vault (archived)
Discussions related to Hashicorp Vault
erik, 12 months ago
archived the channel
Jeremy (UnderGrid Network Services), almost 2 years ago
Looking to see if anyone has Hashicorp Vault deployed in EKS/Kubernetes and using Kubernetes Auth Engine across EKS clusters?
Sean, over 2 years ago
Do you prefer deploying with the official Helm Chart or with "Bank-Vaults Operator"?
Mohsin Ijaz, about 3 years ago
Hi,
I need help: my Spring Boot application pod is not fetching the secrets from the Vault server. The annotations do create the properties file with credentials inside the pod at /vault/secrets, but it is still not discoverable. Can anyone tell what I am doing wrong?
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-status: "update"
    vault.hashicorp.com/agent-inject-secret-application-kube.properties: "kv/identity/creds/app"
    vault.hashicorp.com/role: "auth-service"
    vault.hashicorp.com/agent-inject-template-application-kube.properties: |
      {{- with secret "kv/identity/creds/app" -}}
      DB_URL={{ .Data.data.db_url }}
      DB_USERNAME={{ .Data.data.db_username }}
      DB_PASSWORD={{ .Data.data.db_password }}
      KEYCLOAK_USER={{ .Data.data.keycloak_user }}
      KEYCLOAK_PASS={{ .Data.data.keycloak_pass }}
      {{- end -}}
    vault.hashicorp.com/secret-volume-path-application.properties: "config/"
    vault.hashicorp.com/namespace: "demo"
Herman Smith, over 3 years ago
https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/google
Why is "An OAuth 2.0 application with an external user type." required when setting up Google as an OIDC Provider for Vault? (As opposed to internal user types, which makes more sense to me security-wise?)
Andy, over 3 years ago
Hi all does anyone use the database password rotation feature in their applications that retrieve secrets from vault? I can't find examples of how applications should handle a password being refreshed. Should it be done by exception handling?
1. App retrieves v1 creds for database from vault
2. App connects to database with v1 creds
3. After X minutes/hours vault rotates the credentials and creates v2 creds
4. App attempts to execute a query with v1 credentials, but exception occurs, App retrieves latest v2 creds.
michael sew, over 3 years ago
Question: Does anybody know where hashicorp vault sits on the gartner quadrant for secrets management or privileged access management? I'm trying to justify / compare it with other solutions like Delinea/Thycotic.
I know it has the mindshare, but I'm hoping for some industry research that backs it up.
Zachary Loeber, almost 4 years ago
You did not pass in the address as is right?
Jonás Márquez, almost 4 years ago
Namespaces are only used for Vault Enterprise and this is not the case, has anyone been able to implement it?
Jonás Márquez, almost 4 years ago
but when I do the Pull Request it gives me the following error:
running "/usr/local/bin/terraform plan -input=false -refresh -out \"/home/atlantis/.atlantis/repos/TEST_PROYECT/test-atlantis-repo/44/default/default.tfplan\"" in "/home/atlantis/.atlantis/repos/TEST_PROJECT/test-atlantis-repo/44/default": exit status 1
╷
│ Error: Error making API request.
│
│ URL: GET https://<IP-ADDRESS>:8200/v1/auth/token/lookup-self
│ Code: 400. Errors:
│
│ * error performing token check: failed to look up namespace from the token: no namespace
│
│ with provider["registry.terraform.io/hashicorp/vault"],
│ on main.tf line 8, in provider "vault":
│ 8: provider "vault" {
Jonás Márquez, almost 4 years ago
provider "vault" {
  skip_tls_verify = true
  address         = "https://<IP-ADDRESS>:8200/"
  token           = "~/.vault-token"
}
Jonás Márquez, almost 4 years ago
Hello everyone! Is someone using Vault from Atlantis? I have Atlantis in a Docker container on an EC2 instance in AWS. In the EC2 instance I have configured the Vault agent and mounted the vault-token in the Atlantis container, and I am trying to access Vault from Terraform with the Vault provider as follows:
John-Paul Pagano, almost 4 years ago
Vault: v1.9.3 (OSS)
O.S.: Centos7
HA = Enabled
storage_type = Consul v1.11.2
Hi,
I'm deploying Vault with Okta as the auth method. I intend to use ACL templating in policies to give each user control over a personal and persistent (i.e., non-cubbyhole) area of the KV version 2 secrets engine. To wit:
path "kv/data/user/{{identity.entity.aliases.auth_okta_XYZ123.name}}/*" {
  capabilities = [ "create", "update", "read", "delete", "list" ]
}
*etc. related policies*
The problem is that the part of the path that is specific to the user:
{{identity.entity.aliases.auth_okta_XYZ123.name}}/*
is not created before the user logs in and is not automatically created after authentication. So, unless I'm totally (and entirely possibly!) misunderstanding how this is supposed to work, I'm left with an awkward workflow that boils down to presetting the paths for hundreds of users (without foreknowledge of whether they even intend to login), or asking them to create directories matching their login ids when they login for the first time.
