#ops (2018-08)
Archive: https://archive.sweetops.com/ops/
2018-08-22
@melynda.hunter has joined the channel
2018-08-27
@tolstikov has joined the channel
@loweryr has joined the channel
2018-08-28
@justin.dynamicd has joined the channel
It’s a bit of effort to get things like MFA/dynamic passwords pushed “down the stack” .. but oddly enough you end up with less maintenance later if you can pull it off. Well worth the journey IMO
yea, also with the new push-style notifications of Okta/Duo/Google, it doesn’t annoy me as much
I’d like to get push for AWS MFA
SAML is as close as I’ve gotten. Set your MFA there and use the SAML token to pass into AWS.
fall back to those horrid keys they sell for your root … cause … nothing else works
yea, those are the escape hatch
then for programmatic access I’ve become a Vault fan. Let users dynamically request temporary creds, and you can gate vault with MFA as well
so far used it with both Okta/Centrify. Not tried Duo
vault as in hashicorp vault?
yup
cool
I keep forgetting there’s technically lots of vaults out there …
yea, and we’re big on using aws-vault
(so for a second I was surprised to learn it supported Okta) - but we’re talking about another vault
yea, I’ve seen that feature of hashicorp’s vault
It’s nice. Hardest part becomes policy management … but it’s been solid on the stability front
we’ve just done a poc with vault. all-in-all, liked it. it was pretty simple to set up. the security architecture too was pretty sweet (the “two man rule” for unlocking vaults)
but it scared me from an operational perspective (just from lack of experience with it) - what happens if all vaults get restarted
if you don’t automate the unsealing, that’s a forced outage
or pay for enterprise which can auto-unseal against an HSM
but yeah I hear you
so running vault under kubernetes, we automated the unsealing
but it felt “wrong”
I actually went full paranoid where I deployed it and did NOT use containers. It sat on instances built using packer from the terraform.io registry
was too concerned about a container reshuffle causing things to happen
but in general I don’t think it ever went down except when I messed up a health check so the proxy “thought” it was down (oops) … so I left the unseal manual
current place has “cyberark” in place … its API is horrible. Just the worst
I am not familiar with cyberark
what’s that?
similar in concept to hashicorp vault or AWS-vault … but honestly I’m not impressed so far: https://www.cyberark.com/
CyberArk is the only security software company focused on eliminating cyber threats using insider privileges to attack the heart of the enterprise.
it “feels” like old software, if that makes sense
2018-08-29
@Raghu has joined the channel