1-add-zabbix-example-with-template-strings #2

Merged
hygienic-books merged 17 commits from 1-add-zabbix-example-with-template-strings into master 2022-09-23 22:40:34 +00:00
Showing only changes of commit f3e9da5666

@ -21,7 +21,7 @@ Refer to [config/vault.hcl](config/vault.hcl) for content.
Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes: Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes:
* Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault * Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault
* Create group `administrators` * Create group `administrators`
* Assign policies `administrator` and `auditor` to that group * Assign policies `role-administrator` and `role-auditor` to that group
* Create one entity to represent yourself as an administrator * Create one entity to represent yourself as an administrator
* Create one alias assigned to that entity for you to use as a username * Create one alias assigned to that entity for you to use as a username
* Enable auth method `userpass` * Enable auth method `userpass`
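Review bot: the group in this hunk now references policies `role-administrator` and `role-auditor`, but the preceding bullet ("Add policies from policies/role-administrator") still does not say what names to register them under, and the name a group references is whatever was passed as the first argument to `vault policy write`, not the file name. Suggest the bullet spell out the command, e.g. `vault policy write role-administrator <path-to-hcl>`, so the names in the two bullets cannot drift apart again the way `administrator`/`auditor` did.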
@ -60,7 +60,7 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
---- ---- ----------- ---- ---- -----------
file/ file n/a file/ file n/a
``` ```
* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/change-own-password.hcl](policies/role-human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first: * We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first:
* Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so: * Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so:
``` ```
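Review bot: renaming the file to role-change-own-password.hcl is consistent with the policy name used later, but the instruction still tells readers to overwrite the tracked policy file with their own `userpass` accessor. Worth stating that the accessor is specific to the mount and changes if the `userpass` method is ever disabled and re-enabled, so the substituted policy has to be regenerated and reloaded in that case; writing the substituted output to a separate file rather than editing the checked-in one keeps the repository copy reusable.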
@ -73,13 +73,13 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
token/ token auth_token_d3aad127 token based credentials token/ token auth_token_d3aad127 token based credentials
userpass/ userpass auth_userpass_6671d643 n/a userpass/ userpass auth_userpass_6671d643 n/a
``` ```
Over in [policies/role-human/change-own-password.hcl](policies/role-human/change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info. Over in [policies/role-human/role-change-own-password.hcl](policies/role-human/role-change-own-password.hcl) replace `ACCESSOR` with what you're seeing here in the Accessor column. Feel free to read up on [templated policies](https://www.vaultproject.io/docs/concepts/policies#templated-policies) for more info.
* Load the policy * Load the policy
* Create a group for humans and assign the policy `change-own-password` to it. * Create a group for humans and assign the policy `role-change-own-password` to it.
``` ```
# Create group # Create group
vault write identity/group name="humans" policies="change-own-password" vault write identity/group name="humans" policies="role-change-own-password"
# Expected output: # Expected output:
Success! Data written to: identity/group/name/humans Success! Data written to: identity/group/name/humans
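Review bot: the "Load the policy" bullet still has no command, while the group write below it hard-codes `policies="role-change-own-password"`. Since `vault write identity/group name="humans" ...` accepts any policy name without checking that it exists, a mismatch between the name used at load time and the name here would not produce an error, just a group with no effective permissions. Suggest adding `vault policy write role-change-own-password policies/role-human/role-change-own-password.hcl` to the bullet and a `vault policy list` check after it.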
@ -87,20 +87,20 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so: Adding member entities to your group may be best done via Vault's UI. If we're just talking about a few member entities then the CLI does it like so:
``` ```
# Create group # Create group
vault write identity/group name="humans" policies="change-own-password" member_entity_ids="<uuid>,<uuid>,<uuid>" vault write identity/group name="humans" policies="role-change-own-password" member_entity_ids="<uuid>,<uuid>,<uuid>"
# Expected output: # Expected output:
Success! Data written to: identity/group/name/humans Success! Data written to: identity/group/name/humans
``` ```
Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`. Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`.
* Optionally [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. * Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl). You'll want to create an Ansible entity with an alias and create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl).
From here on out it's just more of what you already did, feel free to make this fit your own approach. From here on out it's just more of what you already did, feel free to make this fit your own approach.
* Optionally from [policies/role-kv-writer/kv-writer.hcl](policies/role-kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. * Optionally from [policies/role-kv-writer/role-kv-writer.hcl](policies/role-kv-writer/role-kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
Permission to also read/view secrets is commented out in the policy file in case you do need this feature. Permission to also read/view secrets is commented out in the policy file in case you do need this feature.
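Review bot: the `member_entity_ids="<uuid>,<uuid>,<uuid>"` example in this hunk re-issues the same `vault write identity/group name="humans"` as the earlier hunk; this write replaces the group's member and policy lists rather than appending to them, so adding a person later requires re-supplying every existing UUID together with `policies="role-change-own-password"`. Suggest saying so next to the example and pointing readers at `vault read identity/group/name/humans` to fetch the current list first. Minor: the role-cfgmgmt policy path is now cited twice in consecutive lines; one reference is enough.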