Dynamic Azure Credentials for Applications and CI/CD Pipelines

1 like1,669 views

The document details a webinar on dynamic Azure credentials for applications and CI/CD pipelines presented by HashiCorp, highlighting its importance in maintaining security while transitioning to cloud infrastructure. Key topics include Vault's capabilities for managing secrets, the advantages of dynamic credentials, and a demonstration of how to secure CI/CD processes using Terraform. The session also covers benefits like unique application instance credentials, least privilege roles, and the ability to audit and revoke access easily.

Software

© 2019 HashiCorp
Dynamic Azure
Credentials for
Applications and CI/CD
Pipelines
SE Webinar - July 21st, 2020
Kawsar Kamal - Staﬀ Solution Engineer (http://kawsark.gitlab.io)
Brianna DeLuca - Sr. Field Marketing Manager

Agenda
● Introductions (Brianna) - 5
● Vault overview (Kawsar) - 10
● Demo (Kawsar) - 20
● Q/A (moderated by Brianna) - 15

Objectives
● Business driver: move to cloud while maintaining high security posture.

A generational transition is underway
Traditional datacenter
“Static”
Modern datacenter
“Dynamic”
Dedicated
infrastructure
Private cloud
SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT
Public multi-cloud
+

The HashiCorp Stack
A control plane for every layer of the cloud operating model
Run
Development Cloud Application Automation
Connect
Networking Cloud Networking Automation
Secure
Security Cloud Security Automation
Provision
Operations Cloud Infrastructure Automation
vSphere
Various
Hardware
Identity:
AD/LDAP
Terraform
EKS / ECS
Lambda
CloudApp/
AppMesh
Identity:
AWS IAM
Cloud
Formation
AKS / ACS
Azure Functions
Proprietary
Identity:
Azure AD
Resource
Manager
GKE Cloud
Functions
Proprietary
Identity:
GCP IAM
Cloud
Deployment
Manager

Vault: Manage Secrets and Protect
sensitive data
*slide from HashiCorp corporate overview
High Trust
Long-lived IP, clear network
perimeter.
Low Trust
No clear perimeter
Mixed identities: Cloud, VMs,
Container, Serverless
Maintained by
HashiCorp
Written in Go Cloud
agnostic
Opensource
community

Vault
Manage Secrets and Protect sensitive Data
Secrets management to centrally store and
protect secrets across clouds and applications
Data encryption to keep application data secure
across environments and workloads
Advanced Data Protection to secure workloads
and data across traditional systems, clouds, and
infrastructure.
300+
Enterprise
Customers
1M+
Monthly D/Ls
2T+
Transactions
Trusted by:

Azure plugins
Dynamically generates Azure service
principals along with role and group
assignments. Or new password will be
dynamically generated for existing
service principals.
The azure auth method allows
authentication against Vault using
Azure credentials.
Azure Auth Method Azure Secrets Engine

Terraform Enterprise
Demo: Securing CI/CD Pipeline
Version Control
CI/CD
Terraform IaC
(*.tf)
AKS
Workspace

Key beneﬁts
● Azure credentials are unique to each application instance - no password sharing.
● Cloud credentials have least privilege roles to limit blast radius.
● Cloud credentials are time bound so in case of a credential leak, the risk of it being valid is
limited.
● Credentials can be audited to check which application instance retrieved a secret.
● Easy to revoke credentials if needed.

Resources
Demo repository https://gitlab.com/kawsark/vault-azure-demo
Azure Secrets Engine https://www.vaultproject.io/docs/secrets/azure
Blog post
https://medium.com/hashicorp-engineering/onboarding-the-azure-secrets-engine-for-vault-f09d48c68b69?sour
ce=friends_link&sk=59acf7d78362a48bf6cb039385776114
Azure Authentication Method https://www.vaultproject.io/docs/auth/azure
Webinar Assets This will be emailed
Vault 1.4 Blog post https://www.hashicorp.com/blog/vault-1-4/
Deploying Vault in Kubernetes https://www.vaultproject.io/docs/platform/k8s/helm/run
Terraform for AKS https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/kubernetes
Transform Secrets Engine
wrapper
https://github.com/kawsark/transform.py

