Hello everyone. Today I'll do another quick SPIKE demo. For a backstory: until this point, SPIKE was using an admin root login key or a root passphrase to initialize itself and also to log into the system and get temporary tokens. But while discussing with the team, we realized that since we are using SPIFFE we don't need passwords. The best part of SPIFFE is its ability to negate the effect of requiring password-based authentication. So in this demo I'm going to show how you can access a secret store, get secrets, set secrets and receive secrets securely without needing an API key or a root token or a root password or anything like that, using SPIKE.

For the ones that are new to SPIKE: the SPIKE website is spike.ist. Let me paste it here. This is the website, and this is the GitHub repo; let me show you in a browser as well. I think spike.ist is the website where we have all of the system design documents and the roadmap. Since everything is really in progress and highly iterating, some of the things might not catch up with what we have in the repository or what we have in the discussions in our Slack workspace. Other than that, there is this green button, which is the GitHub repository. If you go to GitHub, and while you're there, if you give us a star, it'll be highly appreciated, because the more stars we have, the more people will know about this amazing technology, and it will be really useful for the community as well. It's the least someone can give as a gift, I guess. So that's that one: this is SPIKE's repository, github.com/spiffe/spike, and spike.ist is the website.

Let me switch to the demo, and I'll also explain what I am doing. We have a bunch of scripts under the hack folder. I'll first start the SPIRE server, followed by a SPIRE agent, so I'll have these two running, and they will be our identity control plane in a sense. After that I'm going to start two SPIKE components: one of them is SPIKE Nexus and the other is SPIKE Keeper. SPIKE Nexus and SPIKE Keeper communicate with each other using mTLS, which will be provided with the SPIFFE IDs that we have created here. So this communication will be (let me get my text widget here again) mutual TLS. SPIKE Nexus is our secret store; it will keep the secrets, and as a user we'll use the spike binary to reach the store, set secrets, get secrets and things like that. It will be easier when I show things rather than talk about them.

So let's start the SPIRE server first: the spire-server starter script under hack. It will first build the recent SPIKE binaries and then I'll have a SPIRE server up and running. I want to split this terminal into two, and down below I'll also run the spire-agent starter script under hack, which will start a SPIRE agent. So I'll have a SPIRE server and a SPIRE agent; just give me a second. Okay, my SPIRE agent has also started.

Next up I'm going to start the core components of SPIKE: one of them is Nexus and the other is Keeper. I'll start with Keeper and then I'll start Nexus, so let me split this panel into two as well; let's do a split down. Let's start Keeper. The Keeper will start, and if you are curious about what these components are, you can go to the architecture section and read more about the SPIKE system overview: what Nexus does, what Keeper does and what the overall design is. But for the sake of this demo, we need Nexus as the secret store and Keeper as the redundant backup place for the crypto material of SPIKE Nexus. So let me start Nexus as well; Nexus will be our store where we are going to store our secrets. So we have Nexus, we have Keeper, and these two folks will periodically exchange some trust material, again using mTLS, so this interaction will also be secure.

Along with those I have a spike binary, so what I can do is just use spike and maybe get a help document or something like that. If I call spike right now, the connection will wait; it will hang. And if I go to the SPIRE server and SPIRE agent view, we can see that the SPIRE agent is giving warnings saying that it cannot issue any identity. The reason for that is I'm trying to run the binary but there is no SPIFFE ID assigned to this binary; there is no certificate, and that's why I am not able to log into the system.

So what I'll do is cancel this one and list the hack folder again. I have a bunch of helper scripts here that help me get myself authenticated, essentially. One of them is this register-leonardo script. We have a user called Leonardo on this machine, so this shell script creates a SPIFFE ID, or actually a SPIRE server registration entry, for Leonardo. So when Leonardo logs in, that person will have an identity entry and they can use spike. Before running this, I want to log in as Leonardo first. I log in as Leonardo, it will ask for my password, I enter it, and now I'm Leonardo at spike. But as Leonardo I still cannot use the binary, because I still don't have the permission to do it. So as Leonardo's admin I need to assign the identity to Leonardo so that Leonardo can log in and use the binary, and that is this register-leonardo shell script. Let me cat that one first: cat hack register-leonardo.

Let me quickly talk about what's happening. For Leonardo we are creating a SPIFFE identifier, and that will be tied to an X.509 digital certificate, and this way Leonardo can use that certificate to identify themselves. This is a SPIRE server registration entry, and for Leonardo to be able to get this identity, that user needs to have Leonardo's user ID, that user needs to be running the binary that is assigned here, and the binary should have the hash that we have computed. Which means even if Leonardo tries to use a different binary, they cannot, because the hash will not match. So the user cannot use a forged binary; they have to use the actual spike binary to interact with the secret store, and to be able to use the binary they have to be that user. So I have to shell in as Leonardo to be able to use spike; I cannot use spike as the admin user right now. If I do a spike, it will hang. But if I log in as Leonardo (if you remember, last time I wasn't able to use it), now I think I still cannot use it, because I haven't run the script. So let's try it; it won't work. Let me exit, and now I'll register Leonardo. It will create a registration entry for the user, so next time Leonardo logs in to the system, from their terminal, from wherever, it doesn't matter, because this registration entry is on this machine, then they will be able to interact with spike and set secrets, remove secrets and things like that.

Let me try that one. If I run spike now, I can see a help message, which means the connection didn't hang; I was able to get an ID. If I go back to the logs I can now see that (come on) this Leonardo user has been assigned a SPIFFE ID, so things are working really fine in that area, and I can do anything with this store because we have given Leonardo superuser privileges. Later down the line we'll have more fine-grained policies around which person, which principal, can access what kind of secret and how, but for now we can just create secrets. For example, I can do a spike list; it will say there are no secrets. I can do a spike put (I don't know, organization e db) and then user spike, password spike r; and then I can do a spike get orme db and I'll get the secret. So far so good.

But what if I want to temporarily allow Leonardo to use this and then revoke the privileges? ls hack: I have an unregister-leonardo to say bye-bye to Leonardo. So let's do a clear; let's cat that one first: cat hack unregister-leonardo. It does the SPIRE server entry deletion: with spire-server entry delete we remove the registration entry that deems the Leonardo user a super admin from the SPIRE server. So when Leonardo tries next time, my assumption is they won't be able to use spike. Let's run this one: hack unregister-leonardo. But: "not defined SPIFFE ID"? What? Let me... okay, spire-server entry list, entry show. Let's see where Leonardo's entry is: Keeper, Nexus, this is the superuser, this is our Leonardo. Okay, I need to do it by entry ID, or by I don't know, by whatever ID, but at least I have this entry ID. So if I copy this one, clear, and let me update this script. I thought I would be able to do it with the SPIFFE ID, but for whatever reason I have to provide an entry ID. But still, we can query the entry and provide it; that's available to us as the admin user of this SPIRE server as well. So let me quit and then try to unregister Leonardo again: hack unregister-leonardo. And yeah, it deleted the entry.

So if I log in as Leonardo... okay, I'll try to log in as Leonardo again. It will ask for my password; I am in. Clear. Then I'll try to run spike, and now again it's hanging because I don't have any registration entry. When I look at the SPIRE agent logs, I can see that again I am getting errors, because I'm trying to fetch a certificate and the SPIRE agent says "hey, I cannot give you your certificate because I cannot attest you; I don't have any registration entry that is related to you, so I cannot let you use this binary." Which is really good, because in a nutshell it enables us to not use any kind of application-specific secret. We are authenticating the user by the attributes that the user has. In a Linux environment, since I am a Linux user, I already authenticated to the system; I don't have to authenticate myself yet another time to an application, essentially, because my credentials identify me. First of all, we reduced the attack surface of the secret store, because we don't have to deal with keeping usernames and passwords and service tokens and things like that secure. We trust the boundary of the Linux box that we are in. So as long as we are a legitimate user, and as long as an admin has given access to our legitimate user to use the binary, that user will be able to use the binary. And if there is no need to use the binary anymore, then we can revoke the access and the system will be secure, because unless there is a registration entry, nobody will be able to access the secret store, nobody will be able to create secrets or modify secrets or define policies on the secrets.

Overall, that's all there is that I can show you about how you can get and set and read secrets from a secret store, which is SPIKE, without having to use usernames or passwords or secrets or tokens. Hope you liked it. Until the next demo, keep your secrets secret.
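The register/unregister flow the demo walks through, as an added example that is not SPIKE's own hack/ scripts: a registration entry keyed on the user's uid, the spike binary's path and its sha256, and revocation by looking up the entry ID first, because `spire-server entry delete` takes `-entryID` rather than a SPIFFE ID. The trust domain, the agent parent ID, the `spiffe://<td>/user/<name>` naming and the sample `entry show` output are assumptions.

```shell
#!/bin/sh
# Added example, not SPIKE's own hack/ scripts: register a Unix user for the
# spike binary (uid + path + sha256 selectors) and unregister by entry ID.
# Assumed: trust domain, agent parent ID and the spiffe://<td>/user/<name> naming.
set -eu

TRUST_DOMAIN="${TRUST_DOMAIN:-example.org}"
PARENT_ID="${PARENT_ID:-spiffe://$TRUST_DOMAIN/spire/agent/join_token/local}"

# Selectors the agent checks before issuing an SVID: the uid running the
# process, the binary's path and its sha256 (a modified binary fails the hash).
selectors_for() {  # usage: selectors_for <uid> <binary-path> <sha256>
  printf -- '-selector unix:uid:%s -selector unix:path:%s -selector unix:sha256:%s' \
    "$1" "$2" "$3"
}

register_cmd() {  # usage: register_cmd <user> <uid> <binary-path> <sha256>
  printf 'spire-server entry create -spiffeID spiffe://%s/user/%s -parentID %s %s' \
    "$TRUST_DOMAIN" "$1" "$PARENT_ID" "$(selectors_for "$2" "$3" "$4")"
}

register_user() {  # usage: register_user <user> <binary-path>
  uid=$(id -u "$1")
  sha=$(sha256sum "$2" | cut -d' ' -f1)
  eval "$(register_cmd "$1" "$uid" "$2" "$sha")"
}

# Entry ID for a SPIFFE ID, from `spire-server entry show` output on stdin;
# `entry delete` wants -entryID, which is the snag hit in the demo.
entry_id_for() {  # usage: spire-server entry show | entry_id_for <spiffe-id>
  awk -v want="$1" '/^Entry ID/ { id = $NF } /^SPIFFE ID/ && $NF == want { print id; exit }'
}

# Revoke: with the entry gone the agent cannot attest the user and spike hangs.
unregister_user() {  # usage: unregister_user <spiffe-id>
  id=$(spire-server entry show | entry_id_for "$1")
  [ -n "$id" ] || { echo "no registration entry for $1" >&2; return 1; }
  spire-server entry delete -entryID "$id"
}

# Constructed sample of `entry show` output, for exercising entry_id_for offline.
SAMPLE_SHOW='Entry ID         : 11111111-aaaa-4bbb-8ccc-000000000001
SPIFFE ID        : spiffe://example.org/spike/nexus
Selector         : unix:uid:0
Entry ID         : 11111111-aaaa-4bbb-8ccc-000000000002
SPIFFE ID        : spiffe://example.org/user/leonardo
Selector         : unix:uid:1001'
```

Source the file and call `register_user leonardo /path/to/spike` or `unregister_user spiffe://example.org/user/leonardo`; the path and sha256 selectors only work if the agent's unix workload attestor has `discover_workload_path` enabled.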