Using a "pipeline" entity to create all tokens for pipelines
# Transcript, not a runnable script: lines starting with "$" are the commands
# that were typed, everything else is the Vault CLI output captured at the time
# (the trailing "| |" on each line is paste residue from the gist rendering).
# It shows that minting pipeline tokens through a token role with a fixed
# entity alias ("pipeline") makes the prod and dev tokens count as ONE entity in
# the client counts that vault-auditor derives from the file audit device.
# Reviewer remarks are marked "NOTE(review)".
# Enable audit log | |
# NOTE(review): /tmp is normally world-writable and not durable across reboots;
# fine for this demo, but a real audit device belongs on a dedicated, root-owned
# path with restrictive permissions.
$ vault audit enable file file_path=/tmp/audit/vault_audit.log | |
Success! Enabled the file audit device at: file/ | |
# Add some example secrets for prod and dev | |
# (the "Success!" line and the two Key/Value blocks below are the outputs of
# these three commands, shown together in the captured session)
$ vault secrets enable -version=2 kv | |
$ vault kv put kv/production/stuff foo=bar | |
$ vault kv put kv/development/stuff devfoo=devbar | |
Success! Enabled the kv secrets engine at: kv/ | |
Key Value | |
--- ----- | |
created_time 2021-01-16T03:03:51.853075Z | |
deletion_time n/a | |
destroyed false | |
version 1 | |
Key Value | |
--- ----- | |
created_time 2021-01-16T03:03:51.908423Z | |
deletion_time n/a | |
destroyed false | |
version 1 | |
# Create prod/dev access policies | |
# NOTE(review): the policies only grant kv/data/<tier>/*. For KV v2 the list
# operation is served from kv/metadata/<tier>/*, so the "list" capability here
# is not expected to be exercised by `vault kv list` — confirm, and add a
# kv/metadata path if listing is actually required. Only read/update on the
# data path is demonstrated below.
$ vault policy write production - << EOF | |
path "kv/data/production/*" { | |
capabilities = ["read", "update", "list"] | |
} | |
EOF | |
Success! Uploaded policy: production | |
$ vault policy write development - << EOF | |
path "kv/data/development/*" { | |
capabilities = ["read", "update", "list"] | |
} | |
EOF | |
Success! Uploaded policy: development | |
# Base count | |
# So far every request was made with the token in VAULT_TOKEN (presumably the
# root token, per the summary at the end), hence one non-entity token and no
# entities.
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 0 | |
Non-Entity Tokens: 1 | |
Total Clients: 1 | |
Total files processed: 1 | |
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:06:19Z | |
# Create the "pipeline" token role: callers may mint tokens carrying the prod
# and/or dev policies, always under the fixed entity alias "pipeline" | |
# NOTE(review): anyone holding a token allowed to create on this role can mint
# either a prod or a dev token; the tier is chosen only by the -policy flag at
# create time, and both tiers share one entity by design, so entity-based
# attribution (and any identity policies/MFA bound to that entity) cannot tell
# prod from dev. period="5m" makes the minted tokens periodic; periodic tokens
# are renewable without a max TTL (confirm), so a leaked token that keeps being
# renewed only dies when revoked — consider an explicit max TTL or a separate
# role per tier if that matters.
$ vault write auth/token/roles/pipeline allowed_policies="production,development" period="5m" allowed_entity_aliases="pipeline" | |