More Related Content

What's hot (20)

PDF

Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018Cloudify Community

PDF

Understanding Service Mesh on Azure with HashiCorp ConsulMitchell Pronschinske

PDF

Using Google Cloud Services with Spring Boot and Pivotal Cloud Foundry (Pivot...VMware Tanzu

PDF

運用高效、敏捷全新平台極速落實雲原生開發inwin stack

PPTX

Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon

PDF

stackconf 2021 | Stretching the Service Mesh Beyond the CloudsNETWAYS

PDF

DevSecOps with ConfidenceVMware Tanzu

PDF

stackconf 2021 | Reference Architecture for a Cloud Native Digital EnterpriseNETWAYS

PDF

Unlocking the Cloud operating model with GitHub ActionsMitchell Pronschinske

PPTX

Adopting Azure, Cloud Foundry and Microservice Architecture at Merrill Corpor...VMware Tanzu

PDF

stackconf 2021 | Data Driven SecurityNETWAYS

PDF

NGINX Controller: faster deployments, fewer headachesKangaroot

PDF

Automating security in aws with divvy cloudJohn Varghese

PDF

Securing APIs for ultimate security and privacy with Azure | Codit WebinarCodit

PDF

Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com

PPTX

Swarm Computing Next Generation Clouds and the role of SOAJürgen Kress

PPTX

Cloud Native Demystified: Build Once, Run Anywhere!Codit

PPTX

Unlocking the Cloud Operating Model: DeploymentMitchell Pronschinske

PPTX

Azure IPaaS: Integration Evolved! (Glenn Colpaert @TechdaysNL 2017)Codit

PDF

Delivering-Off-The-Shelf Software with Kubernetes- November 12, 2020VMware Tanzu

Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018Cloudify Community

Understanding Service Mesh on Azure with HashiCorp ConsulMitchell Pronschinske

Using Google Cloud Services with Spring Boot and Pivotal Cloud Foundry (Pivot...VMware Tanzu

運用高效、敏捷全新平台極速落實雲原生開發inwin stack

Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon

stackconf 2021 | Stretching the Service Mesh Beyond the CloudsNETWAYS

DevSecOps with ConfidenceVMware Tanzu

stackconf 2021 | Reference Architecture for a Cloud Native Digital EnterpriseNETWAYS

Unlocking the Cloud operating model with GitHub ActionsMitchell Pronschinske

Adopting Azure, Cloud Foundry and Microservice Architecture at Merrill Corpor...VMware Tanzu

stackconf 2021 | Data Driven SecurityNETWAYS

NGINX Controller: faster deployments, fewer headachesKangaroot

Automating security in aws with divvy cloudJohn Varghese

Securing APIs for ultimate security and privacy with Azure | Codit WebinarCodit

Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com

Swarm Computing Next Generation Clouds and the role of SOAJürgen Kress

Cloud Native Demystified: Build Once, Run Anywhere!Codit

Unlocking the Cloud Operating Model: DeploymentMitchell Pronschinske

Azure IPaaS: Integration Evolved! (Glenn Colpaert @TechdaysNL 2017)Codit

Delivering-Off-The-Shelf Software with Kubernetes- November 12, 2020VMware Tanzu

Similar to Dynamic Azure Credentials for Applications and CI/CD Pipelines (20)

PPTX

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira

PPTX

Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove

PPTX

Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Tom Kerkhove

PPTX

Managing your secrets in a cloud environmentTaswar Bhatti

PPTX

Azure Key Vault - Getting StartedTaswar Bhatti

PPTX

Techdays Finland 2018 - Building secure cloud applications with Azure Key VaultTom Kerkhove

