We've been using Hashicorp's Vault (https://vaultproject.io) to secure secrets for our applications deployed via Marathon. Currently we've just locked down Marathon and use vault's token auth per application to access secrets. However, we've done a lot of work in the last few months to authenticate apps via checking Mesos and Marathon to see if the task is actually authentic and then will trust it: https://github.com/Banno/vault/commit/62deeb6866abd8ea95a9f2f2fe60c0f605075494
Overall Vault has been a great addition to our stack.

On Mon, Jan 11, 2016 at 8:28 AM, Robert Vežnaver <[email protected]> wrote:
> Hi,
>
> We give each app a private/public key pair, and let the developers encrypt any environment variable with their app's public key (we also base64 encode the ciphertext).
> Then instead of calling the usual "/bin/sh", we call a small bash wrapper script which decrypts the desired environment variables prior to running the app.
>
> Note that our cluster is managed by Chef, so we ensure that:
> - both the user and the private key are set up
> - each app is running as its own user
> - each app may access only its own private key
>
> As an added bonus, the wrapper script:
> - wraps stdout and stderr and forwards them to the local syslog (which then forwards them to Elasticsearch)
> - automatically decrypts any environment variable that starts with "SECRET_" (so they don't have to specify anything when calling the command)
>
> Hope this gives you an idea or two,
>
> Cheers,
> Robert
>
>
> On 11 January 2016 at 15:04, Erb, Stephan <[email protected]> wrote:
> > Hi everyone,
> >
> > I'd like to explore mechanisms to provide secrets to applications deployed on Mesos (e.g. via Marathon or Apache Aurora).
> >
> > The classical workflow of having the passwords encrypted in the local git repository and only decrypted during deployment (for example via ansible vault) tends to fall too short. From the user perspective the deployment is done once its job has been submitted to the service scheduler. Then however, the passwords would be unsecured when traveling through the various Mesos and scheduler layers. It might potentially be visible to anyone having access to either the scheduler or the Mesos UI.
> >
> > One possible solution is to provide an out-of-band mechanism to distribute passwords to all slaves and to protect those passwords using the regular Linux permissions, making them only accessible to authorized tasks. Other solutions might involve the integration of tools like HashiCorp Vault or Square Keywhiz.
> >
> > Is anyone willing to share his/her experience with handling such secrets?
> >
> > Thanks and Best Regards,
> > Stephan
>

-- 
*Luke Amdor* | Platform Lead Architect | *Banno* Des Moines IA 50309 | Cell 515.231.4033
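The wrapper Robert describes (decrypt every SECRET_-prefixed environment variable with the app's private key, then run the app), as an added example written for this thread rather than Robert's own script. It assumes each value is base64 of RSA-OAEP ciphertext made with the app's public key, a hypothetical APP_PRIVATE_KEY variable naming a key file readable only by the app's user, and OpenSSL's pkeyutl as the decryption tool.

```shell
#!/usr/bin/env bash
# secret-wrapper.sh - run in place of "/bin/sh" so that every SECRET_<NAME>
# environment variable is decrypted into <NAME> before the app starts.
# Assumptions (this example's, not the thread's): values are base64 of
# RSA-OAEP ciphertext made with the app's public key, and APP_PRIVATE_KEY
# (hypothetical name) holds the path of a key file readable only by the app
# user. Only the ciphertext ever passes through Marathon and Mesos.
set -u -o pipefail

# Read one base64 ciphertext from stdin and print the plaintext.
decrypt_blob() {
    base64 -d | openssl pkeyutl -decrypt \
        -inkey "${APP_PRIVATE_KEY:?APP_PRIVATE_KEY is not set}" \
        -pkeyopt rsa_padding_mode:oaep
}

# Decrypt every exported SECRET_<NAME> into <NAME> and drop the SECRET_ copy
# so the child process never sees the ciphertext. Returns 1 on any failure
# rather than starting the app with a missing or half-decrypted secret.
decrypt_secret_env() {
    local var name plaintext
    for var in $(compgen -e | grep '^SECRET_' || true); do
        name="${var#SECRET_}"
        [ -n "$name" ] || continue
        # $(...) strips trailing newlines, which is what you want for a password.
        if ! plaintext="$(printf '%s' "${!var}" | decrypt_blob)"; then
            echo "secret-wrapper: cannot decrypt $var" >&2
            return 1
        fi
        export "$name=$plaintext"
        unset "$var"
    done
}

main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 command [args...]" >&2
        return 2
    fi
    decrypt_secret_env || return 1
    # Replace the wrapper with the app so signals and exit codes reach Marathon.
    exec "$@"
}

# Act as a wrapper only when a command is given; sourcing the file just
# defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoked as the task command, e.g. secret-wrapper.sh ./app --port 8080, with SECRET_DB_PASSWORD set in the Marathon app definition, the app sees DB_PASSWORD in plaintext and no SECRET_ variable at all.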

