
Working with Hashicorp Vault

This project is all about setting up and connecting to Hashicorp Vault in development mode. It has only been tested on macOS Mojave.

User Setup

In this project we are going to create the following types of user:

Role Type              | Permissions                    | Description
-----------------------|--------------------------------|------------
root                   | full control                   | Only used to create other roles and set up the main authentication type; creates vault admin users
${application-name}-ro | Read only role for application | Allows an application to log in and read secrets from the specified path

Start the Vault Server in Development Mode

From the root directory type

# start Vault (dev mode) in the background
docker-compose -f ./docker/docker-compose.yml up -d
# and, when you are finished, stop and remove it again
docker-compose -f ./docker/docker-compose.yml down

This will start Vault in development mode and create a docker/vault directory.

In another terminal window, export the root token so that we can log in to Vault

VAULT_TOKEN=$(docker logs $(docker ps -aqf "name=vault") 2>&1 | grep Token | awk '{print $3}')
# Use vault because we are using docker networking
VAULT_ADDR='http://vault:8200'

Run terraform to create policies

cd application
TERRAFORM_IMAGE=hashicorp/terraform:0.11.14
# create a command alias
TERRAFORM_CMD="docker run -ti --rm --name test --network=docker_vault-nw -w /app -v `pwd`:/app -e VAULT_ADDR=${VAULT_ADDR} -e VAULT_TOKEN=${VAULT_TOKEN} ${TERRAFORM_IMAGE}"

${TERRAFORM_CMD} init
${TERRAFORM_CMD} plan -out=app-plan
VAULT_TOKEN=$(docker logs $(docker ps -aqf "name=vault") 2>&1 | grep Token | awk '{print $3}') ${TERRAFORM_CMD} apply "app-plan"

What will the command create?

A read only approle user will be created with the following details:

  • Mount path: applications/${var.application_name}/approle
  • Role name: ${var.application_name}-ro
  • Role access rights:
      • applications/${var.application_name}/approle/login: create (for login)
      • applications/${var.application_name}/*: read (for secrets)
  • Policy name: ${var.application_name}-application-ro

Validate the paths

You can validate login in the following way. To do this, you will need permissions that grant access to the approle paths. Root, for example.

# get the vault container id
container_id=$(docker ps --filter "name=vault" --filter "status=running" --format '{{.ID}}')
# open a shell inside the vault container
docker exec -it $container_id sh
# inside the container the vault CLI needs VAULT_ADDR and a token that may
# read the approle paths (the root token from the container logs works)
# set the app name and app role
APP_NAME=test
APP_ROLE=test-ro
# get the role id (-field prints only the value, so there is no table to cut apart)
ROLE_ID=$(vault read -field=role_id auth/applications/${APP_NAME}/approle/role/${APP_ROLE}/role-id)
# generate a secret id for the role
SECRET_ID=$(vault write -f -field=secret_id auth/applications/${APP_NAME}/approle/role/${APP_ROLE}/secret-id)
# exchange the role id and secret id for a token
TOKEN_ID=$(vault write -field=token auth/applications/${APP_NAME}/approle/login role_id=${ROLE_ID} secret_id=${SECRET_ID})
# now try to login
vault login ${TOKEN_ID}
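The steps above only prove that the role can log in. The script below is an added example (it is not part of this project) that goes one step further and checks the two things the role table promises: the token carries the ${app}-application-ro policy, and a write under applications/<app>/ is refused. It assumes the vault CLI is on PATH with VAULT_ADDR and a privileged VAULT_TOKEN set, the auth/applications/<app>/approle mount layout from the Terraform above, and uses a constructed path applications/<app>/probe for the write attempt. The pure-shell helpers parse the "Key / Value" table that vault read and vault write print by key name, which is more robust than counting lines with head and tail.

```shell
#!/bin/sh
# Added example (not part of the project): check that the read-only AppRole
# can log in, carries the <app>-application-ro policy, and is refused writes.
# Assumes: vault CLI on PATH, VAULT_ADDR/VAULT_TOKEN set for an admin token,
# and the auth/applications/<app>/approle mount layout created by terraform.

# Pull one value out of the "Key / Value" table that vault read/write print,
# by key name rather than by line position: "head -3 | tail -1" silently
# returns the wrong row if Vault prints a warning first or reorders the table.
table_field() {
  awk -v key="$1" '$1 == key { print $2; exit }'
}

# API paths for an application's AppRole mount (auth/applications/<app>/approle)
approle_role_path()  { printf 'auth/applications/%s/approle/role/%s\n' "$1" "$2"; }
approle_login_path() { printf 'auth/applications/%s/approle/login\n' "$1"; }

# Decide what a write attempt by the read-only token proved.
#   $1 = vault exit status, $2 = everything vault printed to stderr
# "denied" is the expected outcome; "ALLOWED" means the policy is too broad.
readonly_write_result() {
  if [ "$1" -eq 0 ]; then
    echo ALLOWED
  elif printf '%s' "$2" | grep -q 'permission denied'; then
    echo denied
  else
    echo error
  fi
}

# Does the token's policy list contain the expected read-only policy?
#   $1 = app name, $2 = output of `vault token lookup -field=policies`,
#   which looks like "[default test-application-ro]"
has_ro_policy() {
  printf '%s' "$2" | tr -d '[]' | tr ' ' '\n' | grep -qx "$1-application-ro"
}

validate_approle() {
  app="$1"; role="$2"
  role_id=$(vault read "$(approle_role_path "$app" "$role")/role-id" | table_field role_id)
  secret_id=$(vault write -f "$(approle_role_path "$app" "$role")/secret-id" | table_field secret_id)
  token=$(vault write "$(approle_login_path "$app")" role_id="$role_id" secret_id="$secret_id" | table_field token)

  policies=$(VAULT_TOKEN="$token" vault token lookup -field=policies)
  has_ro_policy "$app" "$policies" || { echo "token lacks $app-application-ro policy"; return 1; }

  # A read-only token must not be able to create secrets under its own prefix.
  # applications/<app>/probe is a constructed path used only for this check;
  # the ACL is evaluated before routing, so a 403 is expected even if nothing
  # is mounted there.
  if err=$(VAULT_TOKEN="$token" vault write "applications/$app/probe" value=x 2>&1 >/dev/null); then
    status=0
  else
    status=$?
  fi
  result=$(readonly_write_result "$status" "$err")
  echo "write as $role: $result"
  [ "$result" = denied ]
}

# Usage (only runs when asked, so the helpers can be sourced on their own):
#   RUN_VALIDATION=1 sh validate_approle.sh test test-ro
if [ "${RUN_VALIDATION:-0}" = 1 ]; then
  validate_approle "${1:-test}" "${2:-test-ro}"
fi
```

The script exits non-zero when the token is missing the policy or when the write goes through, so it can sit in the same pipeline that runs the Terraform apply and fail the build if a policy change ever widens the role.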

TODO

  • Setting up a production-like server
  • Running inside kubernetes
  • Improve user hierarchy
  • Show different methods of authentication
  • add more user types
  • add spring boot integration
  • make readme in correct directories

Project Contents

  • README: The project readme file
  • docker: Docker related files for running vault
  • terraform: Terraform files for populating roles and permissions in Vault

Contributors

mononokehime
