Vault - vghn/docs GitHub Wiki

Vault

Docker

docker run --rm -it --cap-add IPC_LOCK -e VAULT_ADDR='https://vault.ghn.me' vault sh

Windows

# Add environment variable to PowerShell session
Add-Content -Path $Profile.CurrentUserAllHosts -Value '$env:VAULT_ADDR="https://vault.ghn.me:8200"'

Github authentication

# Enable the GitHub auth method:
vault auth enable github

# Set the organization, then map a specific user via the map/users/<user> endpoint:
vault write auth/github/config organization=vghn
vault write auth/github/map/users/vladgh value=admin

# Or teams
vault write auth/github/map/teams/core value=admin

# Login
vault login -method=github token="MY_TOKEN"

Token with attached policy

vault policy write snapshot - <<EOF
path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}
EOF

vault token create -policy=snapshot

AppRole (TLDR)

# USAGE:
# vault read auth/approle/role/my-role/role-id
# vault write -f auth/approle/role/my-role/secret-id
# vault write auth/approle/login role_id=  secret_id=
vault auth enable approle
vault write auth/approle/role/my-role \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    policies=vault-admin \
    secret_id_num_uses=40

Approle (case 1)

Enable the AppRole auth method

vault auth enable approle

Create a role and attach a policy that has access to secrets

vault policy write ci_amis - <<EOF
path "ci/data/amis" {
  capabilities = ["read", "list"]
}
EOF

vault write auth/approle/role/ci_amis token_ttl=1h token_max_ttl=24h policies=ci_amis

Give the role_id and secret_id to the client

vault read auth/approle/role/ci_amis/role-id
vault write --force auth/approle/role/ci_amis/secret-id

With the role_id and secret_id the app can generate a short-lived login token that has access to the secrets allowed by the policy.

export VAULT_TOKEN="$(vault write -field=token auth/approle/login role_id=${VAULT_ROLE_ID} secret_id=${VAULT_SECRET_ID})"
vault kv get -field=aws_credentials ci/amis

Approle (case 2)

Another use case is for the client to use a temporary token that can only obtain the role_id and secret_id. With those a final login token can be generated.

Create a role and attach a policy that has access to secrets

vault policy write ci_amis - <<EOF
path "ci/data/amis" {
  capabilities = ["read", "list"]
}
EOF

vault write auth/approle/role/ci_amis secret_id_ttl=10m token_ttl=1h token_max_ttl=24h policies=ci_amis

Create a token with a policy that can only generate the role_id and secret_id

vault policy write ci_amis_role - <<EOF
path "auth/approle/role/ci_amis/role-id" {
  capabilities = ["read"]
}
path "auth/approle/role/ci_amis/secret-id" {
  capabilities = ["update"]
}
EOF

vault token create -policy=ci_amis_role

The client should only have the role name and the token. The token can only read the role_id and generate a secret_id. With these the app can generate a login token that has access to the secrets.

export VAULT_ROLE_ID="$(vault read -field=role_id auth/approle/role/ci_amis/role-id)"
export VAULT_SECRET_ID="$(vault write -field=secret_id --force auth/approle/role/ci_amis/secret-id)"
export VAULT_TOKEN="$(vault write -field=token auth/approle/login role_id=${VAULT_ROLE_ID} secret_id=${VAULT_SECRET_ID})"

vault kv get -field=aws_credentials ci/amis

Travis jobs example

jobs:
  include:
    - stage: Vault
      env:
        VAULT_ADDR: 'https://vault.ghn.me:8200'
        VAULT_VERSION: '1.1.2'
        VAULT_ROLE: ci_amis
        VAULT_TOKEN: AS A SECRET ENVIRONMENT VARIABLE
      install:
        - |
          wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
          wget -qO - https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
          unzip vault_${VAULT_VERSION}_linux_amd64.zip; mv vault ~/bin/
      script:
        - echo 'Using VAULT'
        - export VAULT_ROLE_ID="$(vault read -field=role_id auth/approle/role/${VAULT_ROLE}/role-id)"
        - export VAULT_SECRET_ID="$(vault write -field=secret_id -f auth/approle/role/${VAULT_ROLE}/secret-id)"
        - export VAULT_TOKEN="$(vault write -field=token auth/approle/login role_id=${VAULT_ROLE_ID} secret_id=${VAULT_SECRET_ID})"
        - echo "Testing is $(vault kv get -field=aws_credentials ci/amis)"
    - stage: Curl
      env:
        VAULT_ADDR: 'https://vault.ghn.me:8200'
        VAULT_ROLE: ci_amis
        VAULT_TOKEN: AS A SECRET ENVIRONMENT VARIABLE
      script:
        - echo 'Using CURL'
        - export VAULT_ROLE_ID=$(curl --header "X-Vault-Token:${VAULT_TOKEN}" "${VAULT_ADDR}/v1/auth/approle/role/${VAULT_ROLE}/role-id" | jq -r .data.role_id)
        - export VAULT_SECRET_ID=$(curl --header "X-Vault-Token:${VAULT_TOKEN}" --request POST "${VAULT_ADDR}/v1/auth/approle/role/${VAULT_ROLE}/secret-id" | jq -r .data.secret_id)
        - export VAULT_TOKEN=$(curl --request POST --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" "${VAULT_ADDR}/v1/auth/approle/login" | jq -r .auth.client_token)
        - echo "Testing is $(curl --header "X-Vault-Token:${VAULT_TOKEN}" "${VAULT_ADDR}/v1/ci/data/amis" | jq -r .data.data.aws_credentials)"
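The Curl stage above, and the case 2 flow it scripts, as a small Python client against Vault's HTTP API (an added example, not code from the vghn/docs wiki or from Vault). It keeps the page's role name ci_amis and header/endpoint layout; the address, the fake_vault transport and every token and id value inside it are constructed so the exchange can run offline.

```python
import json, urllib.error, urllib.request

class VaultError(RuntimeError):
    """Vault answered with a non-2xx status (its JSON body carries an 'errors' list)."""

def http_json(method, url, headers, body=None):
    """Real transport: one JSON request to Vault; HTTP errors become VaultError."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={**headers, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        raise VaultError(f"{method} {url}: HTTP {e.code} {e.read().decode(errors='replace')}") from e

class AppRoleClient:
    """Case-2 flow: a bootstrap token may only mint role_id/secret_id; the login itself sends no token."""

    def __init__(self, addr, role, transport=http_json):
        self.base, self.role, self.send = f"{addr.rstrip('/')}/v1/auth/approle", role, transport

    def fetch_credentials(self, bootstrap_token):
        hdr = {"X-Vault-Token": bootstrap_token}
        # read role_id (policy capability "read" on .../role-id); take the field, not the whole CLI table
        role_id = self.send("GET", f"{self.base}/role/{self.role}/role-id", hdr)["data"]["role_id"]
        # mint a fresh secret_id (capability "update"); bounded by the role's secret_id_ttl / secret_id_num_uses
        secret_id = self.send("POST", f"{self.base}/role/{self.role}/secret-id", hdr)["data"]["secret_id"]
        return role_id, secret_id

    def login(self, role_id, secret_id):
        # unauthenticated call; the returned client_token carries the role's policies (here ci_amis)
        auth = self.send("POST", f"{self.base}/login", {}, {"role_id": role_id, "secret_id": secret_id})["auth"]
        return auth["client_token"], auth.get("policies", [])

def fake_vault(method, url, headers, body=None):
    """Constructed stand-in for Vault so the exchange runs offline; every value here is made up."""
    if url.endswith("/login"):
        if (method, body) != ("POST", {"role_id": "rid-1234", "secret_id": "sid-5678"}):
            raise VaultError("POST /login: HTTP 400 invalid role or secret ID")
        return {"auth": {"client_token": "s.ci-token", "policies": ["ci_amis", "default"]}}
    if headers.get("X-Vault-Token") != "s.bootstrap":  # only the bootstrap token may touch the role endpoints
        raise VaultError(f"{method} {url}: HTTP 403 permission denied")
    if url.endswith("/role-id") and method == "GET":
        return {"data": {"role_id": "rid-1234"}}
    return {"data": {"secret_id": "sid-5678"}}  # POST .../secret-id

def demo(bootstrap_token="s.bootstrap"):
    client = AppRoleClient("https://vault.example.invalid:8200", "ci_amis", transport=fake_vault)
    return client.login(*client.fetch_credentials(bootstrap_token))  # -> (client_token, policies)
```

Swap `transport=http_json` (the default) for `fake_vault` and set `VAULT_ADDR`, `VAULT_TOKEN` and `VAULT_ROLE` as in the Travis job to run the same three calls against a real server.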

Recommended Patterns

In practice, operators should not use the token create command to generate Vault tokens for users or machines. Instead, those users or machines should authenticate to Vault using any of Vault's configured auth methods such as GitHub, LDAP, AppRole, etc. For legacy applications which cannot generate their own token, operators may need to create a token in advance. The GitHub and AppRole sections above show how these auth methods are set up.

Misc

# List all accessors
vault list auth/token/accessors
# Lookup all active tokens
for accessor in $(vault list auth/token/accessors); do vault token lookup -accessor "$accessor"; done
# Help for paths
vault path-help auth/token
# Renew self token
curl --silent --request POST --header "X-Vault-Token:${VAULT_TOKEN}" "${VAULT_ADDR}/v1/auth/token/renew-self" # >/dev/null 2>&1
# List roles
vault list auth/approle/role
# Role info
vault read auth/approle/role/ci_ansible
# Add/Update role policies
vault write auth/approle/role/ci_terraform token_ttl=1h token_max_ttl=24h policies=aws,terraform
# Get Role ID
vault read auth/approle/role/amis/role-id
# Get Secret ID
vault write --force auth/approle/role/amis/secret-id
# Delete roles
vault delete auth/approle/role/ansible

From: https://blog.alanthatcher.io/vault-approle-authentication/
