Vault
Vault is a service to securely store secrets such as passwords or certificates.
Installation
- Download and unzip the vault binary from their website:
$ wget https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip $ unzip vault_1.1.0_linux_amd64.zip
- make vault executable and copy it to
/usr/local/bin
$ chmod +x vault $ sudo cp vault /usr/local/bin/
- For security reasons vault data should not be swapped to disk. In order to prevent this vault needs to be able to execute the mlock systemcall. Enable it like this:
$ sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
- Create a new user for vault:
$ sudo useradd --system --home /etc/vault.d --shell /bin/false vault
- Create a systemd service file (
/etc/systemd/system/vault.service
) for vault with the following content:[Unit] Description="HashiCorp Vault - A tool for managing secrets" Documentation=https://www.vaultproject.io/docs/ Requires=network-online.target After=network-online.target ConditionFileNotEmpty=/etc/vault.d/vault.hcl [Service] User=vault Group=vault ProtectSystem=full ProtectHome=read-only PrivateTmp=yes PrivateDevices=yes SecureBits=keep-caps AmbientCapabilities=CAP_IPC_LOCK Capabilities=CAP_IPC_LOCK+ep CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK NoNewPrivileges=yes ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl ExecReload=/bin/kill --signal HUP $MAINPID KillMode=process KillSignal=SIGINT Restart=on-failure RestartSec=5 TimeoutStopSec=30 StartLimitIntervalSec=60 StartLimitBurst=3 LimitNOFILE=65536 [Install] WantedBy=multi-user.target
- create the directories
/etc/vault.d
and/opt/vault
and hand ownership over to vault.$ sudo mkdir /etc/vault.d $ sudo mkdir /opt/vault $ sudo chown vault:vault /etc/vault.d $ sudo chown vault:vault /etc/vault
- create the file
/etc/vault.d/vault.hcl
with the following content:listener "tcp" { address = "<server ip>:8200" tls_cert_file = "path/to/fullchain.pem" tls_key_file = "path/to/privkey.key" } storage "file" { path = "/opt/vault" } ui = true
- Make sure to hand ownership over to vault
$ sudo chown vault:vault /etc/vault.d/vault.hcl
- Vault can now be started up.
$ sudo systemctl enable vault $ sudo systemctl start vault
- Vaults web-ui should now be accessible at https://<server ip>:8200
Unsealing Vault
When you first visit the Web UI you will be prompted to generate unseal keys. You can Specify how many keys should be generated and how many are necesarry to unseal vault. A root token will also be generated.
After generating the keys provide as many as necessary to unseal vault and log in using the root token to start configuring vault.
Configuring Vault
LDAP Login
- Enable ldap authentication under
access→Auth Methods→enable new method
- Confugre LDAP login
URL: ldaps://ldap.in.tum.de:636 LDAP Options - Discover DN: yes User Attribute: uid Customize User Search: User DN: ou=Personen,ou=IN,o=TUM,c=DE Customize Group Membership Search: Group Filter: (&(objectClass=posixGroup)(memberUid={{.Username}})) Group Attribute: cn Group DN: ou=Gruppen,ou=IN,o=TUM,c=DE
- another way is to use the commandline by clicking on the symbol in the top right and execute the following code (you may need to type it all in one line):
write auth/ldap/config \ groupdn=ou=Gruppen,ou=IN,o=TUM,c=DE \ url=ldaps://ldap.in.tum.de:636 \ discoverdn=true \ userdn=ou=Personen,ou=IN,o=TUM,c=DE \ userattr=uid \ groupattr=cn \ groupfilter=(&(objectClass=posixGroup)(memberUid={{.Username}}))
- Create a new external group under
Access → Groups → create group
(Name: admin, Type: external) - In the newly created group click on the Aliases tab →
Add Alias
and use the ldap group name (il11admin) as name andldap/(ldap)
as auth backend - You can now create a new Policy under
Policies → create ACL policy
(Name: admin) and associate it with your groupadmin - policy
# Allow tokens to look up their own properties path "auth/token/lookup-self" { capabilities = ["read"] } # Allow tokens to renew themselves path "auth/token/renew-self" { capabilities = ["update"] } # Allow tokens to revoke themselves path "auth/token/revoke-self" { capabilities = ["update"] } # Allow a token to look up its own capabilities on a path path "sys/capabilities-self" { capabilities = ["update"] } # Allow a token to look up its own entity by id or name path "identity/entity/id/{{identity.entity.id}}" { capabilities = ["read"] } path "identity/entity/name/{{identity.entity.name}}" { capabilities = ["read"] } # Allow a token to look up its resultant ACL from all policies. This is useful # for UIs. It is an internal path because the format may change at any time # based on how the internal ACL features and capabilities change. path "sys/internal/ui/resultant-acl" { capabilities = ["read"] } # Allow a token to renew a lease via lease_id in the request body; old path for # old clients, new path for newer path "sys/renew" { capabilities = ["update"] } path "sys/leases/renew" { capabilities = ["update"] } # Allow looking up lease properties. This requires knowing the lease ID ahead # of time and does not divulge any sensitive information. path "sys/leases/lookup" { capabilities = ["update"] } # Allow a token to manage its own cubbyhole path "cubbyhole/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "kv/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "transit/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "files/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "sys/seal" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } # Allow a token to wrap arbitrary values in a response-wrapping token path "sys/wrapping/wrap" { capabilities = ["update"] } # Allow a token to look up the creation time and TTL of a given # response-wrapping token path "sys/wrapping/lookup" { capabilities = ["update"] } # Allow a token to unwrap a response-wrapping token. This is a convenience to # avoid client token swapping since this is also part of the response wrapping # policy. path "sys/wrapping/unwrap" { capabilities = ["update"] } # Allow general purpose tools path "sys/tools/hash" { capabilities = ["update"] } path "sys/tools/hash/*" { capabilities = ["update"] } path "sys/tools/random" { capabilities = ["update"] } path "sys/tools/random/*" { capabilities = ["update"] } # Allow checking the status of a Control Group request if the user has the # accessor path "sys/control-group/request" { capabilities = ["update"] }
- Associate the policy with the group by clicking on the group
Access → Groups → <group> → Edit group
. Select Policies and choose the new policy.