PPTX

ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove

PPTX

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit

PDF

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp

PPTX

Vault Open Source vs Enterprise v2Stenio Ferreira

PPTX

Vault Digital TransformationStenio Ferreira

PDF

Vault 101Hazzim Anaya

PPTX

AzureSecurity - Day3 - Storage And Key Vault2nd Sight Lab

PPTX

Zero Credential Development with Managed IdentitiesJoonas Westlin

PDF

Azure Meetup: Keep your secrets and configurations safe in azure!dotnetcode

PPTX

Zero credential development with managed identitiesJoonas Westlin

PPTX

Zero Credential Development with Managed Identities for Azure resourcesJoonas Westlin

PPTX

Zero credential development with managed identitiesJoonas Westlin

PDF

Service for Storing Secrets on Microsoft Azure.pdfZen Bit Tech

PDF

Secretsth-Azure-KeyVault-and-Azure-App.pdfs87j3

Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira

Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove

Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Tom Kerkhove

Managing your secrets in a cloud environmentTaswar Bhatti

Azure Key Vault - Getting StartedTaswar Bhatti

Techdays Finland 2018 - Building secure cloud applications with Azure Key VaultTom Kerkhove

ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp

Vault Open Source vs Enterprise v2Stenio Ferreira

Vault Digital TransformationStenio Ferreira

Vault 101Hazzim Anaya

AzureSecurity - Day3 - Storage And Key Vault2nd Sight Lab

Zero Credential Development with Managed IdentitiesJoonas Westlin

Azure Meetup: Keep your secrets and configurations safe in azure!dotnetcode

Zero credential development with managed identitiesJoonas Westlin

Zero Credential Development with Managed Identities for Azure resourcesJoonas Westlin

Zero credential development with managed identitiesJoonas Westlin

Service for Storing Secrets on Microsoft Azure.pdfZen Bit Tech

Secretsth-Azure-KeyVault-and-Azure-App.pdfs87j3

More from Mitchell Pronschinske (20)

PDF

Code quality for TerraformMitchell Pronschinske

PPTX

Empowering developers and operators through Gitlab and HashiCorpMitchell Pronschinske

PPTX

Automate and simplify multi cloud complexity with f5 and hashi corpMitchell Pronschinske

PDF

Vault 1.5 OverviewMitchell Pronschinske

PPTX

Using new sentinel features in terraform cloudMitchell Pronschinske

PDF

Military Edge Computing with Vault and ConsulMitchell Pronschinske

PDF

Vault 1.4 integrated storage overviewMitchell Pronschinske

PDF

Unlocking the Cloud Operating ModelMitchell Pronschinske

PPTX

Cisco ACI with HashiCorp Terraform (APAC)Mitchell Pronschinske

PPTX

Governance for Multiple Teams Sharing a Nomad ClusterMitchell Pronschinske

PDF

Integrating Terraform and ConsulMitchell Pronschinske

PPTX

Keeping a Secret with HashiCorp VaultMitchell Pronschinske

PPTX

Modern Scheduling for Modern Applications with NomadMitchell Pronschinske

PPTX

Moving to a Microservice World: Leveraging Consul on AzureMitchell Pronschinske

PPTX

Remote Culture at HashiCorpMitchell Pronschinske

PPTX

Rapid Infrastructure in Hybrid EnvironmentsMitchell Pronschinske

PDF

Vault 1.4 launch webinar Mitchell Pronschinske

PDF

From Terraform OSS to EnterpriseMitchell Pronschinske

PDF

Intermediate HCL: Configuration Languages in HCL2Mitchell Pronschinske

PDF

Post quantum cryptography in vault (hashi talks 2020)Mitchell Pronschinske

Code quality for TerraformMitchell Pronschinske

Empowering developers and operators through Gitlab and HashiCorpMitchell Pronschinske

Automate and simplify multi cloud complexity with f5 and hashi corpMitchell Pronschinske

