vault

[!NOTE|label:references]
vault CLI
Integrate HashiCorp Vault with CICD tool(Jenkins)
How To Read Vault’s Secrets from Jenkin’s Declarative Pipeline
Hashicorp vault how to list all roles
AppRole auth method

environment

install

macos

$ brew tap hashicorp/tap
$ brew install hashicorp/tap/vault

ubunut/debian

$ wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
$ sudo apt update && sudo apt install vault

centos/rhel

$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
$ sudo yum -y install vault

compltion

$ vault -autocomplete-install

status

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.9.0
Build Date      n/a
Storage Type    file
Cluster Name    vault-cluster-ea2f5821
Cluster ID      e034c5c3-53c6-2d38-2adf-e9bbd57ad87c
HA Enabled      false

get info

auth

list role type

$ vault auth list
Path        Type       Accessor                 Description                Version
----        ----       --------                 -----------                -------
approle/    approle    auth_approle_375212fa    n/a                        n/a
ldap/       ldap       auth_ldap_8fc0eb82       n/a                        n/a
token/      token      auth_token_f61ed5a6      token based credentials    n/a

list roles

$ vault list auth/approle/role
Keys
----
jenkins
jenkins-role

read role

$ vault read auth/approle/role/jenkins
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              4h
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [service-ssh]
token_ttl                  1h
token_type                 default

security

get token

$ vault auth list
Path        Type       Accessor                 Description                Version
----        ----       --------                 -----------                -------
approle/    approle    auth_approle_375212fa    n/a                        n/a
ldap/       ldap       auth_ldap_8fc0eb82       n/a                        n/a
token/      token      auth_token_f61ed5a6      token based credentials    n/a

$ vault token lookup
Key                 Value
---                 -----
accessor            Wf********************5y
creation_time       1640161759
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.s**********************K
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

list

list all path

$ vault secrets list [ -detailed ]
Path                       Type         Accessor              Description
----                       ----         --------              -----------
devops/                    kv           kv_374198a0           for devops

list keys

$ vault kv list devops/service-account/
Keys
----
read-only
read-write
read-write-delete

get contents

$ vault kv get devops/service-account/read-only
=============== Secret Path ===============
devops/data/service-account/read-only

======= Metadata =======
Key                Value
---                -----
created_time       2023-03-06T15:52:45.827580966Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            5

============ Data ============
Key                      Value
---                      -----
cn                       read-only
dn                       CN=read-only,OU=Service-Accounts,DC=example,DC=com
password                 ********
sAMAccountName           read-only
username                 read-only

approle

[!NOTE|label:references:]
Integrate HashiCorp Vault with CICD tool(Jenkins)
AppRole pull authentication
AppRole usage best practices
AppRole auth method
AppRole API
Use AppRole authentication

via CLI

pre-setup

$ export VAULT_ADDR='https://vault.domain.com'
$ export VAULT_TOKEN='s.s**********************K'

# VAULT_TOKEN=$(vault print token)

list

$ vault list auth/approle/role
Keys
----
jenkins
jenkins-role
...

# or
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
          --request LIST "$VAULT_ADDR/v1/auth/approle/role" |
  jq -r .data.keys[]
jenkins
jenkins-role

setup

$ vault write auth/approle/role/devops \
              token_num_uses=0 \
              secret_id_num_uses=0 \
              policies="devops"
Success! Data written to: auth/approle/role/devops

$ vault read auth/approle/role/devops
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
policies                   [devops]
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [devops]
token_ttl                  0s
token_type                 default

via API

# enable auth method
$ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
      --data '{"type": "approle"}' \
      http://127.0.0.1:8200/v1/sys/auth/approle

# create approle with policy
$ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
      --data '{"policies": "dev-policy,test-policy"}' \
      http://127.0.0.1:8200/v1/auth/approle/role/my-role

# check identifier of role
$ curl \
      --header "X-Vault-Token: ..." \
      http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
{
  "data": {
    "role_id": "988a9dfd-ea69-4a53-6cb6-9d6b86474bba"
  }
}

