Cloud Foundry Summit Silicon Valley 2017

Vault is a popular open source tool for managing application secrets at scale, and it uses an innovative approach to secret acquisition and managing the lifecycle of credentials over time. This approach is not without tradeoffs, since it often goes against common architectures, and Cloud Foundry is no exception.

Unlike traditional secret acquisition which is just a single request, Vault requires a regular updates from the application. This is very akin to a DHCP lease or a TTL. If an application dies or is restarted, it requests new credentials, and it renews those credentials over time. Unused credentials are automatically revoked, reducing the secret sprawl and decreasing the attack surface. Additionally, each instance of an application receives a different credential; if an attacker is able to compromise one application, it's easy to revoke a single credential without causing application downtime.

Seth will discuss the architecture of the Cloud Foundry Vault integration, exploring technical challenges exposed by both Vault's own architecture and design decisions in Cloud Foundry in implementing the Cloud Foundry Vault broker, which controls the distribution of secrets to applications running under Cloud Foundry.