Shhhh!....
PHP Secrets
with Vault and Consul
@gabriel_somoza
About Me
Belgium-based consultant PHP Architect.
Owner @ Strategery: remote Senior PHP developers
Founder of PHP Limburg meetup
Regular speaker at meetups & conferences
github.com/
gsomoza/php-mysql-vault-consul
The Old Way
// ./config/autoload/database.local.php
return [
'database' => [
'host' => 'localhost',
'dbname' => 'myapp',
'user' => 'myapp',
'password' => 'not-so-secret', // OUCH
'driver' => 'pdo_mysql',
],
];In Production (Live) Server:
Why Not?
- Stored in plain text in Production filesystem
- Difficult to distribute secret on multi-server setups
- Difficult to revoke access if a server was compromised
vaultproject.io
"A" New Way
Vault
- Secure secret storage
- Dynamic Secrets
- Data Encryption
- Leasing and Renewal
- Revocation
vaultproject.io/intro
consul.io
( NB: optional! )
Consul
- Service Discovery (DNS)
- Failure Detection
- Multi-Datacenter
- Key/value Storage
vault.services.consul.
mysql.services.consul.
myapp.services.consul.
Consul DNS
Inside "MyApp"
- Bootstrap (without DNS forwarding to Consul)
- Ask Consul agent for Vault's IP
vault.service.consul.io - Ask Consul agent for MySQL's IP
mysql.service.consul.io
- Ask Consul agent for Vault's IP
- Authenticate to Vault with Token
- Ask Vault for MySQL credentials
- Vault creates them on the fly!
- Query MySQL
A
New
Way
// ./config/autoload/database.local.php
return [
'vault' => [
'host' => 'vault.service.consul',
],
'database' => [
'host' => 'mysql.service.consul',
'dbname' => 'myapp',
'user' => '', // ASK VAULT!
'password' => '', // ASK VAULT!
'driver' => 'pdo_mysql',
],
];Let's Do It!
(Demo)
TO DO's
Cache & automatically renew MySQL leases
Use an "Auth Backend" (AppRole?) to replace vault_token.json
Degrade gracefully