3546 - Terraform + Vault: Secure, Automated Provisioning for the Enterprise (17-page PDF)
Copyright 2021 HashiCorp

Dynamic Provider Credentials Backed by HashiCorp Vault
Enabling Zero-Trust Authentication between HCP Terraform and AWS
September 2025
Dan Schneider, Sr. Solutions Architect

So what's the problem?
Understanding the problem Dynamic Provider Credentials are designed to solve.

01 Setting the stage

Providers need credentials! But you certainly don't want them within your configuration file:

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "6.0"
        }
      }
    }

    provider "aws" {
      region     = "us-west-2"
      access_key = "superrealaccesskey"
      secret_key = "ishouldntbehere"
    }

Workspace variables only get you so far.

02 Setting the stage / Zero-Trust

Zero Trust Architecture: NIST Special Publication 800-207
Core Tenets of Zero Trust

"Per-Session Access": NIST mandates that "Access to individual enterprise resources is granted on a per-session basis."

"No Implicit Trust": NIST states that Zero Trust "assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location."

"Dynamic Policy": NIST requires that "Access to resources is determined by dynamic policy, including the observable state of client identity, application/service, and the requesting asset."

Vault was designed for Zero Trust

Contrary to popular belief, Vault is not just a secure place to store secrets. Vault is an identity broker.

Terraform Workload Identity

    iss: https://app.terraform.io
    aud: vault.workload.identity
    sub: organization:djs-tfcb:project:aws-webinar:workspace:vault-backed-aws-credentials:run_phase:apply
    terraform_full_workspace: organization:djs-tfcb:project:aws-webinar:workspace:vault-backed-aws-credentials
    terraform_run_id: run-X3n1AUXNGWbfECsJ
    terraform_run_phase: apply

The JWT token provides each run with a unique and verifiable "fingerprint"