Additional confusion is wrought by the fact that it doesn't seem possible to create an empty k/v entry that acts as a "folder". Is that true?
What is the right way to accomplish what I'm trying to do?
Thanks!
Michał Czeraszkiewicz, about 4 years ago
Hello,
I use the following workflow:
• created a temporary pod with vault binary inside. Used for it serviceAccount: vault-injector-agent-injector, which is also used by the vault-injector-agent-injector pod
• then I exec into the temporary pod and execute
$ vault write "auth/k8s-main/config" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    kubernetes_host="https://${KUBERNETES_HOST}" \
    issuer="${ISSUER}"
Success! Data written to: auth/k8s-main/config
As long as this pod is running everything is fine and Vault Injector works as expected.
When I kill the temporary pod then my pods (which use Vault Injector) get stuck in Init:0/1 state and the logs hang with:
$ kubectl -n some-ns logs -f --tail 10 some-pod-69785cc69b-4j9mt -c vault-agent-init
2021-11-25T17:34:42.918Z [INFO] auth.handler: authenticating
2021-11-25T17:34:42.972Z [ERROR] auth.handler: error authenticating:
  error=
  | Error making API request.
  |
  | URL: PUT https://vault.example.com/v1/auth/k8s-main/login
  | Code: 403. Errors:
  |
  | * permission denied
  backoff=4m48.8s
I would appreciate any feedback, tips how to make this more permanent
Unknown User, over 4 years ago (edited)
I use dynamic secret engines in vault
David, over 4 years ago
Has anyone played around with having Github codespaces authenticate to Vault? They seem to come with Github PATs, but the PATs cannot read organization information, meaning I don't think they can login to vault by default
michael sew, over 4 years ago
Q about vault-token lookups:
does anybody know what permission is required to actually lookup your own token data? Right now, I tried logging in with a test app-role account, but it can't even look up or renew its own token.
# LOGIN using the approle app-spa-npd-jenkins-readonly:
vault write auth/approle/login role_id=*** secret_id=***
URL: GET https://vault.lllint.com/v1/auth/token/lookup-self
Code: 403. Errors:
* permission denied
michael sew, over 4 years ago (edited)
Jenkins Q: I can login from my desktop to an approle using role-id & secret-id, but when I plug those same things into a jenkins credential and try it inside a pipeline, I'm getting an Access denied:
def secrets = [
  [path: 'app-myapp-kv/dev/db/app_account', secretValues: [
    [envVar: 'db_app_password', vaultKey: 'password']
  ]]
]
def configuration = [vaultUrl: 'https://vault.intranet.com',
                     vaultCredentialId: 'app-myapp-npd-jenkins-readonly',
                     engineVersion: 2]
pipeline {
  stages {
    stage('Hello') {
      steps {
        withVault([configuration: configuration, vaultSecrets: secrets]) {
          // anything
        }
... the withVault block fails with an access denied:
[Pipeline] withVault
Retrieving secret: app-myapp-kv/dev/db/app_account
Access denied to Vault Secrets at 'app-myapp-kv/dev/db/app_account'
anybody seen this before? Google comes up blank.
michael sew, over 4 years ago
Q on Approles: When I create an approle, it gets a role-id and a secret-id.
I understand that role-id is supposed to be static and can be generated once.
Is the secret-id supposed to be generated multiple times, i.e. every time the service (i.e. jenkins or terraform) needs it?
