<aside> 💡 This project was done by 2 fellows collaborating in 2020A, but it could still use a lot more work. Those fellows did a fantastic job on their projects, so you should have a very good starting point for extending this project. The following brief is still applicable, but you will need to schedule a time with Rob to go over the details.

</aside>

Business Case

When building infrastructure, you will always run into the problem of storing the sensitive keys your application needs in order to run. Whether they are user credentials or SSH keys, secrets will be produced that need to be stored in a secure, consolidated location. HashiCorp's Vault is the best tool in use today for secrets management: it secures, stores, and provides access to secrets through an API. Using Vault, we can prevent secrets sprawl and manage all secrets in a centralized location, with audit logs to monitor the use of each secret. We can also use Vault to mint one-time passwords that give temporary access to hosts, without having to hand out keys that never expire.

This project is all about setting up a Vault cluster to manage secrets.

Challenge

There are many ways to set up Vault, depending on the storage backend you use. Most backends only support a single-instance deployment, so we are going to build on top of a Consul backend, which we also use for service discovery for monitoring. Consul is already set up and automated with Terraform, Packer, and Ansible build steps. The Vault deployment will follow the same pattern with a different configuration. Once you deploy Vault, you will need to set up a GPG key and publish the public key on Keybase so that the cluster can be unsealed properly.

Once the cluster is unsealed, you will need to configure it to grant access to IAM, and configure the secrets engine and auth method. If a fellow takes on the SSO project, it would be great if you set up authentication for that as well. Set up a tunnel and get access to the UI. You will then need to configure Vault to support a Terraform workflow in which you can persist and retrieve secrets such as IAM keys and SSH keys to and from Vault. The fellow can then write a simple bash or Python script to persist and retrieve a secret, such as the keystore and password for blockchain wallets. All of this needs to be done immutably, using this Ansible role for deployment. The fellow would be wise to build in tests all along the way.
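Below is an added example of the "persist and retrieve a wallet secret" script described above; it is not part of the original brief or of the fellows' project. It talks to Vault's KV version 2 secrets engine over the HTTP API using only the standard library, so it needs no extra client package. Assumptions not stated in the brief: the KV v2 engine is mounted at `secret/`, `VAULT_ADDR` and `VAULT_TOKEN` are set in the environment, and wallet secrets live under `secret/wallets/<name>`. The transport is injectable so the read/write logic can be exercised offline against the `FakeVault` stand-in, which mimics Vault's response shapes, including the "not found", "permission denied" and check-and-set failure cases a script should handle.

```python
"""Persist and retrieve a blockchain wallet keystore + password in Vault KV v2.
Added example for this brief (not project code). Assumes KV v2 at "secret/" and
VAULT_ADDR / VAULT_TOKEN in the environment when run against a real Vault."""
import json
import os
import urllib.error
import urllib.request

MOUNT = "secret"  # assumed KV v2 mount path


class VaultError(Exception):
    pass


def http_transport(method, url, token, body=None):
    """Real transport: one authenticated request to the Vault HTTP API.
    Returns (http_status, parsed_json_or_None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else None)


class VaultKV:
    """Minimal KV v2 client; `transport` is injectable for offline testing."""

    def __init__(self, addr=None, token=None, transport=http_transport):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token = token or os.environ.get("VAULT_TOKEN", "")
        self.transport = transport

    def _url(self, path):
        # KV v2 data lives under <mount>/data/<path> (KV v1 would be <mount>/<path>)
        return f"{self.addr}/v1/{MOUNT}/data/{path}"

    def put(self, path, data, cas=None):
        body = {"data": data}
        if cas is not None:
            body["options"] = {"cas": cas}  # check-and-set: refuse to clobber an unexpected version
        status, resp = self.transport("POST", self._url(path), self.token, body)
        if status != 200:
            raise VaultError(f"write {path} failed: HTTP {status} {resp}")
        return resp["data"]["version"]

    def get(self, path, version=None):
        url = self._url(path) + (f"?version={version}" if version else "")
        status, resp = self.transport("GET", url, self.token)
        if status == 404:
            raise VaultError(f"secret {path} not found")
        if status == 403:
            raise VaultError(f"token lacks read on {MOUNT}/data/{path}")
        if status != 200:
            raise VaultError(f"read {path} failed: HTTP {status}")
        return resp["data"]["data"], resp["data"]["metadata"]["version"]


def persist_wallet(kv, name, keystore_json, password):
    """Store the encrypted keystore file contents and its password as one secret."""
    return kv.put(f"wallets/{name}", {"keystore": keystore_json, "password": password})


def retrieve_wallet(kv, name, version=None):
    data, ver = kv.get(f"wallets/{name}", version)
    return data["keystore"], data["password"], ver


class FakeVault:
    """In-memory stand-in (constructed for testing) mimicking KV v2 responses."""

    def __init__(self):
        self.store = {}  # url -> list of secret versions

    def __call__(self, method, url, token, body=None):
        base, _, query = url.partition("?")
        if token != "s.fake":
            return 403, {"errors": ["permission denied"]}
        if method == "POST":
            versions = self.store.setdefault(base, [])
            cas = body.get("options", {}).get("cas")
            if cas is not None and cas != len(versions):
                return 400, {"errors": ["check-and-set parameter did not match"]}
            versions.append(body["data"])
            return 200, {"data": {"version": len(versions)}}
        versions = self.store.get(base)
        if not versions:
            return 404, {"errors": []}
        n = int(query.split("=")[1]) if query else len(versions)
        return 200, {"data": {"data": versions[n - 1], "metadata": {"version": n}}}


if __name__ == "__main__":
    kv = VaultKV()  # real Vault via VAULT_ADDR / VAULT_TOKEN
    print("stored version", persist_wallet(kv, "demo", '{"crypto": {}}', "example-password"))
    print("retrieved", retrieve_wallet(kv, "demo"))
```

The same `persist_wallet` / `retrieve_wallet` calls work unchanged against a real cluster once the token's policy grants `create`, `update` and `read` on `secret/data/wallets/*`; passing `cas` on writes is what keeps two automation runs from silently overwriting each other's wallet entry.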

Generally speaking, most of the later steps are well documented, and you should find many guides to help you through them. There are many stretch goals that can come out of this project.

Tools