Hi everyone!
I’ve been doing a lot of research this week into this topic, and I can’t quite find the right solution, so I’m interested in hearing from anyone who has maybe overcome this before.
I would like to use AWS Fargate for running my containers so I don’t have to deal with the overhead of the underlying orchestrator manager (if I deploy EKS, or ECS traditional, I have to feed and water the hosts).
I’ve decided upon Vault for secrets management, and now I’m looking for the most secure way to present secrets into the container.
Requirements:
Changes to secrets presented to the container should be visible immediately after updating them in vault
Secrets should be secure when presented to the container (not visible from docker inspect, or from /proc on the host)
Open to them being presented as a file on disk, or stored as environment variables via references.
Current understanding through research:
In this talk from Liz Rice over at Aqua, she describes the functionality that I’m looking to achieve, except that my target infrastructure is Fargate, and I’m not using Aqua (not opposed to using it, just wondering if there is an open source solution to my problem).
I have come across many mentions of the use of “sidecars” using technologies like Envoy to present secrets to the container, but I can’t find any examples or code around hooking up Vault to Docker/Fargate through Envoy.
I understand that Consul is similar to Envoy insofar as it’s a proxy/service discovery/service mesh tool, but it seems to have its own built-in KV store (also, if using Vault, why use Consul? Doesn’t Consul duplicate what Vault does and more?). However, I can’t see any use cases described for using Consul to supply secrets from Vault to Docker containers (either via agent or via sidecar).
Assumptions:
Vault is accessible to the Docker containers/Fargate, and is authenticated via AWS IAM.
Secrets are stored in vault in a way that they can be referenced and pulled out individually.
I’d love ANY assistance that I can get on this topic so I can try to move my project forward.
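One open-source way to get the sidecar pattern asked about above, without Envoy or Consul, is a Vault Agent container running in the same Fargate task as the app: it logs in with the task's IAM role (the Vault `aws` auth method, `iam` type), keeps the resulting token to itself, and renders the secret to a file on a volume shared by the two containers, so nothing secret appears in the task definition or in `docker inspect`. The configuration below is an added example and not part of the original post or of any HashiCorp documentation; the Vault address, the auth role name `fargate-app`, the KV v2 secret path `secret/data/app/db`, its `username`/`password` keys and the `/secrets` mount point are all assumptions.

```hcl
# Added example: Vault Agent sidecar configuration for a Fargate task.
# Assumptions (not from the original post): Vault is reachable at the address
# below, an AWS auth role "fargate-app" is bound to the task's IAM role, a KV v2
# secret exists at secret/app/db with "username" and "password" keys, and a
# task-scoped volume is mounted at /secrets in both the agent and app containers.

exit_after_auth = false
pid_file        = "/tmp/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # Authenticate with the task's IAM credentials (AWS auth method, iam type).
  # No Vault token or AppRole secret is baked into the image or task definition.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "fargate-app"
    }
  }

  # The agent's own token sink. Keep this on the agent container's private
  # filesystem, NOT on the shared /secrets volume, so the app container only
  # ever sees rendered secret values and never the Vault token itself.
  sink "file" {
    config = {
      path = "/tmp/vault-token"
    }
  }
}

template {
  # KV v2 is read at secret/data/<name>, and the values sit under .Data.data.
  # Rendered as a dotenv-style file the app reads at start-up (and re-reads on
  # change); this is the "file on disk" option from the requirements.
  contents    = "{{ with secret \"secret/data/app/db\" }}DB_USER={{ .Data.data.username }}\nDB_PASSWORD={{ .Data.data.password }}\n{{ end }}"
  destination = "/secrets/app.env"
  perms       = "0400"
}

template_config {
  # KV secrets carry no lease, so the agent cannot be pushed an update: it
  # re-reads static secrets on this interval (default 5m) and rewrites
  # /secrets/app.env only when the rendered content changes.
  static_secret_render_interval = "30s"
}
```

Two caveats against the requirements list. First, "visible immediately" is not quite what you get with KV: the agent polls on `static_secret_render_interval`, and the app still has to notice the file changed (re-read it on a timer, or watch it with inotify), so plan for propagation measured in seconds rather than instant. Second, on the ECS side the shared volume is declared in the task definition as a `volumes` entry with only a `name` (no host path), mounted into both containers with `mountPoints`; a `dependsOn` entry on the app container can make it wait for the agent to start, but the app should still tolerate the file being absent for the first few seconds after launch. Rendered secret values are readable by anyone with a shell in the app container, which is the same trust boundary as an environment variable; the difference is that they never pass through the ECS API, task metadata, or `docker inspect`.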