Or is a human admin supposed to generate the secret every once in a while?
michael sew, over 4 years ago
Question: How would you manage vault configuration in a CI/CD pipeline? Every example/tutorial I see shows how to write a single simple policy with a single command, i.e.
vault policy write my-policy ./my-policy.hcl
..but my company's vault github repo has dozens of .hcl files in multiple subdirectories:
/vault
  /identities
    /roles
      app1.yml
      app2.yml
    /teams
      app1.yml
      app2.yml
  /policies
    /program
      /app1
        app1.hcl
      /app2
        app2.hcl
There's this whole structure, but I have no idea how a github action, or jenkins pipeline handles it. Does it recursively go through every file in the directory? Can you ask vault to search an entire directory for .hcl policies?
Are there any examples or github repos out there that show such a setup?
Sander Mol, over 4 years ago
Greetings
I am hoping someone can help me pinpoint the exact use-case for Hashicorp Vault. Some time ago I did some investigation on password managers as we were sharing website (service) logins with each other, for example admin accounts. This might not be ideal, but I thought a shared vault would already be better than sharing it through something like Slack. It also would be less repetitive as anyone (with the right privileges) could look at what is available in their shared vault...
On I go and found Hashicorp Vault. After some investigation I found out that Vault is not for company password management, but more to fetch credentials/secrets from service to service.
I was wondering why this was the case. I understand there are no toolsets like a browser extension that works with Vault, or that it is a little bit more cumbersome for non-techs to interact with this. But is the main principle still not the same as a K/V store? It would be convenient to use Vault for both the service-to-service and any human interaction to share passwords/secrets.
Michał Czeraszkiewicz, over 4 years ago
Hi, is there a way to validate key/values on the KV Secrets Engine? Via Vault itself or some plugin mechanism?
Since I'm populating secrets to environment variables, I would like to disallow multi-line values and also have keys in specific format.
Andy, almost 5 years ago
Hi, does anyone know if it's possible to find out which policies Vault thinks you're entitled to via the Web UI?
Juan, almost 5 years ago
the consul UI
Juan, almost 5 years ago
Hi all, I'm setting up a vault cluster in AWS using this TF module https://github.com/hashicorp/terraform-aws-vault
I used one VPC to create an AMI with all the required binaries like described here: https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami
Now I've deployed a 3 node cluster in a VPC that only has 3 private subnets, similar to https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-private
It is using consul plus S3 as the storage backend, and the VPC has all the required VPC endpoints to privately connect to AWS services.
When initializing the cluster like described here https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#initializing-the-vault-cluster
On the first node I can run vault operator init and get the root token and unseal keys correctly.
I can unseal the cluster from that very same node https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#unsealing-the-vault-cluster
But on the other 2 nodes I cannot even run vault status: Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused
On the other 2 nodes I can copy the /opt/vault/config/default.hcl file from the init node, and after restarting the service vault status shows:
HA Enabled              true
HA Cluster              https://*.*.*.27:8201
HA Mode                 standby
Active Node Address     https://*.*.*.27:8200
.27 is the node where I ran init. And the Consul UI shows that all vault nodes have IP .27
If anyone has run into similar issues and/or has any clue to point out I'd really appreciate it, thanks!
Michał Czeraszkiewicz, almost 5 years ago
Anyone used Vault Injector on k8s? I'm going with this solution https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example
The challenge I face is: some secrets contain keys with . and - and bash doesn't like export some.secret-key=secret . My preferred way would be to do this in the templating layer vault.hashicorp.com/agent-inject-template-config. Does anyone know if some string converting functions like uppercase and replace are available there?
cabrinha, about 5 years ago
Anyone using vault on EKS?
I can't seem to get auto-unseal to work with IAM Roles for Service Accounts
David, about 5 years ago
Has anyone using Vault in a non us-east-1 region figured out how to use the new vault-lambda-extension yet from Hashicorp?