# create new security
$ curl \
      --header "X-Vault-Token: ..." \
      --request POST \
       http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
{
  "data": {
    "secret_id_accessor": "45946873-1d96-a9d4-678c-9229f74386a5",
    "secret_id": "37b74931-c4cd-d49a-9246-ccc62d682a25",
    "secret_id_ttl": 600,
    "secret_id_num_uses": 40
  }
}

get secret_id and role_id

# read for role-id
$ vault read auth/approle/role/devops/role-id
Key        Value
---        -----
role_id    1*******-****-****-****-***********5

$ vault write -f auth/approle/role/srv-ssd-fw-devops/secret-id
Key                   Value
---                   -----
secret_id             3*******-****-****-****-***********3
secret_id_accessor    9*******-****-****-****-***********b
secret_id_ttl         0

# list for secret_id
$ vault list auth/approle/role/devops/secret-id
Keys
-----
9*******-****-****-****-***********b

operator

tokens

[!NOTE|label:references:]
Tokens
Authentication
token prefixes

TOKEN TYPE

VAULT 1.9.X +

VAULT 1.10 -

Service tokens

s.<random>

hvs.<random>

Batch tokens

b.<random>

hvb.<random>

Recovery tokens

r.<random>

hvr.<random>

root tokens

[!TIP]
Regenerate a Vault root token
/sys/generate-root the API key for root tokens

initial root token with no expiration
```
$ vault operator init
```
generate root token with share holders ( with unseal key )
[!NOTE|label:references:]
- unseal key is necessary to generate root token
- operator generate-root
```
$ vault operator generate-root
```
- example:
  - generate an otp code for the final token
    $ vault operator generate-root -generate-otp
  - start a root token generation:
    $ vault operator generate-root -init
  - enter an unseal key to progress root token generation:
    $ vault operator generate-root

check status

$ vault operator generate-root -status
Nonce         n/a
Started       false
Progress      0/3
Complete      false
OTP Length    26

init

$ vault operator init
Unseal Key 1: p******************************************Y
Unseal Key 2: /******************************************y
Unseal Key 3: j******************************************I
Unseal Key 4: V******************************************K
Unseal Key 5: l******************************************M

Initial Root Token: s.s**********************K

check status

$ vault operator key-status
Key Term            1
Install Time        22 Dec 21 08:29 UTC
Encryption Count    211817

generate new unseal key
```
$ vault operator rekey
```

seal/unseal

$ vault operator seal
$ vault operator unseal

ssh

[!NOTE|label:references:]
Signed SSH certificates
Managing SSH Access at Scale with HashiCorp Vault

client key sign

signing key & role configuration

mount ssh secret engine

$ vault secrets enable -path=devops-ssh ssh

configure vault with a ca

$ vault write devops-ssh/config/ca generate_signing_key=true
# or with private/public key pairs
$ vault write devops-ssh/config/ca \
        private_key="..." \
        public_key="..."

add CA to all servers

# download pem
$ curl -o /etc/ssh/trusted-user-ca-keys.pem http://vault.sample.com:8200/v1/ssh-client-signer/public_key
# or
$ vault read -field=public_key devops-ssh/config/ca > /etc/ssh/trusted-user-ca-keys.pem

# modify sshd_config to `TrustedUserCAKeys`
$ sudo vim /etc/ssh/sshd_config
...
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

# restart sshd
$ sudo systemctl daemon-reload
$ sudo systemctl restart sshd.service

create role

$ vault write devops-ssh/roles/my-role -<<"EOH"
{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": {
    "permit-pty": ""
  },
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"
}
EOH

client ssh authentication

create ssh-key paire

$ ssh-keygen -t ed25519 -C "user@example.com"

sign the public key

$ vault write ssh-client-signer/sign/my-role \
    public_key=@$HOME/.ssh/id_ed25519.pub

Key             Value
---             -----
serial_number   c73f26d2340276aa
signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1...

