Biscuit: a multi-region key value store for your AWS infrastructure secrets (opens in new tab)

(github.com)

111 pointsptest19y ago18 comments

18 comments

17 comments · 8 top-level

technologia9y ago· 3 in thread

The project is nice, but I'm gonna have to stick with Vault as I like the flexibility of storage backends and not locked into AWS for enterprise-y apps that can't go to AWS.

techie1289y ago

How does Vault verify the identity of the host requesting access to the credentials? I didn't find anything in the documentation that would give me information pertaining to that.

otterley9y ago

It doesn't, at least not by itself. There are ways to make it work, though, if you're clever. We've got an internal daemon that watches for instance launches via SNS notifications (published to an SQS queue); the daemon then requests a bootstrap token from Vault on behalf of the new instance and passes it to the instance via another SQS queue.

The new instance then consumes the bootstrap token from the queue and exchanges it for whatever other tokens it has permission to obtain.

elliotanderson9y ago

You can use the new AWS-EC2 auth backend in Vault 0.6

https://www.vaultproject.io/docs/auth/aws-ec2.html

1 more reply

thatrascaltiger9y ago· 2 in thread

It looks like this is fairly similar to Mozilla sops[1].

[1]https://github.com/mozilla/sops

coredog649y ago

I read the documentation but can't determine if sops supports credentials via IAM roles. Can anyone with experience chime in?

thatrascaltiger9y ago

It does - https://github.com/mozilla/sops/blob/master/sops/__init__.py...

moondev9y ago· 2 in thread

I feel like this problem is already solved with iam ec2 instance roles

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles...

manojlds9y ago

You need to look at this tool and understand what it does.

matt_wulfeck9y ago

Fair enough, but IAM roles does fit all of the requirements listed in the "is biscuit right for me?" section.

hendry9y ago· 1 in thread

At work we use chef to deploy our credentials via KML flat files on the servers that require them. Works rather well.

otterley9y ago

What are KML flat files? And how are you maintaining them without keeping the secrets in plaintext in source control?

bluecmd9y ago· 1 in thread

Why no key rotation? I'd be very careful with something that doesn't rotate keys.

whisk3rs9y ago

Keys: KMS handles rotation of the master key automatically (http://docs.aws.amazon.com/kms/latest/developerguide/rotate-...). The ephemeral key used to encrypt values is changed any time a value is set.

Values: https://github.com/dcoker/biscuit#how-do-i-rotate-the-values

amhoab9y ago

This is also similiar to Sneaker (https://github.com/codahale/sneaker), which is written in Go. It doesn't copy to other regions by default, but it's not hard to handle that on your own. This also uses KMS, but stores encrypted secrets in S3.

carrja999y ago

I prefer credstash (https://github.com/fugue/credstash) which uses KMS and stores encrypted values in dynamodb. It has built in ansible support via lookups too!

Xorlev9y ago

Somewhat off-topic, but I read dcoker's username as docker at first and was fairly confused as to why docker was producing something like this just for AWS.

j / k navigate · click thread line to collapse

18 comments

17 comments · 8 top-level

technologia9y ago· 3 in thread

The project is nice, but I'm gonna have to stick with Vault as I like the flexibility of storage backends and not locked into AWS for enterprise-y apps that can't go to AWS.

techie1289y ago

How does Vault verify the identity of the host requesting access to the credentials? I didn't find anything in the documentation that would give me information pertaining to that.

otterley9y ago

The new instance then consumes the bootstrap token from the queue and exchanges it for whatever other tokens it has permission to obtain.

elliotanderson9y ago

You can use the new AWS-EC2 auth backend in Vault 0.6

https://www.vaultproject.io/docs/auth/aws-ec2.html

1 more reply

thatrascaltiger9y ago· 2 in thread

It looks like this is fairly similar to Mozilla sops[1].

[1]https://github.com/mozilla/sops

coredog649y ago

I read the documentation but can't determine if sops supports credentials via IAM roles. Can anyone with experience chime in?

thatrascaltiger9y ago

It does - https://github.com/mozilla/sops/blob/master/sops/__init__.py...

moondev9y ago· 2 in thread

I feel like this problem is already solved with iam ec2 instance roles

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles...

manojlds9y ago

You need to look at this tool and understand what it does.

matt_wulfeck9y ago

Fair enough, but IAM roles does fit all of the requirements listed in the "is biscuit right for me?" section.

hendry9y ago· 1 in thread

At work we use chef to deploy our credentials via KML flat files on the servers that require them. Works rather well.

otterley9y ago

What are KML flat files? And how are you maintaining them without keeping the secrets in plaintext in source control?

bluecmd9y ago· 1 in thread

Why no key rotation? I'd be very careful with something that doesn't rotate keys.

whisk3rs9y ago

Values: https://github.com/dcoker/biscuit#how-do-i-rotate-the-values

amhoab9y ago

carrja999y ago

I prefer credstash (https://github.com/fugue/credstash) which uses KMS and stores encrypted values in dynamodb. It has built in ansible support via lookups too!

Xorlev9y ago

Somewhat off-topic, but I read dcoker's username as docker at first and was fairly confused as to why docker was producing something like this just for AWS.

j / k navigate · click thread line to collapse