Last active
October 28, 2016 20:27
Managing secrets using Hashicorp Vault
```bash
git clone https://github.com/stenio123/hashicorp-vault-token-auth-poc.git
cd hashicorp-vault-token-auth-poc
vagrant up
```
```bash
vault token-create -policy=production -wrap-ttl=20m
# Will output response (different token value):
Key                             Value
---                             -----
wrapping_token:                 d88d7612-14af-e58d-035f-f9446991bca4
wrapping_token_ttl:             20m0s
wrapping_token_creation_time:   2016-09-02 11:33:08.021734288 -0400 EDT
wrapped_accessor:               1cd465e7-67bd-7d75-385f-18afb47c489a
```
```bash
# Ensures that the ssh key has correct permissions
sudo chmod 400 ClientVM/ssh/unsafe_id_rsa
echo [single access token] | ssh -i ClientVM/ssh/unsafe_id_rsa -oStrictHostKeyChecking=no vagrant@192.168.0.51 "tee temporary-token.txt"
```
```bash
vagrant ssh client
export VAULT_TOKEN=$(cat temporary-token.txt)
RESPONSE=$(curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET http://192.168.0.50:8200/v1/cubbyhole/response)
```
```bash
curl -H "X-Vault-Token: $ACCESS_TOKEN" -X GET http://192.168.0.50:8200/v1/secret/production/password
```
```bash
curl -H "X-Vault-Token: $ACCESS_TOKEN" -X POST http://192.168.0.50:8200/v1/auth/token/renew-self
```
```bash
ACCESS_TOKEN=$(echo "$RESPONSE" | jq -r '.data.response | fromjson | .auth.client_token')
# This command uses shell pipes, where the output from the left is the input of the right:
# echo "$RESPONSE"
#   Outputs the wrapped token response read from cubbyhole/response
# jq -r '.data.response | fromjson | .auth.client_token'
#   Uses jq to select the "response" field, parse the JSON string it contains (fromjson),
#   and then select auth.client_token from the parsed document; -r prints it without quotes
# ACCESS_TOKEN=$( ... )
#   Command substitution stores the output of the whole pipeline in the variable ACCESS_TOKEN
#   (a trailing "| ACCESS_TOKEN=-" would not do this: a variable assignment does not read stdin)
```
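The two-step parse above (outer JSON, then the JSON string in `data.response`) is the point where a consumer should also verify what it received. Added example, not code from the gist: it reproduces the jq extraction offline and adds the check that the accessor inside the unwrapped payload equals the `wrapped_accessor` the operator saw when running `vault token-create -wrap-ttl`, and that the policies are exactly the expected set. The sample document is constructed with the same shape as the `cubbyhole/response` output shown on this page; the token and accessor values in it are invented.

```python
"""Unwrap a Vault response-wrapped token and verify it before use."""
import json

# Constructed sample: same shape as the cubbyhole/response document in the gist,
# with invented token/accessor values. The inner "response" is a JSON *string*.
SAMPLE_WRAPPED_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000001",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": {
        "response": json.dumps({
            "request_id": "00000000-0000-0000-0000-000000000002",
            "lease_id": "",
            "renewable": False,
            "lease_duration": 0,
            "data": None,
            "wrap_info": None,
            "warnings": None,
            "auth": {
                "client_token": "example-client-token-1111",
                "accessor": "example-accessor-aaaa",
                "policies": ["default", "production"],
                "metadata": None,
                "lease_duration": 2592000,
                "renewable": True,
            },
        })
    },
    "wrap_info": None,
    "warnings": None,
    "auth": None,
})


class UnwrapError(Exception):
    """The unwrapped payload is missing or does not match what was handed over."""


def extract_client_token(wrapped_response, expected_accessor, expected_policies):
    """Return the client token from a cubbyhole/response document.

    Equivalent to `jq -r '.data.response | fromjson | .auth.client_token'`,
    plus two checks: the accessor must equal the wrapped_accessor printed at
    wrap time (detects a substituted token) and the policy set must be the
    one the operator intended (detects an over-privileged token).
    """
    outer = json.loads(wrapped_response)
    inner_text = (outer.get("data") or {}).get("response")
    if inner_text is None:
        # Vault returns no data once a wrapping token has been used; treat a
        # missing payload as a sign the token was already unwrapped elsewhere.
        raise UnwrapError("no data.response field: wrong path or already unwrapped")
    inner = json.loads(inner_text)  # the jq `fromjson` step
    auth = inner.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise UnwrapError("unwrapped payload carries no client_token")
    if auth.get("accessor") != expected_accessor:
        raise UnwrapError("accessor mismatch: token may have been substituted")
    if set(auth.get("policies") or []) != set(expected_policies):
        raise UnwrapError("unexpected policies: %r" % (auth.get("policies"),))
    return token


def is_valid_wrapped_response(wrapped_response, expected_accessor, expected_policies):
    """Boolean form of the check above, for callers that only need accept/reject."""
    try:
        extract_client_token(wrapped_response, expected_accessor, expected_policies)
        return True
    except (UnwrapError, ValueError):
        return False


if __name__ == "__main__":
    token = extract_client_token(SAMPLE_WRAPPED_RESPONSE,
                                 "example-accessor-aaaa", {"default", "production"})
    print("client token accepted:", token)
```

In the lab above, `expected_accessor` is the `wrapped_accessor` value from the `vault token-create` output, passed to the client out of band together with the wrapping token; a mismatch means the client should discard the token and report it rather than use it.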
```text
# vault path-help [path you want help with]
# Example:
$ vault path-help auth/token
## DESCRIPTION
## PATHS
The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
you may or may not be able to access certain paths.
    ^accessors/?$
        List token accessors, which can then be
        be used to iterate and discover their properities
        or revoke them. Because this can be used to
        cause a denial of service, this endpoint
        requires 'sudo' capability in addition to
        'list'.
    ^create$
        The token create path is used to create new tokens.
    ^create-orphan$
        The token create path is used to create new orphan tokens.
    ^create/(?P<role_name>\w[\w-.]+\w)$
        This token create path is used to create new tokens adhering to the given role.
    ^lookup(/(?P<urltoken>.+))?$
        This endpoint will lookup a token and its properties.
    ^lookup-accessor(/(?P<urlaccessor>.+))?$
        This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
    ^lookup-self$
        This endpoint will lookup a token and its properties.
    ...
```
```text
# For this example, you will need to have the aws-ec2 enabled by running
# $ vault auth-enable aws-ec2
$ vault path-help auth/aws-ec2/role/test
Request:        role/test
Matching Route: ^role/(?P<role>\w[\w-.]+\w)$
Create a role and associate policies to it.
## PARAMETERS
    allow_instance_migration (bool)
        If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution.
    bound_account_id (string)
        If set, defines a constraint on the EC2 instances that the account ID
        in its identity document to match the one specified by this parameter.
    bound_ami_id (string)
        If set, defines a constraint on the EC2 instances that they should be
        using the AMI ID specified by this parameter.
    bound_iam_role_arn (string)
        If set, defines a constraint on the EC2 instances that they should be using the IAM Role ARN specified by this parameter.
    disallow_reauthentication (bool)
        If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws-ec2/identity-whitelist/<instance_id>' endpoint.
    max_ttl (duration (sec))
        The maximum allowed lifetime of tokens issued using this role.
    policies (string)
        Policies to be set on tokens issued using this role.
    role (string)
        Name of the role.
    role_tag (string)
        If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role/<role>/tag' endpoint. Defaults to an empty string, meaning that role tags are disabled.
    ttl (duration (sec))
        Duration in seconds after which the issued token should expire. Defaults
        to 0, in which case the value will fallback to the system/mount defaults.
## DESCRIPTION
A precondition for login is that a role should be created in the backend.
The login endpoint takes in the role name against which the instance
should be validated. After authenticating the instance, the authorization
for the instance to access Vault's resources is determined by the policies
that are associated to the role though this endpoint.
When the instances require only a subset of policies on the role, then
'role_tag' option on the role can be enabled to create a role tag via the
endpoint 'role/<role>/tag'. This tag then needs to be applied on the
instance before it attempts a login. The policies on the tag should be a
subset of policies that are associated to the role. In order to enable
login using tags, 'role_tag' option should be set while creating a role.
Also, a 'max_ttl' can be configured in this endpoint that determines the maximum
duration for which a login can be renewed. Note that the 'max_ttl' has an upper
limit of the 'max_ttl' value on the backend's mount.
```
```bash
vagrant ssh vault
```
```bash
# This runs Vault in the background. Output is sent to nohup.out
nohup ./vault server -config=sync/HashicorpVault/config.hcl &
# Press <enter> to see the Exit 1 status code
# Using the address defined in the above configuration file
export VAULT_ADDR=http://0.0.0.0:8200
# Initializes unseal tokens and root access token
./vault init
# If you want to avoid having to type "./" before executing Vault, you can add this folder to your PATH by executing:
export PATH=$PATH:$(pwd)
```
```bash
vault unseal
```
```bash
vault auth [root token]
# Should return output:
Successfully authenticated! You are now logged in.
token: [root token]
token_duration: 0
token_policies: [root]
```
```bash
vault audit-enable file path=./vault_audit.log
```
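Once the file audit backend is on, every request and response lands in `vault_audit.log` as one JSON object per line, with token values HMAC'd. Added example, not part of the gist, and going a step beyond it: a small scanner over such a log that raises two findings a reviewer of this lab would want to see, secret reads performed with the root token (the gist logs in as root for setup only; the clients are meant to use the `production` token) and requests Vault denied, which show a client reaching for paths its policy does not cover. The field layout (`type`, `error`, `auth.policies`, `request.operation`, `request.path`, `request.remote_address`) follows the shape of Vault's file audit entries as I know it and is an assumption here; the log lines are constructed for the example, not captured from the lab.

```python
"""Flag root-token secret reads and denied requests in a Vault file audit log."""
import json
from collections import Counter

SECRET_PREFIX = "secret/"


def _entry(kind, display_name, policies, operation, path, remote, token, error=""):
    """Build one constructed audit line in the assumed Vault file-audit shape."""
    return {
        "time": "2016-10-28T20:00:01Z", "type": kind, "error": error,
        "auth": {"client_token": "hmac-sha256:" + token, "accessor": "hmac-sha256:" + token + "-acc",
                 "display_name": display_name, "policies": policies, "metadata": None},
        "request": {"id": "req-" + token, "operation": operation, "client_token": "hmac-sha256:" + token,
                    "path": path, "data": None, "remote_address": remote, "wrap_ttl": 0},
    }


# Constructed sample log: a normal client read (request + response pair), a read
# done with the root token, a read Vault refused, a token renewal, and one line
# of non-JSON garbage such as a truncated write.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _entry("request", "token", ["default", "production"], "read",
           "secret/production/password", "192.168.0.51", "prod1"),
    _entry("response", "token", ["default", "production"], "read",
           "secret/production/password", "192.168.0.51", "prod1"),
    _entry("response", "root", ["root"], "read",
           "secret/production/password", "127.0.0.1", "root1"),
    _entry("response", "token", ["default", "qa"], "read",
           "secret/production/password", "192.168.0.52", "qa1", error="permission denied"),
    _entry("response", "token", ["default", "production"], "update",
           "auth/token/renew-self", "192.168.0.51", "prod1"),
]) + "\nthis line is not json\n"


def scan_audit_log(text):
    """Return a list of findings, in log order, for the JSON-lines audit text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except ValueError:
            # A line that cannot be parsed is itself worth reporting: audit
            # data that was cut short or tampered with should not be ignored.
            findings.append({"kind": "unparseable-line", "line": lineno})
            continue
        if entry.get("type") != "response":
            continue  # each call is logged twice; only the response carries the outcome
        req = entry.get("request") or {}
        auth = entry.get("auth") or {}
        path = req.get("path") or ""
        policies = auth.get("policies") or []
        common = {"line": lineno, "path": path, "policies": policies,
                  "remote": req.get("remote_address"), "accessor": auth.get("accessor")}
        if entry.get("error"):
            findings.append(dict(kind="denied-request", error=entry["error"], **common))
        elif "root" in policies and path.startswith(SECRET_PREFIX):
            findings.append(dict(kind="root-secret-read", **common))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick report line."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f)
    print(summarize(scan_audit_log(SAMPLE_AUDIT_LOG)))
```

To run it against the lab's real log, replace `SAMPLE_AUDIT_LOG` with the contents of `vault_audit.log`; because tokens are HMAC'd in the log, findings are correlated by accessor rather than by token value, which is what the `lookup-accessor` path on the page is for.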
```bash
vault mounts
```
```bash
vault policy-write production sync/HashicorpVault/policies/production.hcl
vault policy-write qa sync/HashicorpVault/policies/qa.hcl
vault policy-write development sync/HashicorpVault/policies/development.hcl
```
```bash
vault write secret/production/password value=MyProdPassword
vault write secret/production/qa value=MyQAPassword
vault write secret/production/development value=MyDevelopmentPassword
```
```text
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   569  100   569    0     0   223k      0 --:--:-- --:--:-- --:--:--  555k
```
```json
{
  "request_id": "940e5211-76f1-b33f-7130-af48e49c5a7c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "response": "{\"request_id\":\"f8b9ea99-2001-54db-3260-70b0c836aa7b\",\"lease_id\":\"\",\"renewable\":false,\"lease_duration\":0,\"data\":null,\"wrap_info\":null,\"warnings\":null,\"auth\":{\"client_token\":\"9d7b7da7-897c-bb8e-9729-c0b5f5d61b7f\",\"accessor\":\"2b66772e-775c-ef9e-1a02-30e711787a9f\",\"policies\":[\"default\",\"production\"],\"metadata\":null,\"lease_duration\":2592000,\"renewable\":true}}"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```
```json
{
  "request_id": "8196ade4-9589-8bbd-685c-ac29e44c349c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 2592000,
  "data": {
    "value": "MyProdPassword"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```