Success! Data written to: auth/token/roles/pipeline | |
# Count has not changed yet | |
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 0 | |
Non-Entity Tokens: 1 | |
Total Clients: 1 | |
Total files processed: 1 | |
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:07:34Z | |
# Create pipeline token issuer's policy | |
# The issuer is granted only create/update on this one role path; it never
# holds the production or development policies itself.
$ vault policy write pipeline - << EOF | |
path "auth/token/create/pipeline" { | |
capabilities = ["create", "update"] | |
} | |
EOF | |
Success! Uploaded policy: pipeline | |
# Login as pipeline token issuer | |
# NOTE(review): passing password=... on the command line leaves the secret in
# shell history and exposes it to other users via the process list while the
# command runs. Prefer `password=-` to read it from stdin on the write, and
# omit password= on `vault login` so the CLI prompts for it. "Password1!" is a
# demo value; use a generated one outside a demo.
$ vault auth enable userpass | |
Success! Enabled userpass auth method at: userpass/ | |
$ vault write auth/userpass/users/pipeline \ | |
policies=pipeline \ | |
password=Password1! | |
Success! Data written to: auth/userpass/users/pipeline | |
$ vault login -method=userpass username=pipeline password=Password1! | |
# The warning below matters for the rest of the session: VAULT_TOKEN (the token
# used for setup) keeps taking precedence over the token helper, which is why
# the issuer token is passed explicitly as VAULT_TOKEN=$PIPELINE_TOKEN later.
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence | |
over the value set by this command. To use the value set by this command, | |
unset the VAULT_TOKEN environment variable or set it to the token displayed | |
below. | |
Success! You are now authenticated. The token information displayed below | |
is already stored in the token helper. You do NOT need to run "vault login" | |
again. Future Vault requests will automatically use this token. | |
Key Value | |
--- ----- | |
token s.qOdqzYZXUiKm7ZSb5eGQP2YC | |
token_accessor sQMCDCJATlbZkABKwidR8dR9 | |
# NOTE(review): the issuer token lives 768h (32 days) and is renewable; it is
# the credential that mints prod tokens, so it deserves a much shorter TTL
# (e.g. token_ttl on the userpass user) and tight handling.
token_duration 768h | |
token_renewable true | |
token_policies ["default" "pipeline"] | |
identity_policies [] | |
policies ["default" "pipeline"] | |
token_meta_username pipeline | |
# Check count | |
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 1 | |
Non-Entity Tokens: 1 | |
Total Clients: 2 | |
Total files processed: 1 | |
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:10:16Z | |
## Pipeline token issuer has a new distinct entity | |
# Work as pipeline token issuer | |
# NOTE(review): the token is pasted in clear text here and exported into the
# shell environment, so it also lands in shell history; in a real pipeline
# hand it over via the token helper or a file with restricted permissions.
$ export PIPELINE_TOKEN=s.qOdqzYZXUiKm7ZSb5eGQP2YC | |
# Create token for prod pipeline user | |
# -policy=production narrows the new token to a subset of the role's
# allowed_policies; -entity-alias=pipeline selects the alias the role permits.
$ VAULT_TOKEN=$PIPELINE_TOKEN \ | |
vault token create \ | |
-role=pipeline \ | |
-entity-alias=pipeline \ | |
-policy=production | |
Key Value | |
--- ----- | |
token s.lbarA0aEg2Z8yIH9jm3uXdnD | |
# Keep the accessor: it is what you revoke by when the token itself is not at hand.
token_accessor gqjKN7Getv8TsSCF3otgXw1S | |
# 5m duration with renewable=true: the periodic token produced by period="5m"
# on the role (see the NOTE(review) on the role above).
token_duration 5m | |
token_renewable true | |
token_policies ["default" "production"] | |
identity_policies [] | |
policies ["default" "production"] | |
# Use prod token | |
$ VAULT_TOKEN=s.lbarA0aEg2Z8yIH9jm3uXdnD \ | |
vault kv get kv/production/stuff | |
====== Metadata ====== | |
Key Value | |
--- ----- | |
created_time 2021-01-16T03:03:51.853075Z | |
deletion_time n/a | |
destroyed false | |
version 1 | |
=== Data === | |
Key Value | |
--- ----- | |
foo bar | |
# Recount | |
# The second entity is the one the "pipeline" entity alias resolved to; the
# issuer's own entity was already counted above.
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 2 | |
Non-Entity Tokens: 1 | |
Total Clients: 3 | |
Total files processed: 1 | |
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:12:25Z | |
## One new entity --> 'pipeline' | |
# Create token for dev pipeline user using same entity | |
# Same role and same alias as the prod token; only -policy differs.
$ VAULT_TOKEN=$PIPELINE_TOKEN \ | |
vault token create \ | |
-role=pipeline \ | |
-entity-alias=pipeline \ | |
-policy=development | |
Key Value | |
--- ----- | |
token s.bpwDjjSSg2UvhvPLgT0TXb2M | |
token_accessor bA90diWoqIH7tKhzjFr36n2x | |
token_duration 5m | |
token_renewable true | |
token_policies ["default" "development"] | |
identity_policies [] | |
policies ["default" "development"] | |
# Use dev token | |
$ VAULT_TOKEN=s.bpwDjjSSg2UvhvPLgT0TXb2M \ | |
vault kv get kv/development/stuff | |
====== Metadata ====== | |
Key Value | |
--- ----- | |
created_time 2021-01-16T03:03:51.908423Z | |
deletion_time n/a | |
destroyed false | |
version 1 | |
===== Data ===== | |
Key Value | |
--- ----- | |
devfoo devbar | |
# Recount | |
# The dev token reused the "pipeline" alias, so it maps onto the existing
# entity and the counts stay at 2 entities / 1 non-entity token.
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 2 | |
Non-Entity Tokens: 1 | |
Total Clients: 3 | |
Total files processed: 1 | |
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:14:21Z | |
## No new entity or non-entity values | |
#-------------------------------------------------------------------------------- | |
# Summary of resulting numbers | |
# Distinct Entities: 2 | |
## 1) "Pipeline Token Issuer": creates tokens for the various pipeline tiers | |
## 2) "Pipeline Token User": uses prod/dev tokens under 1 Vault entity | |
# Non-Entity Tokens: 1 | |
## Root token |
# NOTE(review): the root token did all of the setup above and is still in
# VAULT_TOKEN. Once the issuer user and policies exist, revoke it (`vault token
# revoke` on that token) instead of leaving it in the environment; a persistent
# root token is also what keeps the non-entity count above zero here.