#ops (2018-08)
Archive: https://archive.sweetops.com/ops/
2018-08-22
@melynda.hunter has joined the channel
2018-08-27
@tolstikov has joined the channel
@loweryr has joined the channel
2018-08-28
@justin.dynamicd has joined the channel
@justin.dynamicd: It’s a bit of effort to get things like MFA/dynamic passwords pushed “down the stack” .. but oddly enough you end up with less maintenance later if you can pull it off. Well worth the journey IMO
@Erik Osterman (Cloud Posse): yea, also with the new push-style notifications of Okta/Duo/Google, it doesn’t annoy me as much
@Erik Osterman (Cloud Posse): I’d like to get push for AWS MFA
@justin.dynamicd: SAML is as close as I’ve gotten. Set your MFA there and use the SAML token to pass into AWS.
@justin.dynamicd: fall back to those horrid keys they sell for your root … cause … nothing else works
@Erik Osterman (Cloud Posse): yea, those are the escape hatch
@justin.dynamicd: then for programmatic access I’ve become a Vault fan. Let users dynamically request temporary creds, and you can gate Vault with MFA as well
@justin.dynamicd: so far used it with both Okta/Centrify. Not tried Duo
@Erik Osterman (Cloud Posse): vault as in HashiCorp Vault?
@justin.dynamicd: yup
@Erik Osterman (Cloud Posse): cool
@justin.dynamicd: I keep forgetting there’s technically lots of vaults out there …
@Erik Osterman (Cloud Posse): yea, and we’re big on using aws-vault
(so for a second I was surprised to learn it supported Okta) - but we’re talking about another vault
@Erik Osterman (Cloud Posse): yea, I’ve seen that feature of HashiCorp’s Vault
@justin.dynamicd: It’s nice. Hardest part becomes policy management … but it’s been solid on the stability front
@Erik Osterman (Cloud Posse): we’ve just done a PoC with Vault. all-in-all, liked it. it was pretty simple to set up. the security architecture too was pretty sweet (the “two man rule” for unlocking vaults)
@Erik Osterman (Cloud Posse): but it scared me from an operational perspective (just from lack of experience with it) - what happens if all vaults get restarted
@Erik Osterman (Cloud Posse): if you don’t automate the unsealing, that’s a forced outage
@justin.dynamicd: or pay for Enterprise which can auto-unseal against an HSM
@justin.dynamicd: but yeah I hear you
@Erik Osterman (Cloud Posse): so running Vault under Kubernetes, we automated the unsealing
@Erik Osterman (Cloud Posse): but it felt “wrong”
@justin.dynamicd: I actually went full paranoid where I deployed it and did NOT use containers. It sat on instances built using Packer from the terraform.io registry
@justin.dynamicd: was too concerned about a container reshuffle causing things to happen
@justin.dynamicd: but in general I don’t think it ever went down except when I messed up a health check so the proxy “thought” it was down (oops) … so I left the unseal manual
@justin.dynamicd: current place has “CyberArk” in place … its API is horrible. Just the worst
@Erik Osterman (Cloud Posse): i am not familiar with CyberArk
@Erik Osterman (Cloud Posse): what’s that?
@justin.dynamicd: similar in concept to HashiCorp Vault or aws-vault … but honestly I’m not impressed so far: https://www.cyberark.com/
@justin.dynamicd: it “feels” like old software, if that makes sense
2018-08-29
@Raghu has joined the channel