As demonstrated by Rob Barnes (DevOps Rob) during the Zero Trust RabbitMQ Talk at the RabbitMQ Summit London on 16th September 2022.
This demo, written in Go, uses a Zero Trust approach to secure application access to RabbitMQ and protects the application's data by encrypting it at rest.
The application is made of two services:
- Message consumer - This is a listening service which obtains RabbitMQ credentials from Vault, scoped by a least-privilege policy to consuming from a queue named `rabbitmq-summit`. The messages on that queue are encrypted with Vault's Transit engine, so the service decrypts each one by calling Transit with the cryptographic key; the key itself never leaves Vault.
- Message producer - This service obtains RabbitMQ credentials from Vault, scoped by a least-privilege policy to publishing to the `rabbitmq-summit` queue. It encrypts each message with Vault's Transit engine and publishes only the ciphertext.
To configure Vault and RabbitMQ, run the Terraform code in this repository, which provisions the following resources:
- RabbitMQ vhost
- RabbitMQ exchange
- Message queue
- RabbitMQ user that Vault connects as (through the management API) to create and delete the short-lived users it hands out to the services
- Secret engine in Vault for RabbitMQ
- Vault role for the Message Producer service
- Vault role for the Message Consumer service
- Transit secrets engine
- Transit cryptographic key
- Vault policy for Message Consumer
- Vault policy for Message Producer
Each service requires a Vault token carrying its respective Vault policy. The hand-copied tokens below are fine for a demo; in a real deployment each service would authenticate to Vault with an auth method (AppRole, Kubernetes, and so on) and receive a short-lived token of its own.
The following command will generate a token for the Message Consumer service:
vault token create -policy=rabbitmq-consumer
Copy the token from this command output and run the following commands to set the environment variables in the terminal session that will run the Message Consumer service:
export VAULT_ADDR="http://vault.container.shipyard.run:8200"
export VAULT_TOKEN="<insert copied token here>"
The same will need to be done for the Message Producer service:
vault token create -policy=rabbitmq-producer
Copy the token from this command output and run the following commands to set the environment variables in the terminal session that will run the Message Producer service:
export VAULT_ADDR="http://vault.container.shipyard.run:8200"
export VAULT_TOKEN="<insert copied token here>"
Change directory in each of the terminals to the respective service and run them.
For the Message Consumer service:
cd consumer
go run .
For the Message Producer service:
cd producer
go run . <insert message here>
When you run the Producer service, the message you entered is encrypted, published to the queue, and then displayed (decrypted) in the Consumer service terminal.
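As an added example (not code from the demo or the talk), the following Go program shows, with only the standard library, what each service does against Vault's HTTP API under its own token: read its RabbitMQ credentials from the secrets engine, then encrypt (producer) or decrypt (consumer) through Transit. An in-process stand-in for Vault enforces the two least-privilege policies so the program runs offline and you can see the 403 a token gets for a path outside its policy. The mount paths `rabbitmq/` and `transit/`, the role names `producer` and `consumer`, the Transit key name `rabbitmq-summit` and the two token strings are assumptions, and the stand-in's "cipher" is not encryption.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed, not from the demo: engines at "rabbitmq/" and "transit/", roles "producer"/"consumer".
const transitKey = "rabbitmq-summit" // assumed Transit key name
type VaultClient struct{ Addr, Token string } // the VAULT_ADDR/VAULT_TOKEN pair from a service's terminal

// call sends one authenticated request and returns the "data" object of Vault's JSON reply.
// Anything the token's policy does not permit comes back as HTTP 403, surfaced as an error.
func (c VaultClient) call(method, path string, body map[string]string) (map[string]string, error) {
	var buf bytes.Buffer
	if body != nil {
		json.NewEncoder(&buf).Encode(body) // a map[string]string always encodes
	}
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, &buf)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault %s %s: HTTP %d", method, path, resp.StatusCode)
	}
	var out struct{ Data map[string]string `json:"data"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data, err
}

// RabbitMQCreds reads a short-lived broker user for the role; Vault deletes it when the lease ends.
func (c VaultClient) RabbitMQCreds(role string) (user, pass string, err error) {
	d, err := c.call("GET", "rabbitmq/creds/"+role, nil)
	return d["username"], d["password"], err
}

// Encrypt hands Transit base64 plaintext and gets "vault:vN:..." back; the key never leaves Vault.
func (c VaultClient) Encrypt(plaintext []byte) (string, error) {
	d, err := c.call("POST", "transit/encrypt/"+transitKey, map[string]string{"plaintext": base64.StdEncoding.EncodeToString(plaintext)})
	return d["ciphertext"], err
}

// Decrypt is the consumer-side call; Transit returns the plaintext base64-encoded.
func (c VaultClient) Decrypt(ciphertext string) ([]byte, error) {
	d, err := c.call("POST", "transit/decrypt/"+transitKey, map[string]string{"ciphertext": ciphertext})
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(d["plaintext"])
}

// fakeVault stands in for Vault so this runs offline. It enforces the two least-privilege policies
// (producer: its creds + encrypt; consumer: its creds + decrypt), answering 403 for anything else.
// Its "cipher" only prepends the Transit prefix to the base64 input: that is NOT encryption.
func fakeVault() *httptest.Server {
	allow := map[string]bool{
		"producer-token rabbitmq/creds/producer": true, "producer-token transit/encrypt/" + transitKey: true,
		"consumer-token rabbitmq/creds/consumer": true, "consumer-token transit/decrypt/" + transitKey: true,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := strings.TrimPrefix(r.URL.Path, "/v1/")
		if !allow[r.Header.Get("X-Vault-Token")+" "+path] {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in) // GET carries no body, so that decode error is expected
		data := map[string]string{}
		switch {
		case strings.HasPrefix(path, "rabbitmq/creds/"):
			data["username"], data["password"] = "token-"+strings.TrimPrefix(path, "rabbitmq/creds/"), "generated"
		case strings.HasPrefix(path, "transit/encrypt/"):
			data["ciphertext"] = "vault:v1:" + in["plaintext"]
		default: // transit/decrypt/
			data["plaintext"] = strings.TrimPrefix(in["ciphertext"], "vault:v1:")
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"data": data})
	}))
}

func main() {
	vault := fakeVault().URL // the real services point VAULT_ADDR at Vault instead
	producer, consumer := VaultClient{vault, "producer-token"}, VaultClient{vault, "consumer-token"}
	ciphertext, err := producer.Encrypt([]byte("hello from the producer"))
	fmt.Println(ciphertext, err) // what the producer publishes to rabbitmq-summit
	plaintext, err := consumer.Decrypt(ciphertext)
	fmt.Println(string(plaintext), err)
	_, err = consumer.Encrypt([]byte("x"))
	fmt.Println("consumer token trying to encrypt:", err) // denied by policy: HTTP 403
}
```

In the real services the `VaultClient` fields come from `VAULT_ADDR` and `VAULT_TOKEN`, the credentials returned by `RabbitMQCreds` are used to open the AMQP connection, and the string returned by `Encrypt` is the message body that goes onto the queue, so the broker never holds plaintext. The last two lines of `main` are the least-privilege check: the consumer's token can read its own credentials and decrypt, but a call to the encrypt path is refused, exactly as Vault refuses any path outside a token's policies.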