Shhhh!....

PHP Secrets

with Vault and Consul

@gabriel_somoza

About Me

Belgium-based consultant PHP Architect.

 

Owner @ Strategery: remote Senior PHP developers

 

Founder of PHP Limburg meetup

 

Regular speaker at meetups & conferences

github.com/gsomoza/php-mysql-vault-consul

The Old Way

// ./config/autoload/database.local.php

return [
  'database' => [
    'host' => 'localhost',
    'dbname' => 'myapp',
    'user' => 'myapp',
    'password' => 'not-so-secret', // OUCH
    'driver' => 'pdo_mysql',
  ],
];

In Production (Live) Server:

Why Not?

  1. Stored in plain text in Production filesystem
  2. Difficult to distribute secret on multi-server setups
  3. Difficult to revoke access if a server was compromised

vaultproject.io

"A" New Way

Vault

  • Secure secret storage
  • Dynamic Secrets
  • Data Encryption
  • Leasing and Renewal
  • Revocation

vaultproject.io/intro

consul.io

( NB: optional! )

Consul

  • Service Discovery (DNS)
  • Failure Detection
  • Multi-Datacenter
  • Key/value Storage

vault.service.consul.

mysql.service.consul.

myapp.service.consul.

Consul DNS

Inside "MyApp"

  1. Bootstrap (without DNS forwarding to Consul)
    • Ask Consul agent for Vault's IP
      vault.service.consul
    • Ask Consul agent for MySQL's IP
      mysql.service.consul
  2. Authenticate to Vault with Token
  3. Ask Vault for MySQL credentials
    • Vault creates them on the fly!
  4. Query MySQL

A New Way

// ./config/autoload/database.local.php

return [
  'vault' => [
    'host' => 'vault.service.consul',
  ],
  'database' => [
    'host' => 'mysql.service.consul',
    'dbname' => 'myapp',
    'user' => '', // ASK VAULT!
    'password' => '', // ASK VAULT!
    'driver' => 'pdo_mysql',
  ],
];
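The four "Inside MyApp" steps applied to the config above, as an added example (not code from the talk or from the gsomoza/php-mysql-vault-consul repository). Assumptions: a Consul agent on 127.0.0.1:8500, Vault serving TLS, a database secrets engine mounted at "database" with a role named "myapp", and the token in the VAULT_TOKEN environment variable; the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. Assumed: Consul agent on 127.0.0.1:8500, Vault serving TLS,
// secrets engine mounted at "database" with role "myapp", token in VAULT_TOKEN.

function getJson(string $url, array $headers = [], ?string $tlsName = null): array
{
    $ctx = stream_context_create([
        'http' => ['header' => implode("\r\n", $headers), 'timeout' => 3, 'ignore_errors' => true],
        // Connecting by IP: verify the certificate against the service name instead.
        'ssl' => $tlsName === null ? [] : ['peer_name' => $tlsName],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    $status = isset($http_response_header[0]) ? (int) explode(' ', $http_response_header[0])[1] : 0;
    if ($body === false || $status !== 200) {
        throw new RuntimeException("GET $url failed (HTTP $status)"); // URL carries no secret
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Step 1: ask the local Consul agent for a healthy instance of a service.
function resolveService(string $name): array
{
    $nodes = getJson("http://127.0.0.1:8500/v1/health/service/$name?passing");
    if ($nodes === []) {
        throw new RuntimeException("Consul has no healthy '$name' instance");
    }
    // Service.Address is empty when the service uses its node's address.
    $ip = $nodes[0]['Service']['Address'] ?: $nodes[0]['Node']['Address'];
    return [$ip, $nodes[0]['Service']['Port']];
}

// Steps 2-4: present the token, receive short-lived MySQL credentials, connect.
function connectWithVault(array $config): PDO
{
    $token = getenv('VAULT_TOKEN');
    if ($token === false || $token === '') {
        throw new RuntimeException('VAULT_TOKEN is not set');
    }
    [$vaultIp, $vaultPort] = resolveService('vault');
    $lease = getJson("https://$vaultIp:$vaultPort/v1/database/creds/myapp",
        ["X-Vault-Token: $token"], $config['vault']['host']);
    [$dbIp, $dbPort] = resolveService('mysql');
    $dsn = "mysql:host=$dbIp;port=$dbPort;dbname={$config['database']['dbname']}";
    // The response also carries lease_id and lease_duration, needed for renewal.
    return new PDO($dsn, $lease['data']['username'], $lease['data']['password'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}
```

Every call to `connectWithVault()` makes Vault issue a new MySQL user, which is why caching and renewing the lease is on the TO DO list.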

Let's Do It!

(Demo)

TO DO's


  • Cache & automatically renew MySQL leases
  • Use an "Auth Backend" (AppRole?) to replace vault_token.json
  • Degrade gracefully

Vault

By Gabriel Somoza

A quick intro to PHP and Vault