Dynamic Database Credentials by Sean Chittenden

Tuesday, November 15 at 4:40-5:35

In either bare metal or cloud environments, application hosts come and go automatically.  If application hosts come and go dynamically, why should application usernames and passwords be static?  In this session we will discuss the setup and use of Vault for securing the access from application hosts to PostgreSQL (both credentials and SSL certs) in a way that provides both revocability and auditability.  This talk will include:

• A quick introduction and setup of an HA Vault cluster
• Setting up an "AppRole" Backend
• Integration of the "AppRole" Backend into sample applications (JDBC, Rails, Python, and Go)
• Benefits for administrators and Security Officers of the AppRole backend
• SSL Cert Management for encrypted connections from app hosts to databases

About the speaker

Sean Chittenden is a longtime user and administrator of PostgreSQL. Formerly an Architect for Groupon Production Operations, Sean now hails from HashiCorp where he is focused on security, high-availability, and the advancement of operational best practices for companies using open source tools. Sean is a long-time participant  of  the PostgreSQL and FreeBSD communities and a 15+ year veteran of  large scale  web infrastructure. Sean's notable recent projects pg_consul and designing and building Groupon's internal Database-as-a-Service offering.