple instances of the same engine mounted to different paths. So if I want to mount to a specific path,
05:10
Vault
05:12
enabled the kv engine. But let's attempt to enable it to a path called secret. And we can see here, this is already enabled.
05:24
We're gonna get an error because we can only have one path. And this is where Vault's path routing mechanism looks up to determine, when I get an incoming request, where do I hand it off to, which plugin to invoke under the covers. You'll notice that I use the -path argument. And by doing this, I'm able to mount a secrets engine
05:44
to a non-default location, one that I specify.
05:47
So we're gonna go ahead and play around with this a little bit more. Um, let's try and mount the same key value store engine, but to a different path. In fact, moving forward, I'm going to try to add some flavor to these examples when we talk about secrets and managing secrets, and instead of the generic foo bar
06:08
and some of those user one type stuff.
06:10
Let's think about James Bond and 007. He's the master of secrets, right? The British spy that's very famous in countless movies and books and comics. And so let's create a storage area that's going to be used in our Vault instance to manage the keys
06:28
and the key values that we want to store on behalf of James Bond, who is Agent 007.
06:34
And if we attempt to organize our key value engines using some hierarchy to our paths, that's certainly a good idea when we grow our Vault server and we have to have lots of different secrets engines, and we want to create some level of organization to them.
06:54
But if we try to do it and mount it to a sub path underneath secret, that's not going to work because secret/ has already been mounted to the key value secrets engine, so anything below that
07:06
path cannot be mounted as a secrets engine. However, if we change our path up and maybe we decide, okay, let's create a specific key value engine for the episode of Skyfall in that particular James Bond mission,
07:25
that's gonna work. And then we say, you know what? We want to create a separate key value engine for his other mission, more recently, Spectre. In fact, we can use the description tag and add a little bit more information for ourselves,
07:43
just for internal documentation,
07:45
as to what the point is of this key value store secrets engine. And so we have the description there, and they're both enabled. And we want to give this just a look, make sure everything worked: vault secrets list. And here we go. We can see we have the 007 Skyfall.
08:01
We have 007 Spectre, which has the description because we passed in and used that argument.
08:07
We still have secret, and then kv, which is mounted by default.
08:11
Another thing that could certainly happen in the course of using Vault, as you mount different secrets engines and auth methods and so forth to particular locations: you may want to move that if you change your mind or wanna reorganize the structure and the way you organize the hierarchy of mounting your secrets engines.
08:31
So we're gonna go through that real quickly.
08:33
That's also using the vault secrets command and is using the move operation. So we're gonna move 007 Skyfall to 007 GoldenEye.
08:46
Sure enough, the secrets engine has been moved. And if we go ahead and wanna verify that, we do a list and see now there is no longer a Skyfall, but there is a 007 GoldenEye.
09:00
Rounding out the key commands for Vault secrets engines, let's go through the process of disable. We've done an enable, we've done a move. Now let's do the disable. And similarly, it's gonna be vault secrets, but now it's a disable sub command, and then again, you're going to give it the path to the secrets engine as it's mounted.
09:20
And in this case, I want to go ahead and I'm gonna disable
09:22
the GoldenEye secrets engine. When you disable the secrets engine, um,
09:28
first of all, we're not seeing a confirmation that it existed, but we do know it existed. Something to note is that any secrets related to that secrets engine are lost, and if there are any dynamic secrets, secrets with a lease and a time to live that were distributed by Vault,
09:46
those will also be automatically revoked and destroyed. So when you do disable the secrets engine, you really want to make sure you understand the implications of doing so.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor