HashiCorp Vault Operations Professional exam practice guide — Part 3

Auth methods, policies and tokens

Glen Yu
4 min read · Feb 11, 2024

Auth methods

Auth methods are just ways to authenticate to Vault, whether that is through username/password, LDAP or a cloud provider (it is good to understand the authentication workflow for cloud provider service accounts, so I suggest learning it if you are unfamiliar). Once you have authenticated successfully, you will be granted a Vault token whose authorization is defined by its token policies, which determine which of Vault’s secrets you have access to.

AppRole auth method

The AppRole auth method is a versatile, platform-neutral auth method and I highly recommend being familiar with it as part of your exam prep. I have written about using the AppRole auth method with a fairly detailed write-up and example, so I will not go into detail in this post. The key takeaway is to apply additional constraints to the role to impose additional restrictions on where the token can be used from and/or how many times the token can be used, etc. It is actually very similar to a traditional username/password auth method, except AppRole is designed for machine/app service accounts.

Userpass auth method example

  • Enable and configure userpass:

    vault auth enable userpass

    vault write auth/userpass/users/glenyu \
      password=s3cr3t \
      token_bound_cidrs="127.0.0.1/32,10.128.0.44/32"

The CIDRs I have included are the localhost address and the private IP of the Vault server, which restricts login to these IPs only (i.e. locally from the server). If you try to authenticate from another server, you will be met with “permission denied”:

VAULT_ADDR='http://10.128.0.44:8200' vault login -method=userpass username=glenyu password=s3cr3t
Error authenticating: Error making API request.

URL: PUT http://10.128.0.44:8200/v1/auth/userpass/login/glenyu
Code: 403. Errors:

* permission denied

Token policies

Everything in Vault is a path and I find that paths for secrets engines are fairly straightforward. I think it is more important to understand the system backend paths (sys/) and also to see what is included in the default policy and when not to include it as part of your token policy.

Token policies (IMHO) are easy to learn but hard to master. Even I must admit that I get tripped up sometimes when creating/debugging policies. Vault policies are very literal, so the presence of a trailing forward slash (for example) makes a world of difference. I highly recommend watching “Testing Vault ACL policies with Python: Automating verification and intent” from fellow HashiCorp Ambassador Ned Bellavance, and be sure to play along with the quiz he has at the beginning of his talk. I was there in person and even though I was right, I did not have the confidence to shout the answers out at the time.

Don’t worry — token policies are a central part of Vault and there will be examples sprinkled throughout all the parts of this guide.
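To make the two points above concrete (the token_bound_cidrs check that produced the 403 in the userpass example, and how literal path matching is in token policies), here is a small Python model of how Vault decides a request. This is an added example written for this guide, not Vault's own code and not Ned Bellavance's test harness: it implements a simplified version of Vault's ACL rules (exact match beats wildcards, the longest matching glob wins, `+` matches exactly one path segment, `deny` overrides) against a constructed policy, so the exact precedence details of real Vault can differ in corner cases.

```python
import ipaddress
import re

# Constructed sample policy for this example (not a policy from the post).
# It deliberately mixes an exact path, two prefix globs and a '+' segment
# so the trailing-slash and precedence rules can be observed.
POLICY_HCL = """
path "secret/data/app/config" {
  capabilities = ["read"]
}
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
path "secret/data/app/prod/*" {
  capabilities = ["deny"]
}
path "secret/metadata/+/config" {
  capabilities = ["read"]
}
"""

# Minimal parser for the 'path "..." { capabilities = [...] }' stanza shape;
# it does not handle the full HCL grammar (comments, other keys, etc.).
STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path_pattern: set(capabilities)} for each stanza in the policy."""
    rules = {}
    for pattern, caps in STANZA_RE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style matching: exact unless the pattern ends in '*' (prefix glob);
    '+' stands for exactly one path segment. Note a pattern ending in '/*'
    never matches the path without the trailing slash."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    sseg = path.split("/")
    if glob:
        if len(sseg) < len(pseg):
            return False
        if any(p != "+" and p != s for p, s in zip(pseg[:-1], sseg)):
            return False
        last = pseg[-1]
        return last == "+" or sseg[len(pseg) - 1].startswith(last)
    if len(pseg) != len(sseg):
        return False
    return all(p == "+" or p == s for p, s in zip(pseg, sseg))


def is_allowed(rules: dict[str, set[str]], path: str, capability: str) -> tuple[bool, str]:
    """Pick the most specific matching rule and evaluate the capability against it.
    Vault denies by default when no rule matches."""
    matches = [(p, caps) for p, caps in rules.items() if path_matches(p, path)]
    if not matches:
        return False, "no matching path rule (deny by default)"
    # Exact (wildcard-free) rules win over globs; among globs the longest wins.
    matches.sort(key=lambda m: ("*" in m[0] or "+" in m[0], -len(m[0])))
    pattern, caps = matches[0]
    if "deny" in caps:
        return False, f"'{pattern}' explicitly denies"
    if capability in caps:
        return True, f"'{pattern}' grants {capability}"
    return False, f"'{pattern}' matched but does not grant {capability}"


def login_allowed(bound_cidrs: list[str], client_ip: str) -> bool:
    """token_bound_cidrs semantics: no CIDRs means unrestricted; otherwise the
    client address must fall inside at least one listed network."""
    if not bound_cidrs:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in bound_cidrs)


def authorize(bound_cidrs, client_ip, rules, path, capability) -> tuple[bool, str]:
    """Full decision: the CIDR binding is checked before any policy is consulted,
    which is why the userpass login above fails with 403 before reaching a path."""
    if not login_allowed(bound_cidrs, client_ip):
        return False, "permission denied: client address outside token_bound_cidrs"
    return is_allowed(rules, path, capability)


if __name__ == "__main__":
    rules = parse_policy(POLICY_HCL)
    cidrs = ["127.0.0.1/32", "10.128.0.44/32"]  # same CIDRs as the userpass example
    for ip, path, cap in [
        ("10.128.0.44", "secret/data/app/config", "read"),
        ("10.128.0.44", "secret/data/app", "list"),     # no trailing slash
        ("10.128.0.44", "secret/data/app/", "list"),    # trailing slash
        ("10.128.0.44", "secret/data/app/prod/db", "read"),
        ("192.168.1.10", "secret/data/app/config", "read"),
    ]:
        print(ip, path, cap, "->", authorize(cidrs, ip, rules, path, cap))
```

The two lines worth staring at are the `secret/data/app` and `secret/data/app/` requests: the glob `secret/data/app/*` matches the second but not the first, so a single trailing slash flips the decision, which is exactly the kind of thing that trips people up when debugging policies.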

Tokens

There are a few types of tokens and knowing when to use which will add to your Vault mastery. I have written about them before, so I am actually not going to dive any deeper than that here, as I want you to read up on it yourselves (and hopefully try things out on your own).

What I use for my home lab

I have a mix of cloud resources and my Raspberry Pis at home as my home lab and I have multiple Vault instances running. Even though it would be so much easier to use the root token for everything — I don’t. I use GitHub as my auth method (which you will get a chance to set up for yourself in challenge #1 below) and provide myself a reasonably generous token policy which allows me to manage my secrets and perform some day-to-day activities. I use the root token for anything else not covered by my user policy.

CHALLENGE #1: configure GitHub as an auth method with a custom path and description. Log in with your personal access token; token details should NOT be displayed upon successful login.

For this you will need a GitHub organization. Luckily, they have a free tier plan. Afterwards, you will need to create a team within your org (I called mine “vault-access”) and add yourself as a member.

>> SPOILER ALERT!!! SOLUTION GUIDE BELOW!!! <<

Challenge solutions guide

SOLUTION #1

  • Enable the GitHub auth method with a custom path and description:

    vault auth enable -path=myorg -description="enable auth with GitHub token" github

  • Configure the organization and assign policies to the team (in my example below, they are the default and gh-vault-access policies) with the sample policy below:

    vault policy write gh-vault-access ./gh-vault-access-policy.hcl

    vault write auth/myorg/config organization=myorg

    vault write auth/myorg/map/teams/vault-access value=default,gh-vault-access

  • Create a GitHub personal access token with read:org permissions, as you just need to be able to validate your org and team memberships.
  • Authenticate to Vault with your GitHub PAT (the -no-print option prevents your token from being printed to stdout):

    vault login -method=github -path=myorg -no-print


Glen Yu

Cloud Engineering @ PwC Canada. I'm a Google Cloud GDE, HashiCorp Ambassador and HashiCorp Core Contributor (Nomad). Also an ML/AI enthusiast!