Secret Engine
- Create a new secret engine to store passwords and secrets
Secrets → Enable new engine → Generic: KV
(Path: kv, Version: 2) - Secrets stored in the KV (key-value store) under the path kv/services/ can be accessed by the awx approle
AWX Access - Approle Auth
- Enable a new auth method to enable Approle authentication
Access → Auth Methods → Enable new method → Approle
(Path: approle) - Create a new policy to read and write values in the kv/services path ''Policies → Create ACL policy
approle - policy
# Allow tokens to look up their own properties path "auth/token/lookup-self" { capabilities = ["read"] } # Allow tokens to renew themselves path "auth/token/renew-self" { capabilities = ["update"] } # Allow tokens to revoke themselves path "auth/token/revoke-self" { capabilities = ["update"] } # Allow a token to look up its own capabilities on a path path "sys/capabilities-self" { capabilities = ["update"] } # Allow a token to look up its own entity by id or name path "identity/entity/id/{{identity.entity.id}}" { capabilities = ["read"] } path "identity/entity/name/{{identity.entity.name}}" { capabilities = ["read"] } # Allow a token to look up its resultant ACL from all policies. This is useful # for UIs. It is an internal path because the format may change at any time # based on how the internal ACL features and capabilities change. path "sys/internal/ui/resultant-acl" { capabilities = ["read"] } # Allow a token to renew a lease via lease_id in the request body; old path for # old clients, new path for newer path "sys/renew" { capabilities = ["update"] } path "sys/leases/renew" { capabilities = ["update"] } # Allow looking up lease properties. This requires knowing the lease ID ahead # of time and does not divulge any sensitive information. path "sys/leases/lookup" { capabilities = ["update"] } # Allow a token to manage its own cubbyhole path "cubbyhole/*" { capabilities = ["create", "read", "update", "delete", "list"] } # Allow ansible token to access service secrets path "kv/data/services/*" { capabilities = ["create", "read", "update", "delete", "list"] } # Allow ansible token to access files path "files/*" { capabilities = ["create", "read", "update", "delete", "list"] } # Allow a token to wrap arbitrary values in a response-wrapping token path "sys/wrapping/wrap" { capabilities = ["update"] } # Allow a token to look up the creation time and TTL of a given # response-wrapping token path "sys/wrapping/lookup" { capabilities = ["update"] } # Allow a token to unwrap a response-wrapping token. This is a convenience to # avoid client token swapping since this is also part of the response wrapping # policy. path "sys/wrapping/unwrap" { capabilities = ["update"] } # Allow general purpose tools path "sys/tools/hash" { capabilities = ["update"] } path "sys/tools/hash/*" { capabilities = ["update"] } path "sys/tools/random" { capabilities = ["update"] } path "sys/tools/random/*" { capabilities = ["update"] } # Allow checking the status of a Control Group request if the user has the # accessor path "sys/control-group/request" { capabilities = ["update"] }
- Create a new role with the attached policy, Click on the CLI icon at the top and execute this command
vault write auth/approle/role/awx token_policies="approle"
- Get the RoleID and SecretID, be very carefull with these values!! with these two values all secrets and files from kv/services can be read and changed! You can add token_ttl=1h token_max_ttl=4h to make the credentials only valid for a certain time
# retrieve roleID vault read auth/approle/role/awx/role-id # create a new secretID vault write -force auth/approle/role/awx/secret-id
- Store both IDs encrypted in AWX
Vault CLI
- Login on the vault VM or install vault tool on your local laptop/computer
- unset local proxy and export address to the vault server
unset http_proxy HTTP_PROXY https_proxy HTTPS_PROXY export VAULT_ADDR=https://vault.cm.in.tum.de:8200
- login and set token via vault command vault login
- execute other vault commands vault help
vault audit enable file file_path=/var/log/vault.log vault kv list kv/services/...
Revoking Tokens
Set the VAULT_TOKEN environment variable to the token you wish to revoke and execute
vault token revoke -self