@gangsta
Last active February 15, 2023 21:19
Get Started with HashiCorp Vault Presentation Demo Document

Setup

# Install
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update -y
sudo apt-get install vault -y

# Start
vault server -dev &
export VAULT_ADDR='http://127.0.0.1:8200'

Policies

path "secret/foo" {
  capabilities = ["read"]
}

Access to "secret/foo" or "secret/foo/bar"

  • *
path "secret/cafe/*" {
  capabilities = ["read"]
}

Access to "secret/cafe" or "secret/cafe/zip", "secret/cafe/zip/zap" but not "secret/cafes/zip"

  • -*
path "secret/tar-*" {
  capabilities = ["read"]
}

Access to "secret/tar-jar" or "secret/tar-jar/bar", "secret/tar-bar/jar" but not "secret/tar/jar"

  • +
path "secret/+/teamb" {
  capabilities = ["read"]
}

Access to "secret/tar-jar/teamb" or "secret/tar/teamb", "secret/teamb/teamb" but not "secret/tar/jar/teamb"

  • +/+
path "secret/+/+/teamb" {
  capabilities = ["read"]
}

Access to "secret/tar/jar/teamb" or "secret/jar/tar/teamb"

  • {{identity.entity.id}}
path "secret/data/{{identity.entity.id}}/*" {
  capabilities = ["create", "update", "read", "delete"]
}
path "secret/metadata/{{identity.entity.id}}/*" {
  capabilities = ["list"]
}

For more options, check out the HashiCorp Templated Policies documentation.
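As an added example (not part of this gist and not Vault's own code), the matching rules above, exact path, trailing `*` glob, `+` segment wildcard and the `{{identity.entity.id}}` template, reimplemented in Python so you can check which request paths a stanza covers before deploying it. It follows HashiCorp's policy documentation, under which an exact path matches only itself; the entity id is a constructed placeholder.

```python
import re


def policy_path_regex(policy_path: str) -> re.Pattern:
    """Translate one Vault policy path into an anchored regular expression.

    Rules per HashiCorp's policy docs: a trailing '*' is a prefix glob, a path
    segment that is exactly '+' matches any single non-empty segment, and
    everything else (including a '*' that is not last) is matched literally.
    """
    glob = policy_path.endswith("*")
    body = policy_path[:-1] if glob else policy_path
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def policy_path_matches(policy_path: str, request_path: str) -> bool:
    """True if a request on request_path is covered by the stanza policy_path.

    An exact path such as "secret/foo" covers only itself, not "secret/foo/bar".
    """
    return policy_path_regex(policy_path).match(request_path) is not None


def render_entity_template(policy_path: str, entity_id: str) -> str:
    """Substitute the {{identity.entity.id}} templated-policy parameter.
    Only this one parameter is handled here; Vault supports many more."""
    return policy_path.replace("{{identity.entity.id}}", entity_id)


def covering_stanzas(policy: dict, request_path: str) -> dict:
    """Return {policy_path: capabilities} for every stanza matching request_path."""
    return {p: caps for p, caps in policy.items() if policy_path_matches(p, request_path)}


if __name__ == "__main__":
    # Constructed policy reusing the paths from the document above;
    # "ENTITY-ID-PLACEHOLDER" stands in for a real entity id.
    entity_id = "ENTITY-ID-PLACEHOLDER"
    demo_policy = {
        "secret/foo": ["read"],
        "secret/cafe/*": ["read"],
        "secret/tar-*": ["read"],
        "secret/+/teamb": ["read"],
        render_entity_template("secret/data/{{identity.entity.id}}/*", entity_id): ["read"],
    }
    for req in ("secret/foo", "secret/foo/bar", "secret/cafe/zip/zap", "secret/tar/jar",
                "secret/teamb/teamb", f"secret/data/{entity_id}/db", "secret/data/other/db"):
        print(f"{req:40s} -> {covering_stanzas(demo_policy, req)}")
```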

Example

tee example-policy.hcl <<EOF
# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}
# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}
EOF

vault write sys/policy/example-policy policy=@example-policy.hcl

vault policy list

vault write auth/userpass/users/gangsta \
    password="gangsta" \
    policies="default, example-policy"

# If you get an error, run: vault auth enable userpass
# or enable it via the UI.

vault token create -policy=example-policy -policy=extra

vault delete sys/policy/example-policy

Tokens

Token types

There are two types of Vault tokens: service tokens and batch tokens. Token IDs carry a type prefix that changed in Vault 1.10:

| Token Type      | Vault 1.9.x or earlier | Vault 1.10 and later |
|-----------------|------------------------|----------------------|
| Service tokens  | s.                     | hvs.                 |
| Batch tokens    | b.                     | hvb.                 |
| Recovery tokens | r.                     | hvr.                 |

Service Tokens

Check out Service Token Documentation

  • Use-limited tokens - Set a limit on how many times the token can be used.
vault token create -ttl=1h -use-limit=2 -policy=default
VAULT_TOKEN=<YOUR_TOKEN_HERE> vault token lookup

# or

vault token create -ttl=1h -use-limit=2 -policy=default -format=json \
   | jq -r ".auth.client_token" > limit_token.txt
vault token lookup $(cat limit_token.txt)

VAULT_TOKEN=$(cat limit_token.txt) vault write cubbyhole/token value=1234567890
VAULT_TOKEN=$(cat limit_token.txt) vault read cubbyhole/token
  • Periodic tokens - Tokens that may live for an unlimited duration as long as they are renewed within their TTL.
vault token create -policy="default" -period=6h
VAULT_TOKEN=<YOUR_TOKEN_HERE> vault token lookup

# or

vault token create -policy="default" -period=24h -format=json \
   | jq -r ".auth.client_token" > periodic_token.txt
vault token lookup $(cat periodic_token.txt)
  • Short-lived tokens - Tokens that are valid only for a short time, to avoid leaving unused tokens around.
vault token create -ttl=5s -format=json \
   | jq -r ".auth.client_token" > short-lived_token.txt
vault token lookup $(cat short-lived_token.txt)
  • Orphan tokens - Tokens that are the root of their own token tree.
vault token create -orphan -format=json \
   | jq -r ".auth.client_token" > orphan_token.txt
vault token lookup $(cat orphan_token.txt)

Batch Tokens

Check out Batch Token Documentation

  • Test Batch Tokens
vault policy write test -<<EOF
path "auth/token/create" {
   capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

vault token create -type=batch -policy=test -ttl=20m -format=json \
    | jq -r ".auth.client_token" > test_batch_token.txt

vault token lookup $(cat test_batch_token.txt)

VAULT_TOKEN=$(cat test_batch_token.txt) vault write cubbyhole/token value="1234567890"
# Batch tokens do not have a cubbyhole associated with them.

VAULT_TOKEN=$(cat test_batch_token.txt) vault token create -policy=default
# Batch tokens cannot create child tokens even if their policies have the capabilities to do so.

vault token revoke $(cat test_batch_token.txt)
# After 20 minutes, the token expires and Vault will revoke it. Batch tokens cannot be renewed.
  • AppRole
unset VAULT_TOKEN

vault auth enable approle

vault write auth/approle/role/jenkins token_type="batch" policies="example-policy" period="20m"

vault read -format=json auth/approle/role/jenkins/role-id \
    | jq -r ".data.role_id" > role_id.txt

vault write -f -format=json auth/approle/role/jenkins/secret-id | jq -r ".data.secret_id" > secret_id.txt

vault write -format=json auth/approle/login role_id=$(cat role_id.txt) \
     secret_id=$(cat secret_id.txt) | jq -r ".auth.client_token" > shipping_token.txt

vault token lookup $(cat shipping_token.txt)

Extra

  • List all tokens
vault list auth/token/accessors
  • List all tokens (detailed)
vault list -format json auth/token/accessors | jq -r '.[]' | xargs -I '{}' vault token lookup -format json -accessor '{}' | jq -r .
  • Find all tokens holding the root policy
vault list -format json auth/token/accessors | jq -r '.[]' | xargs -I '{}' vault token lookup -format json -accessor '{}' | jq -r 'select(.data.policies | any(. == "root"))'

GO APP

Check the GitHub page for more info.

Install Docker Compose

sudo apt-get -y update
sudo apt-get -y install ca-certificates curl gnupg lsb-release

sudo apt-get remove docker docker-engine docker.io containerd runc
sudo mkdir -m 0755 -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get -y update
sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo docker run hello-world

If you followed the tutorial from this gist, make sure to kill the old Vault dev server first:

ps -elf | grep vault
kill <ID>

Clone the repo

git clone https://github.com/hashicorp/hello-vault-go.git
cd hello-vault-go/sample-app
./run.sh

Verify

docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

Run the test

curl -s -X POST http://localhost:8080/payments | jq
docker logs sample-app-app-1

curl -s -X GET http://localhost:8080/products | jq
docker logs sample-app-app-1

docker logs sample-app-app-1 2>&1 | grep auth
docker logs sample-app-app-1 2>&1 | grep database

./run-tests.sh

HUG t-shirt URL

Link from presentation
