Create an admin policy file, `admin-policy.hcl`:

# admin-policy.hcl — broad administrative policy for Vault.
#
# Grants management rights over leases, ACL policies, auth methods, secrets
# engines and the key/value engine mounted at secret/. Several paths below
# also carry the "sudo" capability, so a token holding this policy is a
# high-privilege credential; hand it out sparingly.

# Allow managing leases
path "sys/leases/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies (list only; the wildcard path below grants the rest)
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage auth methods broadly across Vault (covers every mounted auth method,
# e.g. the github and aws mounts configured later in this guide)
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods (no "read" here; listing is granted
# on sys/auth below)
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at the secret/ path

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

Load the policy:

$ vault policy write admin admin-policy.hcl

Enable the GitHub auth method:

$ vault auth enable github

Allow only your organization:

$ vault write auth/github/config organization=myorg

Map the admin policy to a team named devops in your GitHub org:

$ vault write auth/github/map/teams/devops value=admin

Change the default lease time:

$ vault auth tune -default-lease-ttl=72h github/

Log in using your GitHub token and keep the resulting Vault token in an environment variable:

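#!/bin/sh
# Log in to Vault with the GitHub auth method and export the returned client
# token as ADMIN_TOKEN for the rest of the session.
#
# The GitHub token is deliberately NOT passed as `token=...` on the command
# line (the original used a placeholder `ghp_ABC` there): argv is visible in
# shell history and to `ps`. The github CLI handler reads
# VAULT_AUTH_GITHUB_TOKEN instead, and prompts interactively when it is unset.
#
# Requires: vault, jq. Exits non-zero if login fails or no token is returned.
set -eu

# Assign first and export separately, so a failing `vault login` is not
# masked by the (always successful) `export`. Without pipefail in plain sh
# the pipeline's status is jq's, hence the explicit empty check below.
ADMIN_TOKEN=$(vault login -method=github -format=json \
  | jq -r '.auth.client_token // empty')

if [ -z "${ADMIN_TOKEN}" ]; then
  printf 'vault login: no client token returned\n' >&2
  exit 1
fi

export ADMIN_TOKEN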

Look up the token you are now logged in with:

$ vault token lookup

Adding the AWS auth method

Enable it at the path my-project:

$ vault auth enable -path=my-project aws

Configure the AWS access key and secret key the auth method will use (SECRET_KEY and ACCESS_KEY are placeholders; because they are credentials, supply the real values from a secure source rather than typing them inline):

$ vault write auth/my-project/config/client secret_key=SECRET_KEY access_key=ACCESS_KEY

Create a read-only policy, then a role that only allows EC2 instances from a single VPC:

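# Read-only policy for the project's secrets. The heredoc delimiter is quoted
# so the policy body is taken literally and nothing inside it is expanded.
vault policy write "my-project-ro" - <<'EOF'
path "secret/my-project/*" {
  capabilities = ["read"]
}
EOF

# Create the role only if the policy was actually written; Vault does not
# validate policy names at role creation, so a failed write above would
# otherwise leave a role that silently grants nothing useful.
if [ "$?" -eq 0 ]; then
  # auth_type=ec2: authenticate with the EC2 instance identity document.
  # bound_vpc_id restricts logins to instances in that VPC (vpc-XXX is a
  # placeholder). max_ttl caps the issued token at 5 minutes.
  # NOTE(review): newer Vault releases name these token_policies /
  # token_max_ttl; the older names are still accepted as aliases — confirm
  # against your Vault version.
  vault write \
    auth/my-project/role/my-project \
    auth_type=ec2 \
    policies=my-project-ro \
    max_ttl=5m \
    bound_vpc_id=vpc-XXX
fi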

Enable a version 1 key/value secrets engine at the path the policy above refers to:

$ vault secrets enable -path=secret/my-project -version=1 kv