This project provides a custom Vault secret plugin for generating temporary LogicMonitor account API tokens.

Reference: https://github.com/hashicorp/vault-auth-plugin-example/blob/master/README.md

This step assumes you have configured a Vault plugin directory and that the plugin binary exists in that directory.

$ export SHA256=$(shasum -a 256 "./vault-plugin-secrets-logicmonitor" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/lm-secrets-plugin \
>     sha_256="${SHA256}" \
>     command="vault-plugin-secrets-logicmonitor"
Success! Data written to: sys/plugins/catalog/lm-secrets-plugin

$ vault secrets enable \
>     -path="lm" \
>     -plugin-name="lm-secrets-plugin" plugin
Success! Enabled the lm-secrets-plugin plugin at: lm/

The secret backend requires authentication information for identifying and interacting with your LogicMonitor account.

• access_id - Required. LogicMonitor API token Access ID with permissions to create new user accounts and set account roles

• access_key - Required. LogicMonitor API token Access Key with permissions to create new user accounts and set account roles

• account_domain - Required. LogicMonitor account domain. Example: vault.logicmonitor.com

  $ vault write lm/config \
  >     account_domain=account.logicmonitor.com \
  >     access_id='YOUR_API_ACCESS_ID' \
  >     access_key='YOUR_API_ACCESS_KEY'
  Success! Data written to: lm/config
  
  $ vault read lm/config
  Key            Value
  ---               -----
  access_id         YOUR_API_ACCESS_ID
  access_key        <sensitive>
  account_domain    account.logicmonitor.com
  max_ttl           0
  ttl               0
  

In order to begin generating tokens, you must first configure a role in the Vault backend. This role controls the permissions the granted to generated API tokens.

• roles - Required. Comma-separated list of LogicMonitor account roles to bind to this role.

Behind the scenes, for each Vault role, Vault will create a LogicMonitor user that is a member of the specified groups. Generated tokens will belong to the LogicMonitor user associated with the Vault role that created them.

$ vault write lm/roles/dev \
>     roles="readonly,dev"
Success! Data written to: lm/roles/test

You can generate tokens for a given role by reading /lm/tokens/{role}. Note that tokens will be disabled and removed from your account when the lease expires or is revoked.

$ vault read /lm/tokens/dev
Key                Value
---                -----
lease_id           lm/tokens/dev/5790895b-c318-725c-0fba-a7abcdfe3ae7
lease_duration     768h
lease_renewable    true
access_id          enP8w1234z7HJ3Y6B84L
access_key         =xz1234XEsBL(4y]B$mJ34567JE5=x39y)(T!_E4