
Overview

Dev Setup

vault server -dev

and, because the dev server runs without TLS, you need to point VAULT_ADDR at the plain HTTP address:

set VAULT_ADDR=http://127.0.0.1:8200

Example Python Database Access

We enable the management of Postgres in Vault. Note that the Go Postgres driver “pq” (github.com/lib/pq) needs to be installed for Vault to validate the connection.

go get -v -u github.com/lib/pq

Now the setup. Step 1: enable the postgresql secrets engine

vault secrets enable postgresql

Step 2: configure the Postgres database connection

vault write postgresql/config/connection connection_url="postgresql://postgres:xxxx@localhost:5432/postgres?sslmode=disable"

Where the parts of the database URL are:

  • postgresql: the database type
  • username:password@host:port/databasename (here postgres:xxxx@localhost:5432/postgres)
  • parameters such as sslmode=disable, for servers where TLS is not configured

We can configure the lease for generated credentials, and then a role whose SQL template Vault runs to create each dynamic user (the {{name}}, {{password}} and {{expiration}} fields are filled in when the credential is read):

vault write postgresql/config/lease lease=10h lease_max=24h
vault write postgresql/roles/readonly sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"
Success! Data written to: postgresql/roles/readonly
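The Python side of this section's title, as an added example that is not from the wiki page or from Vault's own code: it reads postgresql/creds/readonly through Vault's HTTP API (what `vault read postgresql/creds/readonly` does) and turns the response into a libpq DSN. VAULT_ADDR, VAULT_TOKEN, the constructed SAMPLE_RESPONSE and the psycopg2 mention are assumptions.

```python
"""Added example (not from the wiki page): fetch a dynamic credential for the
readonly role configured above via Vault's HTTP API and build a libpq DSN."""
import json
import os
import urllib.request
from typing import Callable, Dict

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # dev server, no TLS
DB_HOST, DB_PORT, DB_NAME = "localhost", 5432, "postgres"  # as in connection_url above

def vault_get(path: str, token: str) -> Dict:
    """GET /v1/<path>, authenticating with the X-Vault-Token header."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def dynamic_creds(role: str, token: str, getter: Callable[[str, str], Dict] = vault_get) -> Dict:
    """Read postgresql/creds/<role>: Vault runs the role's CREATE ROLE template and
    returns the new login with its lease. `getter` is injectable for offline tests."""
    body = getter(f"postgresql/creds/{role}", token)
    return {
        "username": body["data"]["username"],
        "password": body["data"]["password"],
        "lease_id": body["lease_id"],
        "ttl_seconds": int(body["lease_duration"]),  # lease=10h -> 36000
        "renewable": bool(body.get("renewable", False)),
    }

def _quote(value: str) -> str:
    """libpq key/value DSN quoting: single-quote the value, escape backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def libpq_dsn(creds: Dict, sslmode: str = "disable") -> str:
    """Key/value DSN (for e.g. psycopg2.connect(dsn), an assumption); keeping the
    password out of a URL means it cannot leak through URL logging."""
    return " ".join([f"host={DB_HOST}", f"port={DB_PORT}", f"dbname={DB_NAME}",
                     f"user={_quote(creds['username'])}",
                     f"password={_quote(creds['password'])}", f"sslmode={sslmode}"])

# Constructed sample of a creds response (not captured from a real Vault).
SAMPLE_RESPONSE = {"lease_id": "postgresql/creds/readonly/EXAMPLE-LEASE-ID",
                   "lease_duration": 36000, "renewable": True,
                   "data": {"username": "v-readonly-EXAMPLE", "password": "pa ss'wd"}}

if __name__ == "__main__":  # offline demo; drop the getter= to talk to a real Vault
    creds = dynamic_creds("readonly", os.environ.get("VAULT_TOKEN", ""),
                          getter=lambda path, tok: SAMPLE_RESPONSE)
    print(libpq_dsn(creds), "| lease", creds["ttl_seconds"], "s")
```

Renew or re-read the credential before ttl_seconds elapses; once the lease expires Vault revokes the Postgres role it created.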

Connections to Secrets Engines

https://www.vaultproject.io/docs/secrets/index.html

  • Active Directory and Azure Cloud
  • AWS Secrets
  • Database Secrets
  • Identity Secrets Engine

Vault and Mule

  • Vault component

Vault UI

By default on http://localhost:8200/ui

Vault and Jenkins

Jenkins can use the Vault Plugin

  • Secrets are (generally) masked in the build log, so you can't accidentally print them.
  • You can inject Vault credentials into a build pipeline or freestyle job for fine-grained Vault interactions.

Typically you set up a role “Jenkins” in Vault as an Application Role (AppRole). This AppRole is

  • identified by a role_id and secured with a secret_id.

For Jenkins you set up an “AppRole” authentication backend. HashiCorp recommends using

  • AppRole for servers / automated workflows (like Jenkins)
  • tokens (the default mechanism, GitHub token, …) for every developer's machine.

Scope and Configuration

You can configure the vault plugin on three different levels:

  • Global: in your global config
  • Folder-Level: on the folder your job is running in
  • Job-Level: either on your freestyle project job or directly in the Jenkinsfile

The plugin lets you store the following credential types in Jenkins:

  • Vault Github Credential
  • Vault GCP (google cloud) Credential
  • Vault Kubernetes Credential
  • Vault (generic) Token Credential
  • Vault Token File Credential - where the token is read from a file that can be refreshed without modifying jenkins

Using Vault UI Freestyle Jobs

You can use Vault in the “freestyle” GUI jobs to obtain the token or key required, if allowed by your role.

Using Vault in Pipeline Jobs

node {
    // define the secrets and the env variables
    // engine version can be defined on secret, job, folder or global.
    // the default is engine version 2 unless otherwise specified globally.
    def secrets = [
        [path: 'secret/testing', engineVersion: 1, secretValues: [
            [envVar: 'testing', vaultKey: 'value_one'],
            [envVar: 'testing_again', vaultKey: 'value_two']]],
        [path: 'secret/another_test', engineVersion: 2, secretValues: [
            [vaultKey: 'another_test']]]
    ]
 
    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id',
                         engineVersion: 1]
    // inside this block your credentials will be available as env variables
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}

The Vault plugin includes a snippet generator that produces this withVault step and its configuration for obtaining tokens and secrets.

AWS and Jenkins

GCP and Jenkins

Azure and Jenkins

vault_notes.txt · Last modified: 2019/11/26 05:45 by root