Quico/vault-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

3-add-example-for-periodic-orphan-token #4

Merged
hygienic-books merged 7 commits from 3-add-example-for-periodic-orphan-token into master 2023-04-25 00:23:44 +00:00
Conversation 0 Commits 7 Files Changed 2 +117 -106
1 changed files with 117 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit ae241cb900 - Show all commits

23
README.md
View File

@ -32,7 +32,7 @@ Log out. Never again use the `root` token unless there's a good reason.
Get the Vault command-line client via [vaultproject.io/downloads](https://www.vaultproject.io/downloads). It'll install the Vault service itself along with the command-line client. Just ignore the service or keep it disabled via `systemctl disable --now vault.service`. You only need the `vault` binary. Get the Vault command-line client via [vaultproject.io/downloads](https://www.vaultproject.io/downloads). It'll install the Vault service itself along with the command-line client. Just ignore the service or keep it disabled via `systemctl disable --now vault.service`. You only need the `vault` binary.
* Authenticate against Vault: ### Authenticate against Vault:
``` ```
export VAULT_ADDR='https://fully.qualified.domain.name/' export VAULT_ADDR='https://fully.qualified.domain.name/'
vault login vault login
@ -42,7 +42,9 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
``` ```
Enter your personal alias' token, do not ever again use the `root` token. Enter your personal alias' token, do not ever again use the `root` token.
* Enable audit file device (in non-Vault-speak "the audit log file"): ### Auditing
Enable audit file device (in non-Vault-speak "the audit log file"):
``` ```
# Enable # Enable
vault audit enable file file_path=/vault/logs/audit.log vault audit enable file file_path=/vault/logs/audit.log
@ -60,7 +62,10 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
---- ---- ----------- ---- ---- -----------
file/ file n/a file/ file n/a
``` ```
* We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first:
### Humans may change their own password
We're going to allow all human users to change their own `userpass` password. The policy to do so is at [policies/human/change-own-password.hcl](policies/human/change-own-password.hcl). For a hands-on example of an actual password change via HTTP API see [Hands-on](#hands-on) but first:
* Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so: * Before you can load the policy into Vault you need to replace the string `ACCESSOR` in it with _your_ particular `userpass` accessor. Get it like so:
``` ```
@ -94,7 +99,9 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
``` ```
Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`. Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`.
* Optionally [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. ### Ready-only secrets access
Optionally [policies/cfgmgmt/cfgmgmt.hcl](policies/cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods. You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods.
@ -102,13 +109,17 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
From here on out it's just more of what you already did, feel free to make this fit your own approach. From here on out it's just more of what you already did, feel free to make this fit your own approach.
* Optionally from [policies/kv-writer/kv-writer.hcl](policies/kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. ### Write-only access
Optionally from [policies/kv-writer/kv-writer.hcl](policies/kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
Permission to also read/view secrets is commented out in the policy file in case you do need this feature. Permission to also read/view secrets is commented out in the policy file in case you do need this feature.
Assign the policy to a group as needed. Assign the policy to a group as needed.
* As a similar narrowly scoped use case consider a Zabbix monitoring instance that may need access to credentials, session IDs, tokens or other forms of authentication to monitor machines and services. ### Zabbix credentials storage
As a similar narrowly scoped use case consider a Zabbix monitoring instance that may need access to credentials, session IDs, tokens or other forms of authentication to monitor machines and services.
Here's one suggestion to set up the basics for Zabbix. Here's one suggestion to set up the basics for Zabbix.