# or customerize
$ vault write ssh-client-signer/sign/my-role -<<"EOH"
{
  "public_key": "ssh-rsa AAA...",
  "valid_principals": "my-user",
  "key_id": "custom-prefix",
  "extensions": {
    "permit-pty": "",
    "permit-port-forwarding": ""
  }
}
EOH

saved the signed keys

$ vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@$HOME/.ssh/id_ed25519.pub > signed-cert.pub

# verify
$ ssh-keygen -Lf ~/.ssh/signed-cert.pub

# ssh
$ ssh -i signed-cert.pub -i ~/.ssh/id_ed25519 username@10.0.23.5

host key sign

mount ssh security

$ vault secrets enable -path=devops-ssh-hosts ssh
Successfully mounted 'ssh' at 'devops-ssh-hosts'!

configure CA

$ vault write devops-ssh-hosts/config/ca generate_signing_key=true
Key             Value
---             -----
public_key      ssh-rsa AAAAB3NzaC1yc2EA...

# or with key pairs
$ vault write devops-ssh-hosts/config/ca \
        private_key="..." \
        public_key="..."

extend host key certificate ttls

$ vault secrets tune -max-lease-ttl=87600h devops-ssh-hosts

create role

$ vault write devops-ssh-hosts/roles/hostrole \
    key_type=ca \
    algorithm_signer=rsa-sha2-256 \
    ttl=87600h \
    allow_host_certificates=true \
    allowed_domains="localdomain,example.com" \
    allow_subdomains=true

sign ssh public key

$ vault write devops-ssh-hosts/sign/hostrole \
    cert_type=host \
    public_key=@/etc/ssh/ssh_host_ed25519_key.pub
Key             Value
---             -----
serial_number   3746eb17371540d9
signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...

signed certificate as HostCertificate

$ vault write -field=signed_key devops-ssh-hosts/sign/hostrole \
    cert_type=host \
    public_key=@/etc/ssh/ssh_host_ed25519_key.pub > /etc/ssh/ssh_host_ed25519_key-cert.pub

$ chmod 0640 /etc/ssh/ssh_host_ed25519_key-cert.pub

# modify sshd_config
$ sudo vim /etc/ssh/sshd_config
...
# For client keys
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
...
# For host keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

$ sudo systemctl daemon-reload
$ sudo systemctl restasrt sshd.service

verify

retrieve the host signing ca public key

$ curl http://127.0.0.1:8200/v1/devops-ssh-hosts/public_key

# or
$ vault read -field=public_key devops-ssh-hosts/config/ca

add into ~/.ssh/authorized_keys

$ cat >> ~/.ssh/known_hosts << EOF
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAA...
EOF

troubleshooting

set verbose log level

$ sudo vim /etc/ssh/sshd_config
...
LogLevel VERBOSE

$ sudo systemctl daemon-reload
$ sudo systemctl restart sshd.services

check in /var/log/auth.log

$ tail -f /var/log/auth.log | grep --line-buffered "sshd"

ssh secrets engine (API)

usage

API

[!NOTE|label:references:]
api v1.14.x

$ curl \
      -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
      -H "X-Vault-Namespace: ns1/ns2/" \
      -X GET \
      http://127.0.0.1:8200/v1/secret/foo

# or
$ curl \
      -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
      -X GET \
      http://127.0.0.1:8200/v1/ns1/ns2/secret/foo

CLI

[!NOTE|label:references:]
* Vault commands (CLI)
Rotate Azure auth method root credentials with Vault CLI
auth
kv
list
secrets
policy
debug
print curl commands
$ vault write -output-curl-string  auth/userpass/users/bob password="long-password"
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"password":"long-password"}' http://127.0.0.1:8200/v1/auth/userpass/users/bob
print policy requirements
$ vault kv put -output-policy kv/secret value=itsasecret
path "kv/data/secret" {
  capabilities = ["create", "update"]
}

path-help

 $ vault path-help devops
   ...

