@rigelreyes
Last active November 15, 2019 02:24
Vault Enterprise Training

andrea_rsa_pol.hcl
path "db_rsa_key/*" {
  capabilities = ["read", "list"]
}
andrea_rsa_pol.json
{
  "policy": "path \"db_rsa_key/*\" { capabilities = [\"read\", \"list\"]}"
}
assign_pol.json
{
  "policies": "andrea_rsa,cipol",
  "value": "andrea_rsa,cipol"
}
auth_test_cli.sh
#!/bin/bash
# Set env variables
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=AddYourVaultTokenHere
# Enable Transit at db_rsa_key in the root namespace
vault secrets enable -path=db_rsa_key transit
vault secrets list
# Create the ci namespace
vault namespace create ci
vault namespace list
# Enable LDAP and GitHub
vault auth enable ldap
vault auth enable github
vault auth list
# Create a new policy for Andrea covering db_rsa_key
vault policy write andrea_rsa andrea_rsa_pol.hcl
vault policy list
# Create policy in the CI namespace
export VAULT_NAMESPACE=ci
vault policy write cipol ci_pol.hcl
# Back to the root namespace, where the LDAP and GitHub auth methods are mounted
unset VAULT_NAMESPACE
# Assign rsa and ci policy to Andrea on LDAP
vault write auth/ldap/users/andrea policies=andrea_rsa,cipol
vault read auth/ldap/users/andrea
# Assign rsa and ci policy to Andrea on GitHub
vault write auth/github/map/users/andrea value=andrea_rsa,cipol
vault read auth/github/map/users/andrea
auth_test_curl.sh
#!/bin/bash
# Set env variables
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=AddYourVaultTokenHere
# Enable Transit db_rsa_key in root namespace
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @db_rsa_key.json \
$VAULT_ADDR/v1/sys/mounts/db_rsa_key
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/mounts \
| jq
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
$VAULT_ADDR/v1/sys/namespaces/ci
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
-X LIST \
$VAULT_ADDR/v1/sys/namespaces \
| jq
# Enable LDAP and GitHub
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @enable_ldap.json \
$VAULT_ADDR/v1/sys/auth/ldap
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @enable_github.json \
$VAULT_ADDR/v1/sys/auth/github
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/auth \
| jq
# Create a new policy in db_rsa_key for Andrea
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request PUT \
--data @andrea_rsa_pol.json \
$VAULT_ADDR/v1/sys/policies/acl/andrea_rsa
curl \
-X LIST \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/policies/acl \
| jq
# Create policy for CI namespace
export VAULT_NAMESPACE=ci
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--header "X-Vault-Namespace: $VAULT_NAMESPACE" \
--request PUT \
--data @ci_pol.json \
$VAULT_ADDR/v1/sys/policies/acl/cipol
# Assign rsa and ci policy to Andrea on LDAP
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @assign_pol.json \
$VAULT_ADDR/v1/auth/ldap/users/andrea
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/auth/ldap/users/andrea
# Assign rsa and ci policy to Andrea on GitHub
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @assign_pol.json \
$VAULT_ADDR/v1/auth/github/map/users/andrea
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/auth/github/map/users/andrea
ci_pol.hcl
# Manage namespaces
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List policies
path "sys/policies/acl" {
  capabilities = ["list"]
}
# Enable and manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# List available secrets engines
path "sys/mounts" {
  capabilities = ["read"]
}
ci_pol.json
{
  "policy": "path \"sys/namespaces/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\npath \"sys/policies/acl/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\npath \"sys/policies/acl\" {\n  capabilities = [\"list\"]\n}\npath \"sys/mounts/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\npath \"sys/mounts\" {\n  capabilities = [\"read\"]\n}"
}
db_rsa_key.json
{
  "type": "transit"
}
enable_github.json
{
  "type": "github",
  "description": "Login with GitHub"
}
enable_ldap.json
{
  "type": "ldap",
  "description": "Login with LDAP"
}
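The JSON files above are the HCL policies wrapped by hand into the {"policy": ...} body that the curl script PUTs to sys/policies/acl/<name>, and the two forms can silently diverge (ci_pol.hcl and ci_pol.json grant different capabilities on sys/policies/acl/*). As an added example that is not part of the gist, this Python helper builds the JSON body from HCL text and extracts path-to-capabilities from both forms so the drift shows up in review; the regex handles only the flat `path "..." { capabilities = [...] }` stanzas used here and is not a general HCL parser, and the sample strings are constructed.

```python
import json
import re

# Constructed sample: two of the ci_pol.hcl stanzas from the gist, as a string.
CI_POL_HCL = """\
# Manage namespaces
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List available secrets engines
path "sys/mounts" {
  capabilities = [ "read" ]
}
"""

# Constructed sample of a hand-wrapped JSON body that drifted from the HCL
# (sys/namespaces/* lost "create" and "delete"); no separators between stanzas.
DRIFTED_JSON_BODY = (
    r'{"policy": "path \"sys/namespaces/*\" { capabilities = [\"read\", '
    r'\"update\", \"list\", \"sudo\"]}path \"sys/mounts\" { capabilities = [ \"read\" ]}"}'
)

# Hypothetical helper regex for flat stanzas only; not a full HCL parser.
_PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def hcl_to_policy_body(hcl_text: str) -> str:
    """Wrap HCL text into the {"policy": ...} body PUT sys/policies/acl/<name> expects."""
    return json.dumps({"policy": hcl_text})


def parse_capabilities(hcl_text: str) -> dict:
    """Map each path stanza to its sorted list of capabilities."""
    stanzas = {}
    for path, caps in _PATH_RE.findall(hcl_text):
        stanzas[path] = sorted(c.strip().strip('"') for c in caps.split(",") if c.strip())
    return stanzas


def policy_drift(hcl_text: str, json_body: str) -> dict:
    """Return {path: (hcl_caps, json_caps)} for paths whose grants differ."""
    from_hcl = parse_capabilities(hcl_text)
    from_json = parse_capabilities(json.loads(json_body)["policy"])
    return {p: (from_hcl.get(p), from_json.get(p))
            for p in sorted(set(from_hcl) | set(from_json))
            if from_hcl.get(p) != from_json.get(p)}
```

Generating every .json body with hcl_to_policy_body from the .hcl source, instead of hand-escaping it, makes policy_drift return an empty dict by construction.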
@v6 commented Nov 14, 2019

@rigelreyes could you please include a README.md with this?

And include the .hcl versions of the Vault policies?

Might be worth using a regular GitLab repo for the sake of organization and accepting pull requests.

@v6 commented Nov 14, 2019

@bernardogza, could you review this, and perhaps set up a time to show Rigel and Rambabu how you handled this?

@rigelreyes (Author) commented

@v6 I included the .hcl files here too. Can you give me access to the vault-training repo in GitLab?

@v6 commented Nov 15, 2019

Sure @rigelreyes.