Here's the specific issue I'm running in to: https://github.com/hashicorp/vault-lambda-extension/issues/18
Ruan Arcega, over 5 years ago
hi there, I came here to announce my first opensource project. This project comes to solve migration scenarios… I didn't find anything on the internet like this so I decided to write it (I'm not a developer, I'm working as a systems engineer but trying to do things with code)
this is a cli tool to synchronize secrets between vault clusters, I used this tool for a cloud migration, I've some features to improve, but currently it's useful.
suggestions, pull requests are welcome, thanks
https://github.com/rca0/vault-sync
Zachary Loeber, over 5 years ago
Firstly, they released some cool tf modules for deploying Vault (along with Consul and others) into AWS using their best practices (https://www.hashicorp.com/blog/announcing-new-hashicorp-terraform-modules-for-consul-nomad-and-vault). That's pretty cool
Zachary Loeber, over 5 years ago
Gang, anyone here providing vault as a platform in a larger organization?
Erik Osterman (Cloud Posse), over 5 years ago
it gets pretty annoying when you have one sidecar for your mesh, one for your secrets management, one for your forensics (twistlock), one for your logging, etc...
Erik Osterman (Cloud Posse), over 5 years ago
Haven't tried it yet, and while it's an arguably more secure implementation using the sidecars, the kubernetes-external-secrets manager appeals more to me since it's just populating kubernetes secrets originating from vault.
Ed, over 5 years ago
I'd be interested to hear if anybody has experience running vault-k8s in production?
Ed, over 5 years ago
The one thing that seems somewhat strange is the sidecar that injects secrets gets grouped in with the total number of running pods, which could be confusing - how many actual pods do I have running and how many are sidecars?
Ed, over 5 years ago
Good demo:
Ed, over 5 years ago
Has anyone tried using vault-k8s? It seems like an interesting Kubernetes-native way to inject secrets into pods, and access via the file system
David, over 5 years ago (edited)
I'm looking to start using the database secrets engine to create creds for my postgres RDS db.
How does Vault handle queries that are already running with old credentials when the rotation happens?
julien M., over 5 years ago
Hello
I just set up an infra Vault on AWS with an ALB (internal) front end.
I noticed that when I used the route "/sys/health/?standbyok=true" the ALB traffic is redirected to the vault "master" node as well as to the vault "standby" nodes.
But my Vault cluster doesn't answer anymore if my https request is forwarded to one of the standby nodes. But isn't it supposed to have a forwarding from the standby nodes to the master node?
In the meantime I modified the ALB healthcheck to use the "/sys/health" route so that only the master node returns a 200 and my cluster responds perfectly.
Do I have a problem in my configuration? Or is this a normal behavior?
David, almost 6 years ago
It seems by default that KV secrets have the last 10 versions kept. Is there a way to raise this limit on all secrets at once?
Erik Osterman (Cloud Posse), almost 6 years ago
Adding @U010XGY9B46 bot
Ben, almost 6 years ago
Hey folks! I'm looking for some advice about how people are tackling the 'chicken and egg' problem with secret management. I had the idea to use terraform to provision Vault. But with this comes the question: from where do I get the secrets needed within the terraform scripts (of course, I'd love to use Vault for that!)? One solution I have heard is to place the tf scripts in a 'super secret' Git repository along with these secrets and restrict access to only a select few. While I guess this works, something about it feels dodgy. But I guess these init secrets have to be stored somewhere. How are others tackling this?
Yonatan Koren, almost 6 years ago (edited)
I'd personally recommend using Vault Agent if you don't need data from Consul. It has something called AutoAuth, which allows for automatic authentication via one of the Authentication methods, meaning you just keep the daemon running and forget about it. Then, it has a local HTTP listener, meaning you can just query it locally without worrying about tokens. There's even a section on how to combine consul-template with Vault Agent by connecting consul-template to Vault Agent's HTTP listener. But I'm not sure if you need that.
Yonatan Koren, almost 6 years ago
@julien M. yes so that's the older functionality, but regardless you need to specify both -consul-addr and -vault-addr, and you only did the latter
julien M., almost 6 years ago
but on the consul-template github repository there is some information about vault utilization: https://github.com/hashicorp/consul-template
Yonatan Koren, almost 6 years ago
These two tools have a terrible naming history.
Yonatan Koren, almost 6 years ago
There's also a chance you don't need Consul-Template, and instead want Vault Agent with the Consul-Template interpolation syntax.