Saltstack and Vault integration
2 min readOct 3, 2017
First install and configure vault using this tutorial:
https://apassionatechie.wordpress.com/2017/03/05/hashicorp-vault/
Use the latest version of vault.
Then install salt using the steps given here:
https://docs.saltstack.com/en/latest/topics/installation/
If you face any issues then refer these links:
https://apassionatechie.wordpress.com/2017/07/31/salt-issues/
https://apassionatechie.wordpress.com/2017/08/03/salt-stack-formulas/
Now let’s integrate vault and salt so that we can access vault secrets from inside salt state.
- First let’s add some key values into our vault.
vault write secret/ssh/user1 password=”abc123″
Then you can check it by reading: vault read secret/ssh/user1 - To allow salt to access your secrets you must firstly create a policy as follows:
salt-policy.hcl path "secret/*" {
capabilities = ["read", "list"]
}
path "auth/*" {
capabilities = ["read", "list","sudo","create","update","delete"]
}- You can also point to your secret like secret/ssh/*
We have added auth/* so that our token can create other tokens. - Then create a new policy with the following command:
vault policy-write salt-policy salt-policy.hcl - Then we will create a token from the new salt-policy
vault token-create -policy=salt-policy
Save the token created. - Then in the salt-master create a file:
/etc/salt/master.d/vault.conf with the follwoing contents: vault:
url: http://127.0.0.1:8200
auth:
method: token
token: xxxxxx48-xxxx-xxxx-xxxx-xxxx1xxxx
policies:
- salt-policy- Then create a file /etc/salt/master.d/peer_run.conf
peer_run:
.*:
- vault.generate_token- Then restart the salt-master with service salt-master restart
- Then execute the following command to access the secret stored in vault:
salt ‘*’ vault.read_secret “secret/ssh/user1” - To access the secret from inside jinja:
my-secret: {{ salt[‘vault’].read_secret(‘secret/ssh/user1’, ‘password’) }}
OR
{% set supersecret = salt[‘vault’].read_secret(‘secret/ssh/user1’) %}
secrets:
my_secret: {{ supersecret.password }} - If you want to access the secret as pillar then add the following in salt master configuration:
ext_pillar:
— vault: sdb_vault path=secret/ssh/user1
Restart the salt-master and salt-minion
Then access the data with the following command:
salt ‘*’ pillar.get ‘password’
Then refresh the pillar data with: salt ‘*’ saltutil.refresh_pillar - If your vault policy is not configured correctly you might get an error as:
ERROR: {‘error’: ‘Forbidden’}
2017–09–21 06:51:39,320 [salt.loaded.int.utils.vault][ERROR ][26333] Failed to get token from master! An error was returned: Forbidden
2017–09–21 06:51:39,350 [salt.pillar ][ERROR ][26333] Execption caught loading ext_pillar ‘vault’:
File “/usr/lib/python2.7/site-packages/salt/pillar/__init__.py”, line 822, in ext_pillar
key)
File “/usr/lib/python2.7/site-packages/salt/pillar/__init__.py”, line 765, in _external_pillar_data
val)
File “/usr/lib/python2.7/site-packages/salt/pillar/vault.py”, line 91, in ext_pillar
response = __utils__[‘vault.make_request’](‘GET’, url)
File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 124, in make_request
connection = _get_vault_connection()
File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 113, in _get_vault_connection
return _get_token_and_url_from_master()
File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 89, in _get_token_and_url_from_master
raise salt.exceptions.CommandExecutionError(result)2017–09–21 06:51:39,351 [salt.pillar ][CRITICAL][26333] Pillar render error: Failed to load ext_pillar vault: {‘error’: ‘Forbidden’} - Make sure you have added auth/* in the policy.
- If you get the following error:
Failed to get token from master! No result returned — is the peer publish configuration correct?
OR
ERROR: {}
Then make sure you have peer_run.conf created and configured. - You can also access your secret with command:
salt-call sdb.get ‘sdb://vault/secret/ssh/user1?password’