As demonstrated by Rob Barnes (DevOps Rob) during the Zero Trust RabbitMQ Talk at the RabbitMQ Summit London on 16th September 2022.
This demo, written in Go, uses a Zero Trust security approach to securing application access to RabbitMQ, and also protects the application's data by encrypting it at rest.
The application is made up of two services:
- Message consumer - A listening service that obtains RabbitMQ credentials from Vault with least-privileged access to consume messages from a queue named rabbitmq-summit. The messages were encrypted by Vault's Transit engine, and this service decrypts them using the Transit cryptographic key.
- Message producer - This service obtains RabbitMQ credentials from Vault with least-privileged access to publish messages, encrypted by Vault's Transit engine, to a queue named rabbitmq-summit.
To configure Vault and RabbitMQ, you will need to run this Terraform code, which provisions the following resources:
- RabbitMQ vhost
- RabbitMQ exchange
- Message queue
- RabbitMQ user for Vault to broker identity on behalf of RabbitMQ
- Secret engine in Vault for RabbitMQ
- Vault role for the Message Producer service
- Vault role for the Message Consumer service
- Transit secrets engine
- Transit cryptographic key
- Vault policy for Message Consumer
- Vault policy for Message Producer
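As an added example of what such Terraform code can look like (this is not the demo's own configuration), the block below provisions every resource in the list above using the Terraform Vault and RabbitMQ providers. The Vault address and the queue and policy names come from this README; the vhost, exchange and Transit key names, the RabbitMQ management endpoint, the admin and broker user names and the Vault mount paths are assumptions. The two RabbitMQ roles and the two Vault policies are where least privilege shows up: the producer's dynamic RabbitMQ user can only write to the exchange and its Vault token can only call transit/encrypt, while the consumer's can only read from the queue and call transit/decrypt.

```hcl
# Added example, not the demo's own Terraform. Names marked "assumed" are placeholders.
terraform {
  required_providers {
    vault    = { source = "hashicorp/vault" }
    rabbitmq = { source = "cyrilgdn/rabbitmq" }
  }
}

variable "rabbitmq_admin_password" { type = string, sensitive = true }
variable "vault_broker_password"   { type = string, sensitive = true }

provider "vault" {
  address = "http://vault.container.shipyard.run:8200" # address used in this README
}

provider "rabbitmq" {
  endpoint = "http://rabbitmq.container.shipyard.run:15672" # assumed management endpoint
  username = "admin"                                        # assumed bootstrap admin user
  password = var.rabbitmq_admin_password
}

# --- RabbitMQ topology: vhost, exchange, queue and the binding between them ---
resource "rabbitmq_vhost" "summit" { name = "summit" } # assumed vhost name

resource "rabbitmq_exchange" "summit" {
  name  = "rabbitmq-summit" # assumed exchange name
  vhost = rabbitmq_vhost.summit.name
  settings { type = "direct", durable = true }
}

resource "rabbitmq_queue" "summit" {
  name  = "rabbitmq-summit" # queue name from this README
  vhost = rabbitmq_vhost.summit.name
  settings { durable = true }
}

resource "rabbitmq_binding" "summit" {
  source           = rabbitmq_exchange.summit.name
  vhost            = rabbitmq_vhost.summit.name
  destination      = rabbitmq_queue.summit.name
  destination_type = "queue"
  routing_key      = "rabbitmq-summit"
}

# --- RabbitMQ user that Vault uses to mint short-lived per-service users ---
resource "rabbitmq_user" "vault_broker" {
  name     = "vault-broker" # assumed name
  password = var.vault_broker_password
  tags     = ["administrator"] # must be able to create users and set permissions
}

resource "rabbitmq_permissions" "vault_broker" {
  user  = rabbitmq_user.vault_broker.name
  vhost = rabbitmq_vhost.summit.name
  permissions { configure = ".*", write = ".*", read = ".*" }
}

# --- Vault RabbitMQ secrets engine: dynamic credentials, one role per service ---
resource "vault_rabbitmq_secret_backend" "rabbitmq" {
  path                      = "rabbitmq" # assumed mount path
  connection_uri            = "http://rabbitmq.container.shipyard.run:15672"
  username                  = rabbitmq_user.vault_broker.name
  password                  = var.vault_broker_password
  default_lease_ttl_seconds = 3600  # credentials expire on their own
  max_lease_ttl_seconds     = 86400
}

resource "vault_rabbitmq_secret_backend_role" "producer" {
  backend = vault_rabbitmq_secret_backend.rabbitmq.path
  name    = "rabbitmq-producer"
  # "" matches nothing; the producer may only publish to the exchange
  vhost { host = rabbitmq_vhost.summit.name, configure = "", write = "^rabbitmq-summit$", read = "" }
}

resource "vault_rabbitmq_secret_backend_role" "consumer" {
  backend = vault_rabbitmq_secret_backend.rabbitmq.path
  name    = "rabbitmq-consumer"
  # the consumer may only read from the queue
  vhost { host = rabbitmq_vhost.summit.name, configure = "", write = "", read = "^rabbitmq-summit$" }
}

# --- Transit engine and the key that encrypts message payloads ---
resource "vault_mount" "transit" { path = "transit", type = "transit" }

resource "vault_transit_secret_backend_key" "summit" {
  backend          = vault_mount.transit.path
  name             = "rabbitmq-summit" # assumed key name
  type             = "aes256-gcm96"
  deletion_allowed = false
}

# --- Per-service Vault policies: creds for its own role plus one Transit operation ---
resource "vault_policy" "consumer" {
  name   = "rabbitmq-consumer"
  policy = <<-EOT
    path "rabbitmq/creds/rabbitmq-consumer" { capabilities = ["read"] }
    path "transit/decrypt/rabbitmq-summit"  { capabilities = ["update"] }
  EOT
}

resource "vault_policy" "producer" {
  name   = "rabbitmq-producer"
  policy = <<-EOT
    path "rabbitmq/creds/rabbitmq-producer" { capabilities = ["read"] }
    path "transit/encrypt/rabbitmq-summit"  { capabilities = ["update"] }
  EOT
}
```

Transit encrypt and decrypt endpoints require the update capability, not read, which is why the policies grant update on the Transit paths. Because neither policy grants access to transit/keys, neither service can export or rotate the key it uses, and the dynamic RabbitMQ users expire with their Vault lease.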
Each service requires a Vault token bound to its respective Vault policy.

The following command will generate a token for the Message Consumer service:

```shell
vault token create -policy=rabbitmq-consumer
```

Copy the token from the command output and run the following commands to set the environment variables in the terminal session that will run the Message Consumer service:

```shell
export VAULT_ADDR="http://vault.container.shipyard.run:8200"
export VAULT_TOKEN="<insert copied token here>"
```

The same needs to be done for the Message Producer service:

```shell
vault token create -policy=rabbitmq-producer
```

Copy the token from the command output and run the following commands to set the environment variables in the terminal session that will run the Message Producer service:

```shell
export VAULT_ADDR="http://vault.container.shipyard.run:8200"
export VAULT_TOKEN="<insert copied token here>"
```

Change directory in each of the terminals to the respective service and run them.

For the Message Consumer service:

```shell
cd consumer
go run .
```

For the Message Producer service:

```shell
cd consumer
go run . <insert message here>
```

When you run the Producer service, the message you entered will be displayed in the Consumer service terminal.