     ^.*$

     ^config$
         Configures settings for the KV store

     ^data/(?P<path>.*)$
         Write, Patch, Read, and Delete data in the Key-Value Store.

     ^delete/(?P<path>.*)$
         Marks one or more versions as deleted in the KV store.

     ^destroy/(?P<path>.*)$
         Permanently removes one or more versions in the KV store

     ^metadata/(?P<path>.*)$
         Configures settings for the KV store

     ^undelete/(?P<path>.*)$
         Undeletes one or more versions from the KV store.

and more

$ vault path-help sys/mounts
Request:        mounts
Matching Route: ^mounts$

## DESCRIPTION
This path responds to the following HTTP methods.

    GET /
        Lists all the mounted secret backends.

    GET /<mount point>
        Get information about the mount at the specified path.

    POST /<mount point>
        Mount a new secret backend to the mount point in the URL.

    POST /<mount point>/tune
        Tune configuration parameters for the given mount point.

    DELETE /<mount point>
        Unmount the specified mount point.

stdin

$ echo -n '{"value":"itsasecret"}' | vault kv put secret/password -

# or
$ echo -n "itsasecret" | vault kv put secret/password value=-

Files

$ vault kv put secret/password @data.json

# or
$ vault kv put secret/password value=@data.txt

basic usage

$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN=root

# enable azure
$ vault auth enable azure

# write config
$ vault write auth/azure/config \
              tenant_id="${TENANT_ID}" \
              client_id="${CLIENT_ID}" \
              client_secret="${CLIENT_SECRET}" \
              resource="https://management.azure.com/"

# write role
$ vault write auth/azure/role/rotation-role \
              bound_subscription_ids="${SUBSCRIPTION_ID}" \
              bound_resource_groups="${RESOURCE_GROUP_NAME}"

# login
$ vault write auth/azure/login \
              role="rotation-role" \
              jwt="${ACCESS_TOKEN_JWT}" \
              subscription_id="${SUBSCRIPTION_ID}" \
              resource_group_name="${RESOURCE_GROUP_NAME}" \
              vm_name="${VM_NAME}"

result

Key                               Value
---                               -----
token                             hvs.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
token_accessor                    XXXXXXXXXXXXXXXXXXXXXX
token_duration                    768h
token_renewable                   true
token_policies                    ["default"]
identity_policies                 []
policies                          ["default"]
token_meta_vm_name                vault-azure-tests-vm
token_meta_resource_group_name    vault_azure_tests_XXXXXXXX
token_meta_role                   rotation-role
token_meta_subscription_id        XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX

using vault with curl

[!TIP|label:references]
Passing certs to curl from an environment variable

CACERT=$(vault kv get -field crt my/cert/path/CACERT)
CERT=$(vault kv get -field crt my/cert/path/TESTCERT)
KEY=$(vault kv get -field key my/cert/path/TESTCERT)

curl -v \
    --cacert <(echo "$CACERT") \
    --cert <(echo "$CERT") \
    --key <(echo "$KEY") \
    --location \
    --request GET 'https://my.end.point'

Previousansible Nextartifactory

Last updated 7 months ago

hashtagenvironment

hashtaginstall

hashtagcompltion

hashtagstatus

hashtagget info

hashtagauth

hashtagsecurity

hashtaglist

hashtagapprole

hashtagvia CLI

hashtagget secret_id and role_id

hashtagoperator

hashtagtokens

hashtagssh

hashtagclient key sign

hashtaghost key sign

hashtagverify

hashtagusage

hashtagAPI

hashtagCLI

hashtagbasic usage

hashtagusing vault with curl

environment

install

compltion

status

get info

auth

security

list

approle

via CLI

get secret_id and role_id

operator

tokens

ssh

client key sign

host key sign

verify

usage

API

CLI

basic usage

using vault with curl