Quico/vault-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

1-add-zabbix-example-with-template-strings #2

Merged
hygienic-books merged 17 commits from 1-add-zabbix-example-with-template-strings into master 2022-09-23 22:40:34 +00:00
Conversation 0 Commits 17 Files Changed 7 +13 -13
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 9c64476e0a - Show all commits

26
README.md
View File

@ -19,9 +19,9 @@ Refer to [config/vault.hcl](config/vault.hcl) for content.
## Configure ## Configure
Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes: Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes:
* Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault * Add policies from [policies/administrator](policies/administrator) subdirectory into Vault
* Create group `administrators` * Create group `administrators`
* Assign policies `role-administrator` and `role-auditor` to that group * Assign policies `administrator` and `auditor` to that group
* Create one entity to represent yourself as an administrator * Create one entity to represent yourself as an administrator
* Create one alias assigned to that entity for you to use as a username * Create one alias assigned to that entity for you to use as a username
* Enable auth method `userpass` * Enable auth method `userpass`
@ -60,7 +60,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
---- ---- ----------- ---- ---- -----------
file/ file n/a file/ file n/a
``` ```
* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: * We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first:
* Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so: * Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so:
``` ```
@ -73,13 +73,13 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
token/ token auth_token_d3aad127 token based credentials token/ token auth_token_d3aad127 token based credentials
userpass/ userpass auth_userpass_6671d643 n/a userpass/ userpass auth_userpass_6671d643 n/a
``` ```
Over in [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. Over in [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info.
* Load the policy * Load the policy
* Create a group for humans and assign the policy `role-change-own-password` to it. * Create a group for humans and assign the policy `change-own-password` to it.
``` ```
# Create group # Create group
vault write identity/group name="humans" policies="role-change-own-password" vault write identity/group name="humans" policies="change-own-password"
# Expected output: # Expected output:
Success! Data written to: identity/group/name/humans Success! Data written to: identity/group/name/humans
@ -87,22 +87,22 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so: Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so:
``` ```
# Create group # Create group
vault write identity/group name="humans" policies="role-change-own-password" member_entity_ids="<uuid>,<uuid>,<uuid>" vault write identity/group name="humans" policies="change-own-password" member_entity_ids="<uuid>,<uuid>,<uuid>"
# Expected output: # Expected output:
Success! Data written to: identity/group/name/humans Success! Data written to: identity/group/name/humans
``` ```
Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`. Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`.
* Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. * Optionally [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods. You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods.
In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl).
From here on out it's just more of what you already did, feel free to make this fit your own approach. From here on out it's just more of what you already did, feel free to make this fit your own approach.
* Optionally from [policies/role-kv-writer/role-kv-writer.hcl](policies/role-kv-writer/role-kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. * Optionally from [policies/kv-writer/kv-writer.hcl](policies/kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
Permission to also read/view secrets is commented out in the policy file in case you do need this feature. Permission to also read/view secrets is commented out in the policy file in case you do need this feature.
@ -117,12 +117,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
* Add an alias of type `userpass` to the entity. * Add an alias of type `userpass` to the entity.
* Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account * Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account
Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute. Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `zabbix` which does not exist. You'll get to that in a minute.
Like so: Like so:
![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png) ![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png)
Next up check out [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl). Do some light replacement before importing it into Vault. The policy file contains a few occurrences of the string `GROUPID`, replace them with the group ID of `rbacgroup_zabbix`. Next up check out [policies/zabbix/zabbix.hcl](policies/zabbix/zabbix.hcl). Do some light replacement before importing it into Vault. The policy file contains a few occurrences of the string `GROUPID`, replace them with the group ID of `rbacgroup_zabbix`.
* Via Vault's UI you can get the group ID at `Access > Groups > rbacgroup_zabbix`. * Via Vault's UI you can get the group ID at `Access > Groups > rbacgroup_zabbix`.
* Via the `vault` command-line client you can do it like so where the `id` value is what you're after: * Via the `vault` command-line client you can do it like so where the `id` value is what you're after:
``` ```
@ -140,7 +140,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
id 88560da7-e180-3d2e-9053-dc0ee4ba7fbe id 88560da7-e180-3d2e-9053-dc0ee4ba7fbe
... ...
``` ```
With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`. With your ID in hand and [policies/zabbix/zabbix.hcl](policies/zabbix/zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`.
Now whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets underneath that directory. Now whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets underneath that directory.