From c559e62d3fc7164e120c0ad820aabaeee8c9fc35 Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Fri, 23 Sep 2022 22:34:51 +0200
Subject: [PATCH 01/17] feat(zabbix): Add policy for a Zabbix server to use dedicated credentials (#1)
---
 policies/role-zabbix/role-zabbix.hcl | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 policies/role-zabbix/role-zabbix.hcl
diff --git a/policies/role-zabbix/role-zabbix.hcl b/policies/role-zabbix/role-zabbix.hcl
new file mode 100644
index 0000000..9695ad6
--- /dev/null
+++ b/policies/role-zabbix/role-zabbix.hcl
@@ -0,0 +1,12 @@
+# Allow listing secret parent-child connections (as in UI hierarchy). Subdir
+# underneath 'kv' secrets engine will remain hidden though, user has to
+# manually open up
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
+path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["list"]
+}
+
+# Grant read-only access to secrets
+path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["read"]
+}
-- 2.47.2
From 7f394be1d97e4b5bdcd74eaea07c6094192dfc35 Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Fri, 23 Sep 2022 22:37:47 +0200
Subject: [PATCH 02/17] docs(zabbix): Add docs for a Zabbix server example config in Vault (#1)
---
 README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/README.md b/README.md
index e2f419a..04ca39a 100644
--- a/README.md
+++ b/README.md
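Review bot: The policy file never states that `GROUPID` is a placeholder, nor that the two `path` rules render from the group's *name* (`identity.groups.ids.GROUPID.name`), so renaming the group silently moves the folder a token may read while existing secrets stay under the old `for_<oldname>/` prefix. I would add a header comment above the first `path` block: `# GROUPID: replace with the ID of the group this policy is attached to. Both paths render from that group's *name*, so renaming the group changes which folder becomes listable/readable.` It is also worth a one-line note on the `list` grant that listing `kv/metadata/for_.../*` exposes secret names under the folder (not values), which is the minimum the UI needs for browsing. The two grants themselves are appropriately narrow for a read-only consumer and nothing else in the hunk looks like a defect.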
@@ -106,6 +106,62 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va Assign the policy to a group as needed. +* As a similar narrowly scoped use case consider a Zabbix monitoring instance that may need access to credentials, session IDs, tokens or other forms of authentication to monitor machines and services. + + Here's one suggestion to set up the basics for Zabbix. + + In Vault with a user that has sufficient permissions: + * Create an entity `zabbix` without a policy. + * Add an alias of type `userpass` to the entity. + * Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account + + Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute. + + Like so: + ![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png) + + Next up check out [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl). Do some light replacement before importing it into Vault. The policy file contains a few occurrences of the string `GROUPID`, replace them with the group ID of `rbacgroup_zabbix`. + * Via Vault's UI you can get the group ID at `Access > Groups > rbacgroup_zabbix`. 
+ * Via the `vault` command-line client you can do it like so where the `id` value is what you're after: + ``` + # Get 'rbacgroup_zabbix' group metadata + vault kv get /identity/group/name/rbacgroup_zabbix + + # Expected output similar to: + == Metadata == + + ========== Data ========== + Key Value + --- ----- + alias map[] + creation_time 2022-09-22T21:47:57.720309362Z + id 88560da7-e180-3d2e-9053-dc0ee4ba7fbe + ... + ``` + With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`. + + So whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets. + + Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret: + ``` + curl --silent --location --header 'X-Vault-Token: ' \ + "${VAULT_ADDR}"'v1/kv/data/for_rbacgroup_zabbix/some/secret' \ + | jq '.data.data' + ``` + + Configure Zabbix with its own Vault token and enjoy no longer having to store any secrets in Zabbix itself. 
+ + Side note, if your token regularly expires you may want to store the token itself in Vault and let Zabbix monitor token expiry via the Zabbix equivalent of: + ``` + # Look up a token's own attributes + curl --silent --location --header 'X-Vault-Token: ' \ + "${VAULT_ADDR}"'v1/auth/token/lookup-self' \ + | jq '.data.ttl' + + # .data.ttl will show remaining validity in secs: + 2754536 + ``` + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. -- 2.47.2 From 5e1146546d42ffe8812c7d7624d4632f42d06384 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 22:47:47 +0200 Subject: [PATCH 03/17] docs(zabbix): Explain how end users can browse subdirectory in Vault's web UI (#1) --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 04ca39a..3cd8b04 100644 --- a/README.md +++ b/README.md 
@@ -162,6 +162,13 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va 2754536 ``` + Users wishing to browse the `rbacgroup_zabbix` directory structure via Vault's UI will need to manually begin their browsing at `kv/list/for_rbacgroup_zabbix`. Users with higher privileges such as administrators will be able to list all directories underneath the root `kv` object in Vault's web UI. This will include not only `zabbix`-specific data but also directories intended for other users which is why `kv/list` access is not granted to `rbacgroup_zabbix`. + + Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_zabbix`. It may make sense to communicate an entrypoint link to end users that - in this case - will look like: + ``` + "${VAULT_ADDR}"'/ui/vault/secrets/kv/list/for_rbacgroup_zabbix/' + ``` + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. -- 2.47.2 From cefdd12177bd0bba735dec5471b3c6ff80223152 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 22:51:00 +0200 Subject: [PATCH 04/17] docs(ansible): Rewrite Ansible section to mention creation of not only entity and alias(es) but also a userpass user (#1) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3cd8b04..1c90946 100644 --- a/README.md +++ b/README.md 
@@ -96,7 +96,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va * Optionally [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. - You'll want to create an Ansible entity with an alias, create both a `token` and a `userpass` alias and use the latter one to authenticate against Vault to retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl). + You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl). From here on out it's just more of what you already did, feel free to make this fit your own approach. -- 2.47.2 From ea042ded1b2c1ce2cd74477f0e6051973f3de3aa Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 22:53:07 +0200 Subject: [PATCH 05/17] docs(kv-writer): Rename kv-writer role file to confirm to ther role files (#1) --- policies/role-kv-writer/{kv-writer.hcl => role-kv-writer.hcl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename policies/role-kv-writer/{kv-writer.hcl => role-kv-writer.hcl} (100%) diff --git a/policies/role-kv-writer/kv-writer.hcl b/policies/role-kv-writer/role-kv-writer.hcl similarity index 100% rename from policies/role-kv-writer/kv-writer.hcl rename to policies/role-kv-writer/role-kv-writer.hcl -- 2.47.2 From eb7e875e8dee6814025ddc0d89c83f24ae5ce341 Mon Sep 17 00:00:00 2001 
From: hygienic-books Date: Fri, 23 Sep 2022 22:54:21 +0200 Subject: [PATCH 06/17] docs(administrator): Rename administrator role file to confirm to other role files (#1) --- .../{administrator.hcl => role-administrator.hcl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename policies/role-administrator/{administrator.hcl => role-administrator.hcl} (100%) diff --git a/policies/role-administrator/administrator.hcl b/policies/role-administrator/role-administrator.hcl similarity index 100% rename from policies/role-administrator/administrator.hcl rename to policies/role-administrator/role-administrator.hcl -- 2.47.2 From 212e8ae145290b6ec44e7761cf58a5a4d47a334f Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 22:54:40 +0200 Subject: [PATCH 07/17] docs(administrator): Rename auditor role file to confirm to other role files (#1) --- policies/role-administrator/{auditor.hcl => role-auditor.hcl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename policies/role-administrator/{auditor.hcl => role-auditor.hcl} (100%) diff --git a/policies/role-administrator/auditor.hcl b/policies/role-administrator/role-auditor.hcl similarity index 100% rename from policies/role-administrator/auditor.hcl rename to policies/role-administrator/role-auditor.hcl -- 2.47.2 From ba9023bb4cafa32a46648915c6e3bb7ff2a068cb Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 22:55:14 +0200 Subject: [PATCH 08/17] docs(cfgmgmt): Rename cfgmgmt role file to confirm to other role files (#1) --- policies/role-cfgmgmt/{cfgmgmt.hcl => role-cfgmgmt.hcl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename policies/role-cfgmgmt/{cfgmgmt.hcl => role-cfgmgmt.hcl} (100%) diff --git a/policies/role-cfgmgmt/cfgmgmt.hcl b/policies/role-cfgmgmt/role-cfgmgmt.hcl similarity index 100% rename from policies/role-cfgmgmt/cfgmgmt.hcl rename to policies/role-cfgmgmt/role-cfgmgmt.hcl -- 2.47.2 From faaa185dbc2998345d8e451f025e3a312d6f2152 Mon Sep 17 00:00:00 2001 
From: hygienic-books Date: Fri, 23 Sep 2022 22:55:35 +0200 Subject: [PATCH 09/17] docs(pwchange): Rename pwchange role file to confirm to other role files (#1) --- .../{change-own-password.hcl => role-change-own-password.hcl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename policies/role-human/{change-own-password.hcl => role-change-own-password.hcl} (100%) diff --git a/policies/role-human/change-own-password.hcl b/policies/role-human/role-change-own-password.hcl similarity index 100% rename from policies/role-human/change-own-password.hcl rename to policies/role-human/role-change-own-password.hcl -- 2.47.2 From f3e9da566638f3f984cb287ae389894fa1ff7cf4 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Fri, 23 Sep 2022 23:01:34 +0200 Subject: [PATCH 10/17] docs(policy): Update example policy file names to unified naming scheme (#1) --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 1c90946..e93b851 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Refer to [config/vault.hcl](config/vault.hcl) for content. Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes: * Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault * Create group `administrators` -* Assign policies `administrator` and `auditor` to that group +* Assign policies `role-administrator` and `role-auditor` to that group * Create one entity to represent yourself as an administrator * Create one alias assigned to that entity for you to use as a username * Enable auth method `userpass` 
@@ -60,7 +60,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va ---- ---- ----------- file/ file n/a ``` -* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/change-own-password.hcl](policies/role-human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: +* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: * Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so: ``` 
@@ -73,13 +73,13 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va token/ token auth_token_d3aad127 token based credentials userpass/ userpass auth_userpass_6671d643 n/a ``` - Over in [policies/role-human/change-own-password.hcl](policies/role-human/change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. + Over in [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. * Load the policy - * Create a group for humans and assign the policy `change-own-password` to it. + * Create a group for humans and assign the policy `role-change-own-password` to it. ``` # Create group - vault write identity/group name="humans" policies="change-own-password" + vault write identity/group name="humans" policies="role-change-own-password" # Expected output: Success! Data written to: identity/group/name/humans 
@@ -87,20 +87,20 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so: ``` # Create group - vault write identity/group name="humans" policies="change-own-password" member_entity_ids=",," + vault write identity/group name="humans" policies="role-change-own-password" member_entity_ids=",," # Expected output: Success! Data written to: identity/group/name/humans ``` Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/`. -* Optionally [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. +* Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. - You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl). + You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. 
You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). From here on out it's just more of what you already did, feel free to make this fit your own approach. -* Optionally from [policies/role-kv-writer/kv-writer.hcl](policies/role-kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. +* Optionally from [policies/role-kv-writer/role-kv-writer.hcl](policies/role-kv-writer/role-kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. Permission to also read/view secrets is commented out in the policy file in case you do need this feature. -- 2.47.2 From a206184b0ca410ef4ebe7fc867d1c1ca54364c05 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 24 Sep 2022 00:01:21 +0200 Subject: [PATCH 11/17] docs(ansible): Tighten sentence structure (#1) --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e93b851..5df826c 100644 --- a/README.md +++ b/README.md 
@@ -96,7 +96,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va * Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. - You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). + You'll want to create an Ansible entity create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). From here on out it's just more of what you already did, feel free to make this fit your own approach. 
@@ -115,7 +115,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va * Add an alias of type `userpass` to the entity. * Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account - Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute. + Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute. Like so: ![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png) 
@@ -140,7 +140,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va ``` With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`. - So whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets. + Now whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets underneath that directory. Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret: ``` -- 2.47.2 From 6d1b3b28c3ede3c7559d5da5cd266b8233b228c5 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 24 Sep 2022 00:11:15 +0200 Subject: [PATCH 12/17] docs(ansible): Entity only needs a userpass alias, no token alias (#1) --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5df826c..73e4217 100644 --- a/README.md +++ b/README.md 
@@ -96,7 +96,9 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va * Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. - You'll want to create an Ansible entity create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). + You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods. + + In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). From here on out it's just more of what you already did, feel free to make this fit your own approach. -- 2.47.2 From 4efca88074d233c574f8595f01afb080c6207ca2 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 24 Sep 2022 00:26:15 +0200 Subject: [PATCH 13/17] docs(meta): Use descriptive Vault example address (#1) --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 73e4217..027e171 100644 --- a/README.md +++ b/README.md 
@@ -147,7 +147,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret: ``` curl --silent --location --header 'X-Vault-Token: ' \ - "${VAULT_ADDR}"'v1/kv/data/for_rbacgroup_zabbix/some/secret' \ + 'https://fully.qualified.domain.name/v1/kv/data/for_rbacgroup_zabbix/some/secret' \ | jq '.data.data' ``` @@ -157,7 +157,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va ``` # Look up a token's own attributes curl --silent --location --header 'X-Vault-Token: ' \ - "${VAULT_ADDR}"'v1/auth/token/lookup-self' \ + 'https://fully.qualified.domain.name/v1/auth/token/lookup-self' \ | jq '.data.ttl' # .data.ttl will show remaining validity in secs: @@ -168,7 +168,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_zabbix`. It may make sense to communicate an entrypoint link to end users that - in this case - will look like: ``` - "${VAULT_ADDR}"'/ui/vault/secrets/kv/list/for_rbacgroup_zabbix/' + https://fully.qualified.domain.name/ui/vault/secrets/kv/list/for_rbacgroup_zabbix/ ``` ## Clean-up -- 2.47.2 From 0e285695e79272676966c90ac698d0bfea8ec145 Mon Sep 17 00:00:00 2001 
From: hygienic-books Date: Sat, 24 Sep 2022 00:32:15 +0200 Subject: [PATCH 14/17] docs(meta): Don't use term 'role' for a policy (#1) --- .../role-administrator.hcl => administrator/administrator.hcl} | 0 .../role-auditor.hcl => administrator/auditor.hcl} | 0 policies/{role-cfgmgmt/role-cfgmgmt.hcl => cfgmgmt/cfgmgmt.hcl} | 0 .../change-own-password.hcl} | 0 .../role-kv-writer.hcl => kv-writer/kv-writer.hcl} | 0 policies/{role-zabbix/role-zabbix.hcl => zabbix/zabbix.hcl} | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename policies/{role-administrator/role-administrator.hcl => administrator/administrator.hcl} (100%) rename policies/{role-administrator/role-auditor.hcl => administrator/auditor.hcl} (100%) rename policies/{role-cfgmgmt/role-cfgmgmt.hcl => cfgmgmt/cfgmgmt.hcl} (100%) rename policies/{role-human/role-change-own-password.hcl => human/change-own-password.hcl} (100%) rename policies/{role-kv-writer/role-kv-writer.hcl => kv-writer/kv-writer.hcl} (100%) rename policies/{role-zabbix/role-zabbix.hcl => zabbix/zabbix.hcl} (100%) diff --git a/policies/role-administrator/role-administrator.hcl b/policies/administrator/administrator.hcl similarity index 100% rename from policies/role-administrator/role-administrator.hcl rename to policies/administrator/administrator.hcl diff --git a/policies/role-administrator/role-auditor.hcl b/policies/administrator/auditor.hcl similarity index 100% rename from policies/role-administrator/role-auditor.hcl rename to policies/administrator/auditor.hcl diff --git a/policies/role-cfgmgmt/role-cfgmgmt.hcl b/policies/cfgmgmt/cfgmgmt.hcl similarity index 100% rename from policies/role-cfgmgmt/role-cfgmgmt.hcl rename to policies/cfgmgmt/cfgmgmt.hcl diff --git a/policies/role-human/role-change-own-password.hcl b/policies/human/change-own-password.hcl similarity index 100% rename from policies/role-human/role-change-own-password.hcl rename to policies/human/change-own-password.hcl 
diff --git a/policies/role-kv-writer/role-kv-writer.hcl b/policies/kv-writer/kv-writer.hcl similarity index 100% rename from policies/role-kv-writer/role-kv-writer.hcl rename to policies/kv-writer/kv-writer.hcl diff --git a/policies/role-zabbix/role-zabbix.hcl b/policies/zabbix/zabbix.hcl similarity index 100% rename from policies/role-zabbix/role-zabbix.hcl rename to policies/zabbix/zabbix.hcl -- 2.47.2 From 9c64476e0a16f02dba3be3d91f4fc1c7aac3d19c Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 24 Sep 2022 00:32:27 +0200 Subject: [PATCH 15/17] docs(meta): Don't use term 'role' for a policy (#1) --- README.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 027e171..dd8bfd6 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,9 @@ Refer to [config/vault.hcl](config/vault.hcl) for content. ## Configure Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes: -* Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault +* Add policies from [policies/administrator](policies/administrator) subdirectory into Vault * Create group `administrators` -* Assign policies `role-administrator` and `role-auditor` to that group +* Assign policies `administrator` and `auditor` to that group * Create one entity to represent yourself as an administrator * Create one alias assigned to that entity for you to use as a username * Enable auth method `userpass` 
@@ -60,7 +60,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va ---- ---- ----------- file/ file n/a ``` -* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: +* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: * Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so: ``` 
@@ -73,13 +73,13 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va token/ token auth_token_d3aad127 token based credentials userpass/ userpass auth_userpass_6671d643 n/a ``` - Over in [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. + Over in [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. * Load the policy - * Create a group for humans and assign the policy `role-change-own-password` to it. + * Create a group for humans and assign the policy `change-own-password` to it. ``` # Create group - vault write identity/group name="humans" policies="role-change-own-password" + vault write identity/group name="humans" policies="change-own-password" # Expected output: Success! Data written to: identity/group/name/humans 
@@ -87,22 +87,22 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so:
 ```
 # Create group
- vault write identity/group name="humans" policies="role-change-own-password" member_entity_ids=",,"
+ vault write identity/group name="humans" policies="change-own-password" member_entity_ids=",,"
 # Expected output: Success! Data written to: identity/group/name/humans
 ```
 Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/`.
-* Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
+* Optionally [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
 You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods.
- In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl).
+ In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token.
You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl).
 From here on out it's just more of what you already did, feel free to make this fit your own approach.
-* Optionally from [policies/role-kv-writer/role-kv-writer.hcl](policies/role-kv-writer/role-kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
+* Optionally from [policies/kv-writer/kv-writer.hcl](policies/kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
 Permission to also read/view secrets is commented out in the policy file in case you do need this feature.
@@ -117,12 +117,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 * Add an alias of type `userpass` to the entity.
 * Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account
- Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute.
+ Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `zabbix` which does not exist. You'll get to that in a minute.
 Like so:
 ![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png)
- Next up check out [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl). Do some light replacement before importing it into Vault. The policy file contains a few occurrences of the string `GROUPID`, replace them with the group ID of `rbacgroup_zabbix`.
+ Next up check out [policies/zabbix/zabbix.hcl](policies/zabbix/zabbix.hcl). Do some light replacement before importing it into Vault. The policy file contains a few occurrences of the string `GROUPID`, replace them with the group ID of `rbacgroup_zabbix`.
 * Via Vault's UI you can get the group ID at `Access > Groups > rbacgroup_zabbix`.
 * Via the `vault` command-line client you can do it like so where the `id` value is what you're after:
 ```
@@ -140,7 +140,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 id 88560da7-e180-3d2e-9053-dc0ee4ba7fbe ...
 ```
- With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`.
+ With your ID in hand and [policies/zabbix/zabbix.hcl](policies/zabbix/zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`.
 Now whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets underneath that directory.
-- 2.47.2
From dfc39e0768f3c9901050ac0e455ab9d0e739deb9 Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Sat, 24 Sep 2022 00:36:36 +0200
Subject: [PATCH 16/17] docs(meta): Style (#1)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index dd8bfd6..9c9fbc6 100644
--- a/README.md
+++ b/README.md
@@ -168,7 +168,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_zabbix`. It may make sense to communicate an entrypoint link to end users that - in this case - will look like:
 ```
- https://fully.qualified.domain.name/ui/vault/secrets/kv/list/for_rbacgroup_zabbix/
+ https://fully.qualified.domain.name/ui/vault/secrets/kv/list/for_rbacgroup_zabbix
 ```
 ## Clean-up
-- 2.47.2
From a24eef2caa304933ae8bc8de8b374d9937df5daa Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Sat, 24 Sep 2022 00:39:04 +0200
Subject: [PATCH 17/17] docs(meta): Style (#1)
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 9c9fbc6..8238db6 100644
--- a/README.md
+++ b/README.md
@@ -147,7 +147,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret:
 ```
 curl --silent --location --header 'X-Vault-Token: ' \
- 'https://fully.qualified.domain.name/v1/kv/data/for_rbacgroup_zabbix/some/secret' \
+ 'https://f.q.d.n/v1/kv/data/for_rbacgroup_zabbix/some/secret' \
 | jq '.data.data'
 ```
@@ -157,7 +157,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 ```
 # Look up a token's own attributes
 curl --silent --location --header 'X-Vault-Token: ' \
- 'https://fully.qualified.domain.name/v1/auth/token/lookup-self' \
+ 'https://f.q.d.n/v1/auth/token/lookup-self' \
 | jq '.data.ttl' # .data.ttl will show remaining validity in secs:
@@ -168,7 +168,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
 Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_zabbix`. It may make sense to communicate an entrypoint link to end users that - in this case - will look like:
 ```
- https://fully.qualified.domain.name/ui/vault/secrets/kv/list/for_rbacgroup_zabbix
+ https://f.q.d.n/ui/vault/secrets/kv/list/for_rbacgroup_zabbix
 ```
 ## Clean-up
-- 2.47.2