Vault 1.5 OverviewMitchell Pronschinske

Using new sentinel features in terraform cloudMitchell Pronschinske

Military Edge Computing with Vault and ConsulMitchell Pronschinske

Vault 1.4 integrated storage overviewMitchell Pronschinske

Unlocking the Cloud Operating ModelMitchell Pronschinske

Cisco ACI with HashiCorp Terraform (APAC)Mitchell Pronschinske

Governance for Multiple Teams Sharing a Nomad ClusterMitchell Pronschinske

Integrating Terraform and ConsulMitchell Pronschinske

Keeping a Secret with HashiCorp VaultMitchell Pronschinske

Modern Scheduling for Modern Applications with NomadMitchell Pronschinske

Moving to a Microservice World: Leveraging Consul on AzureMitchell Pronschinske

Remote Culture at HashiCorpMitchell Pronschinske

Rapid Infrastructure in Hybrid EnvironmentsMitchell Pronschinske

Vault 1.4 launch webinar Mitchell Pronschinske

From Terraform OSS to EnterpriseMitchell Pronschinske

Intermediate HCL: Configuration Languages in HCL2Mitchell Pronschinske

Post quantum cryptography in vault (hashi talks 2020)Mitchell Pronschinske

Recently uploaded (20)

PPTX

Revolutionizing Code Modernization with AIKrzysztofKkol1

PPTX

Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...klpathrudu

PDF

Revenue streams of the Wazirx clone script.pdfaaronjeffray

PDF

Digger Solo: Semantic search and maps for your local filesseanpedersen96

PDF

Linux Certificate of Completion - LabEx CertificateVICTOR MAESTRE RAMIREZ

PPTX

MailsDaddy Outlook OST to PST converter.pptxabhishekdutt366

PDF

GetOnCRM Speeds Up Agentforce 3 Deployment for Enterprise AI Wins.pdfGetOnCRM Solutions

PDF

Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...VictoriaMetrics

PDF

Powering GIS with FME and VertiGIS - Peak of Data & AI 2025Safe Software

PDF

Capcut Pro Crack For PC Latest Version {Fully Unlocked} 2025hashhshs786

PPTX

Engineering the Java Web Application (MVC)abhishekoza1981

PPTX

Migrating Millions of Users with Debezium, Apache Kafka, and an Acyclic Synch...MD Sayem Ahmed

PPTX

An Introduction to ZAP by Checkmarx - Official VersionSimon Bennetts

PDF

Odoo CRM vs Zoho CRM: Honest Comparison 2025 Odiware Technologies Private Limited

PDF

Beyond Binaries: Understanding Diversity and Allyship in a Global Workplace -...Imma Valls Bernaus

PDF

Unlock Efficiency with Insurance Policy Administration SystemsInsurance Tech Services

PPTX

Tally software_Introduction_PresentationAditiBansal54083

PPTX

Platform for Enterprise Solution - Java EE5abhishekoza1981

PPTX

MiniTool Power Data Recovery Full Crack Latest 2025muhammadgurbazkhan

PPTX

Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptxVarsha Nayak

Revolutionizing Code Modernization with AIKrzysztofKkol1

Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...klpathrudu

Revenue streams of the Wazirx clone script.pdfaaronjeffray

Digger Solo: Semantic search and maps for your local filesseanpedersen96

Linux Certificate of Completion - LabEx CertificateVICTOR MAESTRE RAMIREZ

MailsDaddy Outlook OST to PST converter.pptxabhishekdutt366

GetOnCRM Speeds Up Agentforce 3 Deployment for Enterprise AI Wins.pdfGetOnCRM Solutions

Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...VictoriaMetrics

Powering GIS with FME and VertiGIS - Peak of Data & AI 2025Safe Software

Capcut Pro Crack For PC Latest Version {Fully Unlocked} 2025hashhshs786

Engineering the Java Web Application (MVC)abhishekoza1981

Migrating Millions of Users with Debezium, Apache Kafka, and an Acyclic Synch...MD Sayem Ahmed

An Introduction to ZAP by Checkmarx - Official VersionSimon Bennetts

Odoo CRM vs Zoho CRM: Honest Comparison 2025 Odiware Technologies Private Limited

Beyond Binaries: Understanding Diversity and Allyship in a Global Workplace -...Imma Valls Bernaus

