@nibanazar1882 2 years ago
Could you pls let me know is there any video you have made about “vault + GnuPG”
@TeKanAid 2 years ago
@@nibanazar1882 Hi Niba, I don't, but it should be straightforward to use GnuPG to initialize Vault. Take a look at this guide: www.vaultproject.io/docs/concepts/pgp-gpg-keybase#initializing-with-gnupg
@Qamarkhan007 2 years ago
Fantastic video. You connected the dots. Thank you for doing this.
@TeKanAid 2 years ago
Glad it was helpful!
@havoc141 2 years ago
Sam, thank you for the awesome introductory video and demo!
@TeKanAid 2 years ago
You're welcome!
@criyotutorials6560 2 years ago
Thanks for the video, lot of knowledge given. Please as a recommendation, explain the code used in the demo at least the area where you connect to the DB and where you retrieve secrets from vault. Thanks
@TeKanAid 2 years ago
Thank you for the feedback, will do.
@yibambe148 2 years ago
Fantastic demonstration
@TeKanAid 2 years ago
Thank you!
@Kk-rl7nv 6 months ago
Sam, thanks for the video. Can you suggest: when the password expires and a new username and password are generated to renew/rotate, is there any downtime in that scenario? I am thinking of this for production applications.
@TeKanAid 6 months ago
You can configure the time to live for the password. It really depends on the application, but it's always good to have it short-lived, maybe a week or so. However, the application needs to have the intelligence to reach out to Vault and generate new credentials whenever it fails to connect to a database, for example.
@edribeirojunior 2 years ago
Awesome video, thanks for sharing!
@TeKanAid 2 years ago
Thank you! Glad it helped.
@khazarhajiyev7710 11 months ago
great video! thanks! Just thinking about the vault root token, can't we rotate it dynamically?
@TeKanAid 11 months ago
It's possible via an external script but not a good practice. The root token needs to be revoked once an auth method with admin privileges is created.
@khazarhajiyev7710 11 months ago
@@TeKanAid thanks for the reply! I actually meant, how would it be rotating any token, I mean, for instance, token for accessing DB from APP? Because these tokens are also stealable, aren't they?
@TeKanAid 11 months ago
@@khazarhajiyev7710 That's the beauty of dynamic secrets. They have a time-to-live. Once it expires, the token is useless. If the app wants to access the DB again, it has to create a new dynamic secret with a new TTL.
@abhishekpandey648 3 years ago
Amazing understanding, thanks a lot, really appreciate your knowledge and the way of making things understandable. Can you please make a video on how to encrypt field data in mongo and also how to configure redis with vault?
@TeKanAid 3 years ago
Thank you! I do go over encryption for mongodb in this video kzbin.info/www/bejne/pHfSnKqtlryhftk check it out. I don't have a video for Redis and Vault, I'll consider making one.
@abhishekpandey648 3 years ago
@@TeKanAid Can we also rotate the vault token periodically? If yes then how?
@TeKanAid 3 years ago
Yes, you can do that by calling the REST API or by using the Vault agent. The Vault agent takes care of auto-auth on your behalf so you don't need to embed that function into your app's code. Take a look at the documentation: www.vaultproject.io/docs/agent/autoauth. I also have a couple of videos on the Vault agent: kzbin.info/www/bejne/roC2e4KJib-Ujqc
@MrLavan14 3 years ago
Thank you, it's a good introduction video. Good job :)
@TeKanAid 3 years ago
Thank you
@gzoechi 11 months ago
How is it ensured that only authorized apps can request new credentials? I somehow missed that step.
@TeKanAid 10 months ago
In HashiCorp Vault, ensuring that only authorized applications can request new credentials revolves around authentication and access policies. Here's a simple breakdown:
Authentication: First off, each application or user that needs to access Vault must authenticate themselves. Vault supports various authentication methods like tokens, username/password, cloud identities, and more. When an app or a user authenticates, Vault issues a token. Think of this token like a session ID. It's proof that the app has logged in successfully.
Access Policies: After authentication, access policies come into play. These are rules written in HashiCorp Configuration Language (HCL) that determine what an authenticated user or application can do. Policies are attached to the tokens. So, when an app gets its token after authentication, this token is linked with certain policies that dictate what the app can and cannot do in Vault.
Dynamic Secrets: When an application requests dynamic secrets, Vault checks the token it presents. It looks at the policies attached to this token to see if the app has the necessary permissions to request these secrets. If the policies allow it, Vault then generates the dynamic secret (like a database credential). If not, the request is denied.
Lease and Revocation: Dynamic secrets come with a lease. This means they're only valid for a certain period. Vault automatically invalidates these credentials after the lease expires. Additionally, Vault admins can manually revoke these credentials anytime if needed, adding an extra layer of control.
Example Scenario: Let's say you have an app that needs to access a database. You'd set up Vault to:
Authenticate your app (maybe using a specific role tied to your app's identity).
Attach a policy to the app's token that permits it to access only specific paths in Vault where dynamic DB credentials are generated.
When the app requests credentials, Vault checks the token, sees it has the right policies, and issues the credentials with a time-bound lease.
Hope this helps.
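The client side of the flow in the answer above, and of the earlier reply about short TTLs, as an added example that is not code from the video or from any commenter: the app reads `database/creds/<role>` with its token, treats a 403 as a policy denial, caches the credential until most of the lease has elapsed, and fetches a new one if the database rejects the login. `VAULT_ADDR`, the role name `app-role`, `DBAuthError`, and the 80% refresh point are assumptions chosen for illustration.

```python
import json
import time
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: local Vault address
DB_ROLE = "app-role"                  # hypothetical database role name


class DBAuthError(Exception):
    """Stand-in for the DB driver's 'login rejected' error (hypothetical)."""


def vault_read_creds(token, role=DB_ROLE, addr=VAULT_ADDR):
    """GET /v1/database/creds/<role>; Vault returns 403 when the token's policies deny it."""
    req = urllib.request.Request(f"{addr}/v1/database/creds/{role}",
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError(f"policy denies read on database/creds/{role}") from err
        raise


class LeasedCreds:
    """Caches one dynamic credential and replaces it before its lease runs out."""

    def __init__(self, token, read=vault_read_creds, clock=time.monotonic, refresh_at=0.8):
        self.token, self.read, self.clock, self.refresh_at = token, read, clock, refresh_at
        self.creds, self.deadline = None, 0.0

    def get(self, force=False):
        # Fetch when forced, when nothing is cached, or once 80% of the lease has elapsed.
        if force or self.creds is None or self.clock() >= self.deadline:
            body = self.read(self.token)
            data = body["data"]
            self.creds = (data["username"], data["password"])
            self.deadline = self.clock() + body["lease_duration"] * self.refresh_at
        return self.creds

    def run(self, connect):
        """Call connect(user, password); if the DB rejects the login, refetch and retry once."""
        try:
            return connect(*self.get())
        except DBAuthError:
            return connect(*self.get(force=True))
```

Refreshing before the lease expires is what avoids a failed connection at rotation time; the single retry in `run` covers a credential that was revoked early.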
@senk0than 4 years ago
cool beans - this is so cool..Thanks sam
@TeKanAid 4 years ago
Thanks, Senthil
@nelsonguamanleiva3198 3 years ago
Thanks !!
@TeKanAid 3 years ago
You're welcome!
@AbhayAR 1 year ago
Hi Sir, can you guide me on how to use Vault in production mode? We have a Jenkins pipeline and want to integrate in Jenkins to scan GitHub secrets. I am new to this.
@TeKanAid 1 year ago
Hi, I have a couple of courses that go into the details of running Vault in production. You can find them at courses.tekanaid.com
@rajasekharperikala344 4 years ago
I am looking to rotate Vault passwords in a WebSphere datasource. How to update the datasource with Vault password rotation?
@TeKanAid 4 years ago
The available database secrets engines are found here: www.vaultproject.io/docs/secrets/databases. For your use case, if you want to do dynamic secrets, you could write a custom plugin as per www.vaultproject.io/docs/secrets/databases/custom. You could also use the K/V secrets engine and write a script to automatically rotate these secrets. Here is the API doc for it: www.vaultproject.io/api/secret/kv/kv-v2.html