Quico/vault-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

1-add-zabbix-example-with-template-strings #2

Merged
hygienic-books merged 17 commits from 1-add-zabbix-example-with-template-strings into master 2022-09-23 22:40:34 +00:00
Conversation 0 Commits 17 Files Changed 7 +3 -3
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit a206184b0c - Show all commits

6
README.md
View File

@ -96,7 +96,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
* Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. * Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). You'll want to create an Ansible entity create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl).
From here on out it's just more of what you already did, feel free to make this fit your own approach. From here on out it's just more of what you already did, feel free to make this fit your own approach.
@ -115,7 +115,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
* Add an alias of type `userpass` to the entity. * Add an alias of type `userpass` to the entity.
* Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account * Within the `userpass` auth method create a user (an account if you will) with the same name as the alias you just created so in this case `zabbix`, set a password for the account
Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute. Now tie it all together by creating a group named `rbacgroup_zabbix`. Add the `zabbix` entity to it and make it use the policy `role-zabbix`. At this point the policy does not yet exist which is fine, you can set a policy name and Vault will offer to `Add new policy`, see screenshot below. Don't worry, this will not actually add a new policy - empty, broken or otherwise. Vault will simply link your group to the policy `role-zabbix` which does not exist. You'll get to that in a minute.
Like so: Like so:
![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png) ![Vault 1.11.3 Create Group menu](https://i.imgur.com/3Ni53BE.png)
@ -140,7 +140,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
``` ```
With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`. With your ID in hand and [policies/role-zabbix/role-zabbix.hcl](policies/role-zabbix/role-zabbix.hcl) updated import it as a new policy. You're going to want to save it with the same policy name you assigned earlier to `rbacgroup_zabbix` which was `role-zabbix`. This role will grant read-only access to secrets underneath a folder `for_rbacgroup_zabbix` which in our example lives inside a `kv` version 2 secrets engine mounted at its default location `kv`.
So whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets. Now whenever your Zabbix instance needs access to something store secrets underneath `kv/for_rbacgroup_zabbix`. The policy will make sure only the group with correct ID will have access to secrets underneath that directory.
Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret: Log in to Vault with `userpass` and the `zabbix` account from above, get the account's token and lastly double-check that `zabbix` with its token can read a secret:
``` ```