Unlock Efficiency with Insurance Policy Administration SystemsInsurance Tech Services

Tally software_Introduction_PresentationAditiBansal54083

Platform for Enterprise Solution - Java EE5abhishekoza1981

MiniTool Power Data Recovery Full Crack Latest 2025muhammadgurbazkhan

Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptxVarsha Nayak

Dynamic Azure Credentials for Applications and CI/CD Pipelines

1. © 2019 HashiCorp Dynamic Azure Credentials for Applications and CI/CD Pipelines SE Webinar - July 21st, 2020 Kawsar Kamal - Staﬀ Solution Engineer (http://kawsark.gitlab.io) Brianna DeLuca - Sr. Field Marketing Manager

2. Agenda ● Introductions (Brianna) - 5 ● Vault overview (Kawsar) - 10 ● Demo (Kawsar) - 20 ● Q/A (moderated by Brianna) - 15

3. Objectives ● Business driver: move to cloud while maintaining high security posture.

4. A generational transition is underway Traditional datacenter “Static” Modern datacenter “Dynamic” Dedicated infrastructure Private cloud SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT Public multi-cloud +

5. The HashiCorp Stack A control plane for every layer of the cloud operating model Run Development Cloud Application Automation Connect Networking Cloud Networking Automation Secure Security Cloud Security Automation Provision Operations Cloud Infrastructure Automation vSphere Various Hardware Identity: AD/LDAP Terraform EKS / ECS Lambda CloudApp/ AppMesh Identity: AWS IAM Cloud Formation AKS / ACS Azure Functions Proprietary Identity: Azure AD Resource Manager GKE Cloud Functions Proprietary Identity: GCP IAM Cloud Deployment Manager

6. Vault: Manage Secrets and Protect sensitive data *slide from HashiCorp corporate overview High Trust Long-lived IP, clear network perimeter. Low Trust No clear perimeter Mixed identities: Cloud, VMs, Container, Serverless Maintained by HashiCorp Written in Go Cloud agnostic Opensource community

7. Vault Manage Secrets and Protect sensitive Data Secrets management to centrally store and protect secrets across clouds and applications Data encryption to keep application data secure across environments and workloads Advanced Data Protection to secure workloads and data across traditional systems, clouds, and infrastructure. 300+ Enterprise Customers 1M+ Monthly D/Ls 2T+ Transactions Trusted by:

8. How Vault works

9. Azure plugins Dynamically generates Azure service principals along with role and group assignments. Or new password will be dynamically generated for existing service principals. The azure auth method allows authentication against Vault using Azure credentials. Azure Auth Method Azure Secrets Engine

10. Dynamic credentials

11. Demo: Dynamic credentials

12. Terraform Enterprise Demo: Securing CI/CD Pipeline Version Control CI/CD Terraform IaC (*.tf) AKS Workspace

13. Key beneﬁts ● Azure credentials are unique to each application instance - no password sharing. ● Cloud credentials have least privilege roles to limit blast radius. ● Cloud credentials are time bound so in case of a credential leak, the risk of it being valid is limited. ● Credentials can be audited to check which application instance retrieved a secret. ● Easy to revoke credentials if needed.

14. Q/A

15. Resources Demo repository https://gitlab.com/kawsark/vault-azure-demo Azure Secrets Engine https://www.vaultproject.io/docs/secrets/azure Blog post https://medium.com/hashicorp-engineering/onboarding-the-azure-secrets-engine-for-vault-f09d48c68b69?sour ce=friends_link&sk=59acf7d78362a48bf6cb039385776114 Azure Authentication Method https://www.vaultproject.io/docs/auth/azure Webinar Assets This will be emailed Vault 1.4 Blog post https://www.hashicorp.com/blog/vault-1-4/ Deploying Vault in Kubernetes https://www.vaultproject.io/docs/platform/k8s/helm/run Terraform for AKS https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/kubernetes Transform Secrets Engine wrapper https://github.com/kawsark/transform.py