Title: Vault setup
Subject: To manage secrets and protect sensitive data

Vault, by HashiCorp, tries to solve the problem of secrets management.
This isn't just user/pass, but also API keys and tokens.
It accommodates every kind of storage.

REF: https://vaultproject.io

This is about a 15 min exercise to set up on Gentoo with file storage.

#-------------------------------
# REF: https://www.vaultproject.io/docs/configuration
#-------------------------------

#-------------------------------
#
# Create location for storing
#
mkdir /vault-data
chmod 700 /vault-data
chown -R vault:root /vault-data

#-------------------------------
#
# Create server config, store in a file
# (the original heredoc was missing the '>' redirect)
#
cat > localhost.json <<'EOF_FILE'
{
  "listener": [{
    "tcp": {
      "address"     : "0.0.0.0:8200",
      "tls_disable" : 1
    }
  }],
  "api_addr": "http://127.0.0.1:8200",
  "storage": {
    "file": {
      "path" : "/vault-data/vault"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
EOF_FILE
# Notes on the config:
#  - api_addr must point at the port the listener actually uses (8200 here;
#    the original had 8500, which nothing listens on).
#  - tls_disable=1 on 0.0.0.0 is a plaintext listener on every interface;
#    acceptable for this local exercise, not for a host reachable from a network.

#-------------------------------
#
# Start the server
#
/etc/init.d/vault restart

#-------------------------------
#
# Check status
#
export VAULT_ADDR=http://127.0.0.1:8200
vault status

Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false

#-------------------------------
#
# Try to initialize
#
vault operator init > /etc/vault.d/init.file

# You might see this if permissions are wrong
Error initializing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/init
Code: 400.
Errors:

* failed to initialize barrier: failed to persist keyring: mkdir /vault-data/vault: permission denied

#-------------------------------
#
# No output on success, but this is what was created
#
tree --charset ascii /vault-data/
/vault-data/
|-- core
|   |-- _audit
|   |-- _auth
|   |-- cluster
|   |   |-- _feature-flags
|   |   `-- local
|   |       `-- _info
|   |-- hsm
|   |   `-- _barrier-unseal-keys
|   |-- _keyring
|   |-- _local-audit
|   |-- _local-auth
|   |-- _local-mounts
|   |-- _master
|   |-- _mounts
|   |-- _seal-config
|   |-- _shamir-kek
|   `-- wrapping
|       `-- _jwtkey
|-- logical
|   `-- d68112f3-db8c-1105-cda8-55155a6ae62f
|       `-- _casesensitivity
`-- sys
    |-- policy
    |   |-- _control-group
    |   |-- _default
    |   `-- _response-wrapping
    `-- token
        |-- accessor
        |   `-- _9333ffd808923ff0ce261f85d091953f18a6b874
        |-- id
        |   `-- _hcb49e783cfbe54178974c2e508fcf05579d2a3f881d6fcb8b3b1e1e081e3cf26
        `-- _salt

12 directories, 21 files

#-------------------------------
#
# Good logs found here
#
tail -f /var/log/vault/vault.log

#-------------------------------
#
# Get your tokens (unseal, root)
#
cat /etc/vault.d/init.file
Unseal Key 1: aaaa
Unseal Key 2: bbbb
Unseal Key 3: cccc
Unseal Key 4: dddd
Unseal Key 5: eeee

Initial Root Token: ffff

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Vault remains unsealed until:
  - Resealed via API
  - Vault service is restarted

#-------------------------------
#
# Unseal
#
vault operator unseal aaaa
vault operator unseal bbbb
vault operator unseal cccc

# Or in a loop. Note: no spaces around '=' in a shell assignment, or the
# shell tries to run a command named "Keys".
# (A key given as an argument ends up in shell history and `ps` output;
# `vault operator unseal` with no argument prompts for it instead.)
Keys='aaaa bbbb cccc'
for k in $Keys; do
  vault operator unseal $k
done

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.4.0
Cluster Name    vault-cluster-f460de5c
Cluster ID      9e0340b7-da3c-1920-e691-cb06248eab5d
HA Enabled      false

#-------------------------------
#
# View vault
#
http://127.0.0.1:8200/ui/vault/auth?with=token
Log in with the Token method.
The default secrets engine is named "cubbyhole".

#-------------------------------
#
# Create AppRole and Policies through CLI
#
vault auth enable approle
vault write \
  auth/approle/role/demo \
  bound_cidr_list=10.0.0.0/16 \
  bind_secret_id=false \
  policies=default-policy

# REF: https://devopscube.com/setup-hashicorp-vault-beginners-guide/

#-------------------------------
# Via web interface:
#   In cubbyhole
#   Click "Create Secret +"
#   Name your secret container (you can't change its name)
#   Add Secret Data
#   Click Save
#
# I added a user, but they can't see the secret data.
#
# I created a group called Admin
#   Policies: default
#
#-------------------------------
export VAULT_ADDR=http://127.0.0.1:8200
vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.4.0
Cluster Name    vault-cluster-f460de5c
Cluster ID      9e0340b7-da3c-1920-e691-cb06248eab5d
HA Enabled      false

#-------------------------------
# Command line access
#-------------------------------
If you see this error:

Error uploading policy: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/policies/acl/admin
Code: 403.
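The unseal step above hard-codes three shares in a shell variable. The script below is an added example (not from the original notes, and not HashiCorp's code) that reads the file `vault operator init` wrote, works out the threshold from the "key threshold of N" line, and feeds exactly N shares to `vault operator unseal`. The parsing functions run offline on a constructed copy of the init output shown above; only `do_unseal` needs a running Vault and the `vault` binary on PATH. It relies on the `vault status` exit codes (0 unsealed, 2 sealed, 1 error) to report the result.

```bash
#!/usr/bin/env bash
# Added example: parse the output of `vault operator init` and unseal with the
# threshold number of shares. Assumes the init output format shown in these
# notes; `do_unseal` additionally assumes a `vault` binary on PATH.
set -eu

# Constructed sample of an init.file, using the notes' placeholder values.
write_sample_init() {
  cat > "$1" <<'EOF_SAMPLE'
Unseal Key 1: aaaa
Unseal Key 2: bbbb
Unseal Key 3: cccc
Unseal Key 4: dddd
Unseal Key 5: eeee

Initial Root Token: ffff

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
EOF_SAMPLE
}

# Threshold N from the line "...a key threshold of N...".
init_threshold() {
  sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p' "$1"
}

# Every unseal key share, one per line, in the order printed.
init_unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { print $4 }' "$1"
}

# Only the first THRESHOLD shares: as many as the unseal needs, no more.
init_keys_needed() {
  local n
  n=$(init_threshold "$1")
  awk -v n="$n" '/^Unseal Key [0-9]+:/ && c < n { print $4; c++ }' "$1"
}

init_root_token() {
  awk '/^Initial Root Token:/ { print $4 }' "$1"
}

# Submit the shares, then let `vault status` say whether the barrier opened:
# it exits 0 when unsealed, 2 when still sealed, 1 on a connection error.
do_unseal() {
  local f=$1 k
  init_keys_needed "$f" | while read -r k; do
    vault operator unseal "$k" >/dev/null
  done
  if vault status >/dev/null; then
    echo "unsealed"
  else
    echo "still sealed or unreachable" >&2
    return 1
  fi
}

# Usage (needs a running Vault):  do_unseal /etc/vault.d/init.file
```

Keeping all five shares and the root token together in one file on the Vault host, as the notes do, removes the protection the 3-of-5 threshold was meant to give: anyone who can read that file can unseal and has root. For anything beyond a lab, distribute the shares to separate holders and revoke the initial root token once an admin policy and a non-root login path exist.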
Errors:

* permission denied

PROBLEM: you did not export a VAULT_TOKEN

#
# Most permissive access
#
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN="ffff"    # the Initial Root Token from /etc/vault.d/init.file

# Test
vault policy list
default

#-------------------------------
# Making admin policy
# REF: https://learn.hashicorp.com/vault/identity-access-management/iam-policies
#-------------------------------
cat > /etc/vault.d/admin-policy.hcl <<'EOF_ADMIN_POL'
# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts" {
  capabilities = ["read"]
}

# Read health checks
path "sys/health" {
  capabilities = ["read", "sudo"]
}
EOF_ADMIN_POL

# Load the policy (path must match where the heredoc wrote it)
vault policy write admin /etc/vault.d/admin-policy.hcl
Success!
Uploaded policy: admin

#-------------------------------
# Making provisioner policy
# REF: https://learn.hashicorp.com/vault/identity-access-management/iam-policies
#-------------------------------
cat > /etc/vault.d/provisioner-policy.hcl <<'EOF_PROVIS_POL'
# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Create and manage ACL policies via API & UI
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF_PROVIS_POL

# Load the policy
vault policy write provisioner /etc/vault.d/provisioner-policy.hcl
Success! Uploaded policy: provisioner

vault policy list
admin
default
provisioner
root

vault policy read admin

vault token create -policy="admin"
Key                  Value
---                  -----
token                s.xgobcO45DENqxSnR65wvbpuH
token_accessor       MP7gGDSF9wZB91jfR7qh06Z7
token_duration       10h
token_renewable      true
token_policies       ["admin" "default"]
identity_policies    []
policies             ["admin" "default"]

#-------------------------------
# I need to keep going with this for its use with API calls
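Two things from the sections above are worth scripting: the 403 under "Command line access" (an unset VAULT_TOKEN), and a quick review of what the admin and provisioner policies actually grant, since the only difference between them is `sudo` on `secret/*` and the `sys/mounts*` and `sys/health` blocks. The script below is an added example, not from the original notes or from HashiCorp: `vault_preflight` refuses to proceed without VAULT_ADDR and VAULT_TOKEN and warns when the address is plaintext `http://`, and two awk helpers pull the capability list for a path and list every path granting a given capability out of a policy file. The parser assumes only the one-path-per-block HCL layout used on this page; it is not a general HCL parser. The embedded policy is a constructed copy of the provisioner policy above.

```bash
#!/usr/bin/env bash
# Added example: pre-flight for the CLI environment and a small ACL policy
# review. Assumes the simple `path "..." { capabilities = [...] }` layout
# shown in these notes, one block per path.
set -eu

# Return 0 when VAULT_ADDR and VAULT_TOKEN are both exported, 1 otherwise.
# An empty or unset VAULT_TOKEN is what produced the 403 "permission denied".
vault_preflight() {
  local ok=0
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo "VAULT_ADDR is not set" >&2; ok=1
  fi
  if [ -z "${VAULT_TOKEN:-}" ]; then
    echo "VAULT_TOKEN is not set: every write will fail with 403" >&2; ok=1
  fi
  case "${VAULT_ADDR:-}" in
    http://*) echo "warning: ${VAULT_ADDR} is plaintext (tls_disable); the token is sent unencrypted" >&2 ;;
  esac
  return $ok
}

# Constructed copy of the provisioner policy from the notes, used as input.
write_sample_policy() {
  cat > "$1" <<'EOF_POL'
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/policies/acl" {
  capabilities = ["list"]
}

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF_POL
}

# Print the capabilities granted on the exact path string given as $2,
# space separated (empty output when the path has no block).
policy_capabilities() {
  awk -v want="$2" '
    /^[[:space:]]*path[[:space:]]+"/ {
      p = $0
      sub(/^[[:space:]]*path[[:space:]]+"/, "", p); sub(/".*/, "", p)
      cur = p
    }
    /capabilities[[:space:]]*=/ && cur == want {
      caps = $0
      sub(/.*\[/, "", caps); sub(/\].*/, "", caps)
      gsub(/[",]/, "", caps); gsub(/[[:space:]]+/, " ", caps)
      sub(/^ /, "", caps); sub(/ $/, "", caps)
      print caps; exit
    }' "$1"
}

# List every path that grants capability $2 (e.g. "sudo"), one per line.
# Paths with sudo are the ones a reviewer reads first, since sudo unlocks
# root-protected endpoints under them.
policy_paths_with() {
  awk -v want="$2" '
    /^[[:space:]]*path[[:space:]]+"/ {
      p = $0
      sub(/^[[:space:]]*path[[:space:]]+"/, "", p); sub(/".*/, "", p)
      cur = p
    }
    /capabilities[[:space:]]*=/ && index($0, "\"" want "\"") { print cur }
  ' "$1"
}

# Usage against the files written in these notes:
#   vault_preflight && vault policy write admin /etc/vault.d/admin-policy.hcl
#   policy_paths_with /etc/vault.d/admin-policy.hcl sudo
#   policy_capabilities /etc/vault.d/provisioner-policy.hcl 'secret/*'
```

Run `policy_paths_with` over both policy files and the difference between admin and provisioner is visible at a glance: provisioner keeps `sudo` on `auth/*`, `sys/auth/*` and `sys/policies/acl/*` but not on `secret/*`, which is the intended distinction between the two roles.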